Bob Young on Nostr: The problem with passkeys is the global, military-grade vulnerability created by ...
The problem with passkeys is the global, military-grade vulnerability created by massive centralization of indispensable authentication functions.
On the other hand… today, once again, I dealt with a long-time client that absolutely will not do the most basic things to make password authentication with 2FA easy.
He won’t write passwords down.
He won’t use a password manager.
He has several passwords only because some orgs won’t let him reuse previous passwords.
He has to reset his passwords on a regular basis.
He forgets his passwords.
His Microsoft account showed two authenticator apps - both installed on previous phones, not his current phone, so neither one could be used for password recovery/resets.
On the one hand, he seems like the poster child for why we should switch to passkeys.
But then again, setting up passkeys is NOT easy, it is NOT intuitive, it still requires memorizing or recording a PIN and one-time recovery codes, and authenticating in an authenticator app before you can authenticate in the app you’re trying to use confuses the heck out of most non-technical users.
Conclusion: the problem isn’t all Microsoft’s fault. If the client won’t keep track of his passwords, that’s on him. But Microsoft isn’t innocent, either. Passkeys are not wonderful.
Published at 2024-12-28 00:02:42