0000, 1234, and Google Passkeys

As you probably know by now, I am critical of the Google passkey
implementation primarily because it does not provide an option or
requirement for a passkey authentication layer other than the device
lock. It is entirely dependent on the strength of the device lock. If
a perpetrator can see or crack a weak device lock, they then have
access to all of the passkeys and associated accounts, no other
authentication needed.

Which brings up the question -- how many devices use weak device
locks? After all, human nature never really changes.

Mel Brooks would be amused.

According to this recent article, about 26% of phones can be unlocked
using one of 20 4-digit PINs, including 1234, 1111, 0000, etc.:

https://www.pocket-lint.com/these-are-the-20-most-common-phone-pins-is-your-device-vulnerable/

Passkeys need an additional authentication layer.

Think about it. -L
- - -
--Lauren--
Lauren Weinstein
[email protected] (https://www.vortex.com/lauren)
Lauren's Blog: https://lauren.vortex.com
Twitter: https://twitter.com/laurenweinstein
Mastodon: https://mastodon.laurenweinstein.org/@lauren
T2: https://t2.social/laurenweinstein
Founder: Network Neutrality Squad: https://www.nnsquad.org
PRIVACY Forum: https://www.vortex.com/privacy-info
Co-Founder: People For Internet Responsibility
Tel: +1 (818) 225-2800
_______________________________________________
pfir mailing list
https://lists.pfir.org/mailman/listinfo/pfir