Beware of Google's latest passkeys push!
Google, which itself in my experience is a massive source of spam and
phishing attempts sent from Gmail to non-Gmail mail platforms, is
using scare attempts again to try to trick users into using their flawed
passkeys system instead of passwords, without these users necessarily
understanding the full implications.
While the phishing attack model described in the link below is real
and the result of what is essentially a flaw in Google's handling of
DKIM-"protected" email checking systems (I see phishing attacks daily
from Gmail users that have passed DKIM checks), I will repeat my
concern that passkey implementations routinely result in many users
who are not sophisticated techies getting locked out of their Google
(or other) accounts, especially if they access the Internet via a
single device.
I routinely hear from such users, and Google typically tells them to
pound sand -- that is, tough luck -- you're screwed.
The march by firms to push users into giving up passwords is
theoretically a laudable one -- for many years I have noted the need
to move beyond the password model. Unfortunately, the rushed and
poorly thought out passkey systems now being pushed on users by
various firms continue to result in many users being locked out and
left behind to rot without access to their email or other data.
The proponents of passkeys will argue that the risk of getting locked
out of your account is acceptable when viewed against the damage that
can be done by the various types of sophisticated phishing attacks --
that are indeed real and are increasingly difficult to detect by many
users.
However, given the absence of humane account recovery policies on the
part of Google and some other firms, the risk to many users of TOTAL
lockout is so severe that their using passkeys becomes a much more
problematic scenario.
I have continued to recommend to Google specific approaches to improve
their account recovery and passkeys systems to avoid harm to many
innocent users, but continue to hit a brick wall of apparent
disinterest on their part.
Of course it is your decision whether or not to use passkeys, and to
weigh their advantages and disadvantages. Personally, I am not
willingly using any existing passkey implementations, especially
Google's, and if firms begin to force their use, they will do even
more damage to many innocent users whom they in many cases already
treat so very badly when account access problems occur.
https://www.forbes.com/sites/zakdoffman/2025/04/18/google-confirms-gmail-update-stop-using-your-password-now/
- - -
--Lauren--
Lauren Weinstein
[email protected] (https://www.vortex.com/lauren)
Lauren's Blog: https://lauren.vortex.com
Mastodon: https://mastodon.laurenweinstein.org/@lauren
Signal: By request on need to know basis
Founder: Network Neutrality Squad: https://www.nnsquad.org
PRIVACY Forum: https://www.vortex.com/privacy-info
Co-Founder: People For Internet Responsibility
_______________________________________________
google-issues mailing list
https://lists.vortex.com/mailman/listinfo/google-issues