Passkeys are a nightmare. For whatever reason they play SO SO badly. Microsoft et al. all seem to compete to screw this stuff up. Seriously, if you are logged into a remote desktop, the push goes through Chrome to some Microsoft thing which has a different PIN / password / whatever. What's even crazier - I have a YubiKey and somehow the passkey doesn't need the actual hardware key to be plugged in - so this passkey is being stored somewhere else.
Keep it simple. I liked the U2F yubikey flow where you had to touch the yubikey to authenticate and I like TOTP well enough as well.
It seems I can use my phone as my "passkey". Okay nice, that should mean I can use the same one on multiple devices, just like with a hardware Yubikey, right? Well apparently no. Use a phone as a passkey on one device for a web account, try to log into the same account on another device, using the phone passkey, and it doesn't work, claims there is no passkey. I can't see what passkeys are actually present on the phone, so I don't know what's wrong.
There are so many different ways to have and use passkeys, and no way to tell what the status is. I have no idea how the less-technical users are supposed to be able to figure this stuff out.
The whole point of a little yubikey is that if someone gets my password, they also have to get the yubikey. The chances of that, while not zero, are MUCH smaller. And then I can do a little recovery envelope with a yubikey in it as a backup.
Since most users would prefer to store it in iCloud (or a competitor) and have it synced to all their devices, that's the default. But you can keep using external security keys in this new passkey-based world. You just have to opt in to it.
And yes, I agree that external security keys offer better security, at the cost of a little convenience.
If I'm using whatever Windows is pushing (maybe INSIDE Windows - so if they get my PIN/password I'm hosed?) how does that work on my iPhone or for Apple TV login?
The whole thing is a freaking mess. U2F or whatever came before was so easy by comparison. Seemed to work very well cross platform. If you had a NFC version you could bring it close to your phone and touch a button and voila - authenticated. Or plug into a computer and touch a button. And it seemed to work with Chrome / Windows etc etc.
What happened was that I was immediately logged out from most systems and had to call IT to unlock my account. Apparently Outlook had initialised a login request after the 14 days validity of the previous authentication in the background with no indication on my screen that it had done so.
I don't use Authy or any of them that backup to the cloud either, since that defeats the whole point. Every time I add a new TOTP, I add it to an old OnePlus phone as a backup, and that is at home 24/7 in case I lose my main phone.
After having someone try to hijack my NPM account, and actively pursuing me for a bit, I realized all other forms of 2FA are a joke. They will impersonate you to your carrier, they will try to get you to send them the code to hijack your SIM... It's basically a matter of time before any large-scale organization has one employee who drops the ball.
If I hit no, it better be 5 minutes before the next one is allowed through. And then 15 min, then 2 hr, etc.
Fatigue should have been considered in both the server and the client.
Edit: Strongly encourage upgrading to passkeys as soon as an org can, Entra recently launched GA support a few months ago.
https://learn.microsoft.com/en-us/entra/identity/authenticat...
https://learn.microsoft.com/en-us/entra/identity/authenticat...
(I do security things at a fintech and own the IdPs, thoughts and opinions my own)
Where's the catch?
Is it a prompt when you login to "text 123456 to 555-444-3333" and wouldn't that be pretty trivial to forge to appear to be coming from the account owner's phone (if you knew its phone number)?
One thing I would say though is that while it's technically bad that this person hit "approve" after being bombarded with notifications, limiting repeated authentication and applying an exponential delay on sign-in attempts is one of the most basic security protections that any authentication mechanism or service should implement, and failing to do this is a pretty basic and fundamental failure on the part of that service.
[1] It was frustrating to me when I worked on browsers where people kept trying to add extremely privileged functionality to the browser and then claiming there were no security problems because you could prompt the user. But it happens everywhere. I think Raymond Chen had a post many years ago regarding how the Windows installer used to prompt people to replace files but would keep asking until people thought they were answering wrong, which then led to non-booting machines.
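Two of the comments above ask for the same server-side control: once a user denies a push prompt, the next prompt should be held back for an escalating cool-down (5 minutes, then 15, then 2 hours, and so on), so a bombardment cannot continue until the victim taps "approve". The following is an added example of such a limiter, not code from any commenter, IdP or product named in the thread. The backoff schedule, the 24-hour cap, the choice to treat an unanswered prompt like a denial, and the `PushFatigueLimiter` API are all assumptions made for illustration.

```python
"""Push-MFA fatigue limiter (added illustrative example).

The identity provider calls can_send() before sending a push prompt and
record_denial()/record_timeout()/record_approval() with the outcome.  Each
consecutive denial lengthens the cool-down before another prompt may be sent,
so a burst of unsolicited prompts degrades into one prompt per cool-down.
"""
from dataclasses import dataclass
import time

# Assumed escalation schedule in seconds: 5 min, 15 min, 2 h, then a 24 h cap.
# A real deployment would tune these values and persist the state.
BACKOFF_SECONDS = [5 * 60, 15 * 60, 2 * 3600, 24 * 3600]


@dataclass
class UserPushState:
    denials: int = 0            # consecutive denials/timeouts since last approval
    blocked_until: float = 0.0  # epoch seconds; 0.0 means no active cool-down


class PushFatigueLimiter:
    """Per-user cool-down that grows exponentially with consecutive denials."""

    def __init__(self, clock=time.time, schedule=BACKOFF_SECONDS):
        self.clock = clock          # injectable for testing
        self.schedule = schedule
        self.state: dict[str, UserPushState] = {}

    def _state(self, user: str) -> UserPushState:
        return self.state.setdefault(user, UserPushState())

    def can_send(self, user: str) -> tuple[bool, float]:
        """Return (allowed, seconds_remaining).  Must be checked before every
        prompt, including ones triggered by background token refreshes."""
        s = self._state(user)
        now = self.clock()
        if now < s.blocked_until:
            return False, s.blocked_until - now
        return True, 0.0

    def record_denial(self, user: str) -> float:
        """User tapped "deny": start the next cool-down and return its length."""
        s = self._state(user)
        delay = self.schedule[min(s.denials, len(self.schedule) - 1)]
        s.denials += 1
        s.blocked_until = self.clock() + delay
        return delay

    def record_timeout(self, user: str) -> float:
        """Unanswered prompt: the user did not ask for it, so treat as a denial."""
        return self.record_denial(user)

    def record_approval(self, user: str) -> None:
        """A genuine approval clears the escalation."""
        s = self._state(user)
        s.denials = 0
        s.blocked_until = 0.0

    def denial_notice(self, user: str) -> str:
        """Text the client can show after a denial, so the user knows someone
        else holds the password and that further prompts are being throttled."""
        s = self._state(user)
        return (f"Sign-in request denied. {s.denials} consecutive denial(s); "
                f"no further prompts for {int(s.blocked_until - self.clock())} s. "
                "If this was not you, change your password.")


if __name__ == "__main__":
    # Constructed walkthrough with a fake clock: four unsolicited prompts.
    fake_now = [0.0]
    limiter = PushFatigueLimiter(clock=lambda: fake_now[0])
    for attempt in range(4):
        ok, wait = limiter.can_send("alice")
        if not ok:
            print(f"attempt {attempt}: suppressed, {wait:.0f} s remaining")
            fake_now[0] += wait                       # advance past the cool-down
        delay = limiter.record_denial("alice")
        print(f"attempt {attempt}: denied -> next cool-down {delay} s")
    print(limiter.denial_notice("alice"))
```

The key design point is that the cool-down is keyed on the user, not on the attacker's IP or session: the prompts all arrive at the same phone regardless of where the password is being tried from. Resetting only on an explicit approval (never on a timeout) means a background re-authentication, like the Outlook case mentioned above, cannot silently clear the escalation.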