Comments
maru11 t1_izpc31i wrote
Do you even know how the PassKey standard is working? You don’t give Google anything with this.
Gesha24 t1_izpjgrj wrote
And yet almost all organizations are using it. If implemented right, where you have encrypted passwords stored and it's the client that does the decryption locally, they are quite secure. Now, whether you trust the vendor to implement it properly is a whole different conversation.
[deleted] t1_izpjrkk wrote
[removed]
happyscrappy t1_izpong9 wrote
It's not a password vault.
EndofGods t1_izpqrfi wrote
There is absolutely no way you can guarantee your data's safety when it's constantly accessible online. I hear the arguments, but at the end of the day it is an absolute security risk that can be avoided for the average person at home. Work can do as it likes, but your choices should be better informed.
Gesha24 t1_izpsb0w wrote
You cannot guarantee data safety at home/within your org either. Remember all the home/prosumer devices that get infected and become part of a botnet? Well, that botnet is not only used for DDoS, it can also scan your local systems for vulnerabilities. So don't be so sure your data is safer at home/org. At least Google is very likely to discover a data leak quickly; will you even notice your data leaking at home/your company?
mididaw t1_izpypro wrote
It’s going to take time for people to grasp key exchanges unless you have been in tech a while.
The fact is, one-way key exchanges happen every day with various things. This is FIDO based (FIDO2), and while nothing is foolproof, this is the only step in the right direction that could potentially eliminate the vast majority of exposure for anyone.
ItchyAcnestis t1_izpzi75 wrote
You’re getting downvoted, but you’re right. Accessibility and security of data are two parts of the triad that require the most balancing. By its very nature, security is reduced as you increase accessibility, and vice versa.
The key word here is guarantee though. It is possible to make it extremely difficult to get the data without proper access—just not impossible. Some of the methods used today are pretty slick, but I’ve already forgotten most of what was covered in my network security course. I mostly just remember thinking “this isn’t for me” and “please make this stop”.
maru11 t1_izq0t1z wrote
I agree, forcing a non-technical user to have a unique “password” (private/public key pair) on every account will already be a huge improvement compared to today's standards.
[deleted] t1_izqvhjy wrote
can you escape from Google after you go all in on this?
sweetmorty t1_izrcqno wrote
Nah, I'll keep KeePass
nindustries t1_izrpn2x wrote
They can't steal your passkey, and it's bound to the real domain name.
edvorg t1_izrqv48 wrote
Sorry, could you clarify this bit about a domain name? How does it work?
nicuramar t1_izrud3p wrote
Well, if you want cross platform sync, you’d best use a cross platform credential manager that can handle passkeys. They exist :)
Sites should make it easier to add multiple passkeys, which would also help.
nicuramar t1_izrugs7 wrote
I don’t know what he meant by that. But the passkey only works for that specific login. So in that sense it would be like having 100% unique passwords in all cases.
nicuramar t1_izruhgk wrote
They could add passkey support. Other apps have or are.
nicuramar t1_izrulbu wrote
You don’t have to use Google in the first place. I can have a passkey on my iPhone and use it to log into some website on a computer using Chrome. I already tried that with Edge, which supports it.
Part of the system is where you can use your own device to handle the credentials.
nindustries t1_izrxiu5 wrote
The key that is generated for e.g. google.com will not be used for fakegoogle.com, and there is no way for them to spoof it. So your key never leaves your device and only works for the specific, valid website.
beef-o-lipso t1_izsaaal wrote
And this is the problem right here
> The Google Password Manager on Android is ready to sync all your passkeys to the cloud, and if you can meet all the hardware requirements and find a supporting service, you can now sign-in to something with a passkey. [added emphasis]
Passwords are familiar, easy to use, and are implemented everywhere. Other schemes, no matter how good they are, don't tick all of those boxes and won't gain wide adoption.
Hell, I can't use standards-based TOTP/HOTP tokens on any of my financial sites. If financial sites support it, you must use their app.
I would love to see standards-based 2FA mandated for financial and healthcare sites.
Chris77123 t1_iztnqdp wrote
Don't use the same password across multiple applications, because these password applications get hacked and you are exposed eventually.
golf18golf18 t1_izu7le3 wrote
LastPass?
[deleted] t1_izp9rhw wrote
[removed]