The Password is Dead: Here comes the Passkey
#1
FlyerTalk Evangelist
Original Poster
Join Date: Nov 2002
Location: ORD
Posts: 14,200
Google this week enabled passkey support for everyone. Passkeys are touted as the password killer, at long last. Your phone generates a public/private keypair, and all you need to do is use that to log in without a password. It pretty much eliminates phishing as a threat since you need your phone to log in, and your phone needs to be physically close to the device you're trying to log in on (they communicate via Bluetooth).
I have tried it in a few ways and it's pretty slick. To log in on my computer, my computer shows a QR code that I scan with my phone, do FaceID, and I'm logged in. My password manager, 1Password, has announced they will start supporting cross-platform passkeys next month.
Here's an article: https://arstechnica.com/information-...rds-heres-why/
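The keypair login described in the opening post, as an added example (not code from the thread or from Google): a simplified Node.js sketch of a passkey challenge-response in which the site stores only the public key and checks the challenge and the origin the browser reports. The origins, function names and reduced message layout are assumptions; real WebAuthn authenticator data also carries flags and a signature counter.

```javascript
// Added example: simplified passkey (WebAuthn-style) login check.
// Origins, names and the message layout are constructed for illustration.
const { generateKeyPairSync, createHash, randomBytes, sign, verify } = require('node:crypto');

const sha256 = (buf) => createHash('sha256').update(buf).digest();

// Registration: the phone creates the keypair; the site keeps only publicKey.
function register() {
  return generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Authenticator side: the browser fills in the origin it is really on, and
// the private key signs rpIdHash || SHA-256(clientData).
function authenticate(privateKey, challenge, browserOrigin) {
  const clientData = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin: browserOrigin,
  }));
  const rpIdHash = sha256(Buffer.from(new URL(browserOrigin).hostname));
  const signature = sign('sha256', Buffer.concat([rpIdHash, sha256(clientData)]), privateKey);
  return { clientData, rpIdHash, signature };
}

// Relying party side: every check must pass before the login is accepted.
function verifyAssertion(publicKey, expected, a) {
  const cd = JSON.parse(a.clientData.toString());
  if (cd.type !== 'webauthn.get') return 'bad-type';
  if (cd.challenge !== expected.challenge.toString('base64url')) return 'bad-challenge';
  if (cd.origin !== expected.origin) return 'bad-origin';
  if (!a.rpIdHash.equals(sha256(Buffer.from(expected.rpId)))) return 'bad-rp-id';
  const signed = Buffer.concat([a.rpIdHash, sha256(a.clientData)]);
  return verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad-signature';
}

function demo() {
  const site = { origin: 'https://accounts.example', rpId: 'accounts.example' };
  const { publicKey, privateKey } = register();
  const challenge = randomBytes(32);
  const good = authenticate(privateKey, challenge, site.origin);
  // A lookalike page relays the real challenge, but the origin is its own.
  const phished = authenticate(privateKey, challenge, 'https://accounts.example.login-check.test');
  return {
    legit: verifyAssertion(publicKey, { ...site, challenge }, good),
    phished: verifyAssertion(publicKey, { ...site, challenge }, phished),
    // Correct-looking client data paired with the signature made on the lookalike page.
    forged: verifyAssertion(publicKey, { ...site, challenge }, { ...good, signature: phished.signature }),
    // An old assertion replayed against a fresh challenge.
    replayed: verifyAssertion(publicKey, { ...site, challenge: randomBytes(32) }, good),
  };
}
```

Calling `demo()` returns the verdict for each of the four cases; only the assertion produced on the genuine origin with the current challenge is accepted.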
#4
FlyerTalk Evangelist
Original Poster
Join Date: Nov 2002
Location: ORD
Posts: 14,200
#6
Join Date: Aug 2008
Location: Somewhere in Florida
Posts: 2,580
Eh... I hate 2-factor, especially phone/e-mail. The current setups with password-only logins, especially the useless C0mp1eX! requirements, need help, but I'm not so sure this is the right solution. I still have multiple users in my office that can't handle SMS 2-factor authentication (seriously).
Smartphones haven't been reliable for me. Apple, Samsung, Motorola, all have been unstable for me. Overheating, locking up, spontaneously rebooting, and battery issues. Add in all of the things which have to go right for this to work and no thanks. Bluetooth's gotten better over the years but still isn't as seamless as it should be.
One of my condos replaced our 24/7 security guards with a "cloud" entry system where they want you to download a Chinese app to your phone to gain entry. Useless thing. For it to work: 1) There has to be power, 2) Their Comcast connection and router have to be working, 3) the gate system keypad/controller have to be working, 4) the gate system's cloud servers have to be working, 5) the larger internet has to be working, 6) the cell connection has to be working, 7) my phone has to be working, 8) the app has to be running and working. No thanks, I'll just enter the 5 digit code or copy of the barcode I made and go on my merry way.
I don't have a problem with it existing, but I don't see this as THE solution. It's just going to change the bad actors' targets from desktops to phones and Bluetooth. Anyone have a FlipperZero? After all, most people keep their entire lives on their phones, passwords, accounts, and all. Read up on the recent YouTube cookie / session hacks and it's not a stretch to port those types of hacks to infiltrate this type of system. At my office we use token (public/private key deal) + password, which is better than a password alone, but is far from infallible.
Google's extensive history of coming up with something and then getting bored and discontinuing it doesn't rub developers and programmers well. I personally spent many hours chasing Google's ever-changing APIs before finally giving up.
#7
Ambassador: Emirates Airlines
Join Date: Sep 2004
Location: Manchester, UK
Posts: 18,556
#8
FlyerTalk Evangelist
Join Date: Apr 2001
Location: Denver, CO
Programs: UA Silver, Bonvoy Gold, Hyatt Discoverist
Posts: 21,470
#9
Join Date: Jul 2023
Posts: 15
This is actually my first time hearing about Google passkeys, and I haven't seen any other articles referring to it. It'll probably take a while before smaller websites start switching over since the implementation will take time and if it's even worth the effort. I can see this being useful for the bigger companies that already require 2FA anyway.