kurtseifried (he/him) on Nostr: Good news: my paper on #Passkeys predicted major vendors moving to Passkeys. Bad ...
Good news: my paper on #Passkeys predicted major vendors moving to Passkeys.
Bad news: I was thinking months, not "next week", which is the best kind of being wrong, I guess.
The draft of my Passkey paper is available, with comments enabled (which will be turned off if vandalism becomes a problem) at:
https://docs.google.com/document/d/1eBjQDWkbqXJSL4GRrAdTUcAx2mVRA9YeTJKr2JgnT0U/edit?usp=sharing
TL;DR:
============
Major insights in this paper:
- Passkeys level up security, and while Passkeys make some tradeoffs concerning security vs. usability, they do not introduce any new attacks and make many existing attacks much harder or impossible (e.g. brute forcing attacks or credential stuffing).
- Passkeys will bypass the hurdle of getting people to start using password managers, and will likely result in the widespread use of biometrics to secure Passkeys.
- Passkeys can potentially make account sharing harder once attestation is supported, something a lot of service vendors are in favor of.
- Passkeys are also easier to deploy and reliable due to optional device synchronization, which should reduce the need for account recoveries and lower support costs.
- Passkey client support in both software and secure hardware tokens is widespread and available now on most platforms, browsers and most third-party password managers.
- Passkeys are being deployed by major vendors (e.g. Google https://blog.google/technology/safety-security/passkeys-defa...)
============
Conclusion:
No new significant risks or attacks are introduced from the threat model perspective. From a usability and reliability perspective, Passkeys are infinitely better than passwords. Finally, from a support perspective, chances are that if you currently use a system to manage your passwords, it already has Passkey support. For high-security applications, you can also choose to use your hardware token.
Web applications and websites are becoming increasingly critical to everyday life (banking, healthcare, education, shopping, etc.). We must improve security across the board and get rid of old and insecure things like usernames and passwords. The world has also changed, and virtually everyone has a smartphone, something unimaginable even ten years ago, let alone twenty.
Simply put, in every situation where you use a password, you should upgrade to a Passkey if possible.
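As an added illustration of the post's claim that Passkeys make brute forcing and credential stuffing moot (example code written for this page, not from the paper or any library): a simplified passkey exchange in Go where the server stores only a public key scoped to one rpId and every login is a fresh signed challenge. The names (Register, Assert, Verify, bank.example) and the reduced signed-data layout are constructed assumptions, not WebAuthn's exact wire format.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Credential is all the server stores: a public key scoped to one rpId. Leaking it gives an attacker nothing to replay, stuff elsewhere, or brute force.
type Credential struct {
	RPID string
	Pub  *ecdsa.PublicKey
}
// Authenticator stands in for a platform authenticator or hardware token: the private key never leaves it (constructed stand-in, not a real CTAP device).
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}
// Register mints a fresh P-256 key pair bound to rpID (simplified passkey registration).
func Register(rpID string) (*Authenticator, Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{rpID, priv}, Credential{rpID, &priv.PublicKey}, nil
}
// digest reduces WebAuthn's signed data (authenticatorData || SHA-256(clientData)) to the rpId hash and the server's one-time challenge.
func digest(rpID string, challenge []byte) []byte {
	rp, ch := sha256.Sum256([]byte(rpID)), sha256.Sum256(challenge)
	d := sha256.Sum256(append(rp[:], ch[:]...))
	return d[:]
}
// Assert signs for the rpId the browser reports; a phishing origin gets no signature at all, which is what defeats relayed logins.
func (a *Authenticator) Assert(originRPID string, challenge []byte) ([]byte, error) {
	if originRPID != a.rpID {
		return nil, fmt.Errorf("no credential for rpId %q", originRPID)
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, digest(a.rpID, challenge))
}
// Verify is the server-side check against its own rpId and the challenge it issued for this attempt.
func Verify(c Credential, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(c.Pub, digest(c.RPID, challenge), sig)
}
func main() {
	auth, cred, _ := Register("bank.example")
	challenge := []byte("constructed-challenge") // a real server issues random bytes per attempt
	sig, _ := auth.Assert("bank.example", challenge)
	fmt.Println(Verify(cred, challenge, sig), Verify(cred, []byte("stale"), sig)) // true false
}
```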