Regarding Google Passkeys and a Solution
https://mastodon.laurenweinstein.org/@lauren/110318648402135583
Greetings. I appreciate all of the questions on this topic, and I do
want to emphasize that passkeys are a significant security advance,
particularly in terms of blocking phishing attacks. I have long pushed
toward a "passwordless" future -- I wrote of this in my blog many
years ago ("Die Passwords! Die!" -
https://lauren.vortex.com/2016/06/21/die-passwords-die). But the
devil, as always, is in the details.

In terms of the specific passkeys implementation that Google is
deploying, my specific concern is that since the passkeys are
protected by the same unlocking mechanism protecting the device, a
weak unlocking mechanism (e.g., non-biometric) means that a purloined
non-biometric unlocking code (perhaps by an onlooker prior to theft --
more common than you might think -- or by later cracking)
automatically gives access to the passkeys as well, and the totality
of a user's Google accounts.

A solution is to provide (at least when non-biometric device locking
is in use, and many people either can't use biometric locking or
choose not to do so for legal reasons) a separate authentication
option for passkey unlocking, which would be much less likely to be
easily subject to routine "spying" in public.

Of course, implementation details continue to matter greatly, but this
seems like a relatively "low cost" way to help a significant number of
Google users avoid some significant possible grief down the line. -L
- - -
--Lauren--
Lauren Weinstein
[email protected] (https://www.vortex.com/lauren)
Lauren's Blog: https://lauren.vortex.com
Twitter: https://twitter.com/laurenweinstein
Mastodon: https://mastodon.laurenweinstein.org/@lauren
T2: https://t2.social/laurenweinstein
Founder: Network Neutrality Squad: https://www.nnsquad.org
PRIVACY Forum: https://www.vortex.com/privacy-info
Co-Founder: People For Internet Responsibility
Tel: +1 (818) 225-2800
_______________________________________________
pfir mailing list
https://lists.pfir.org/mailman/listinfo/pfir