Google Passkeys Weakness

Since that blog post I noted doesn't mention passkeys specifically, I'll
note here the fundamental issue. In their promotion of passkeys, Google
attempts to gloss over a key weakness (no pun intended) in their passkey
implementation, and in my discussions with them to try to "minimize" the
importance of this problem.

Google's current passkey implementation is completely dependent on the
device security on which passkeys have been deployed. Google has not
provided any mechanism for secondary passwords or other authentication
methods to specifically protect passkeys if a device is compromised.

Every day, many devices are stolen and their access authentication
bypassed, sometimes by thieves who see the actual authentication
sequence before stealing phones, etc., sometimes since the user has
set relatively weak authentication in the first place.
This means that once access is gained to the phone past the device
security level, there is no additional protection available for the
passkeys that can give access to every user account that is passkey
protected via that device.

That's the executive summary. The details are lengthy.
- - -
--Lauren--
Lauren Weinstein [email protected] (https://www.vortex.com/lauren)
Lauren's Blog: https://lauren.vortex.com
Twitter: https://twitter.com/laurenweinstein
Mastodon: https://mastodon.laurenweinstein.org/@lauren
T2: https://t2.social/laurenweinstein
Founder: Network Neutrality Squad: https://www.nnsquad.org
        PRIVACY Forum: https://www.vortex.com/privacy-info
Co-Founder: People For Internet Responsibility
Tel: +1 (818) 225-2800
_______________________________________________
pfir mailing list
https://lists.pfir.org/mailman/listinfo/pfir