Dan Goodin on Nostr: ICYMI: I published a year-end state-of-play story about passkeys. In short, they're ...
ICYMI: I published a year-end state-of-play story about passkeys. In short, they're the most viable means of moving to credential phishing-immune authentication, but they're also (1) not what I consider "usable security" for many and (2) don't (yet) live up to their security promises, since just about every site offering them still allows us to fall back on passwords and resets from emails, SMS, etc.
There are a large number of devs putting their blood, sweat and tears into passkeys. They deserve our thanks and respect. The move off of phishable, knowledge-based authentication won't be easy. No one said it would be. Nothing in this story is intended to detract from the important work these folks do.
https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/