- cross-posted to:
- [email protected]
- [email protected]
- cross-posted to:
- [email protected]
- [email protected]
Google warns “passwords are not only painful to maintain, but are also more prone to phishing and often leaked through data breaches.” And that’s the real issue. “It’s important to use tools that automatically secure your account and protect you from scams,” Google tells users, and that means upgrading account security now.
Google says “we want to move beyond passwords altogether, while keeping sign-ins as easy as possible.” That includes social sign ins, but mainly it means passkeys. “Passkeys are phishing-resistant and can log you in simply with the method you use to unlock your device (like your fingerprint or face ID) — no password required.”
This is just one of their excuses, to keep their users inside google’s walled-garden
How do passkeys keep you inside Google’s walled garden?
They also push google oauth. If you’re logging in to over a dozen sites with your google account, it becomes that much harder or at least more annoying to curate all of those. They’re banking on people choosing convenience over security - and they’ll be right.
With passkeys you no longer need to use oauth at all since creating and using passkeys can be done more easily than creating a new password or using oauth. If you’re using Google services of course you’ll still log in with a Google account, but on example.com you can just create a new account with a passkey and never worry about oauth or passwords at all.
the issue is portability. Should I use a password manager’s passkey or the OS’s. What about wanting to login with a passkey on a different machine with a different OS. Every implementation is trying to fight to be used. I don’t remember them allowing multiple passkeys for login, do they?
Finally, if you really care, you don’t want Google/Apple/Microsoft “cloud” to hold your keys when they offer it with their devices. For when your account gets whacked for no reason/device gets lost or stolen, or broken, all your “worry” will start worrying.
There’s much to worry about unless you only ever use a single device.
You use a password manager which integrates with all OSes. You don’t need to ever worry about creating multiple keys. I login to <x> account on whatever device I want using 1Password. It can use a passkey no matter what, windows, Mac, iPhone, etc.
deleted by creator
Making a new passkey when you switch services, is exactly like making a new password when you switch services.
Where in the world are we talking about Google managing your passkeys. The article is about using passkeys for Gmail. You would manage your passkeys exactly like you would with any password, with a password manager like 1pass, bitwarden, etc. Google doesn’t manage or control any part of that.
Simple solution. Don’t use Gmail at all. Unless you’re really keen on someone else reading your mail, of course.
not what this article is about at all
They don’t, well, not any more than passwords do.
In lack of further context, and thus conjecturing, maybe as a leash/ransom? “If you walk out of our (Google’s) line, we will kill potentially decades of your history”.
I think OP and several others in this thread just don’t understand what passkeys are replacing, which is passwords. Google doesn’t manage any part of that.
more like the garden of weeds is spreading out of control. they want passkeys and oauth so they can become the third-party gatekeeper for everything.
the want them tied to bio because your fingertip or face are harder to share with others, harder to fake, easier to track multiple accounts with, and are tied to real people and identities that can be linked with other data their databases all to make their data and targeted adverts more profitable.
Passkeys have nothing to do with Google. They’re a standard compliant control mechanism designed to replace passwords. https://fidoalliance.org/passkeys/
Google doesn’t do anything with them besides store them exactly like they would your password. You authenticate using your device, which Google knows nothing about. The biometrics do not leave your device. https://www.passkeycentral.org/introduction-to-passkeys/passkey-security
Passkeys do not have to be biometric. You can use 1Password for example and not ever use fingerprints or anything biometric and still use passkeys to log in to services. It’s literally just a different better authentication method than passwords. You can still share passkeys through a password manager.
Literally everything you said is scaremongering and making it easier for scammers to take advantage of people. You should be switching to passkeys immediately.