**** Questions I'm getting about Google's "passkeys" announcement ****

All, I'm getting a pile of (many confused) questions about #Google's new "passkeys" announcement. Since I wrote "Passwords Must Die!" many years ago, I cheer these advances ... however ... there are implications in the implementation that really need to be fully understood by users, and frankly, given the difficulty in getting users to use 2-factor authentication, I suspect passkeys adoption will be complex unless users are forced to use them, which has its own implications.

Bottom line, I would not urge use of them immediately, unless you are absolutely convinced that you understand the details, some of which are a bit opaque right now.

My intention is to blog in some detail on this (and the new Google Authenticator cloud issues I mentioned previously) as soon as possible.

Please take care. Best, L

@lauren Details from the blog post at blog.google/technology/safety- are a little thin on the ground; I'm going to have to seek out an implementation explanation.

I think my biggest question is "If Google, being a private company and not beholden to government oversight regarding its account use policies, arbitrarily decides one day that I've violated their ever-changing terms of service and deactivates my account, am I now screwed vis-à-vis every single company I only have a passkey-based login with?"

Because that alone should give pause.

@mtomczak @atanas @lauren a few things here to try to help:
1) passkeys on Google Accounts are additive; no added risk of lockout
2) if someone steals an unlocked phone that's signed in to Google with a passkey, I don't see how that's higher risk than being signed in with a password. Help me understand?
3) Atanas, I don't know what mailkeys are, but one huge advantage of passkeys is that the relying party (AT&T in this case) stores only the public key. Nothing to get breached.
4) MarkT, the passkeys (the private key part) are stored in the device and not beholden to your Google Account being deactivated.

Nope, this helps!

@mrisher Thank you for the clarification.

I had never heard of mail keys either, until I read about this incident. And according to the article in The Verge, the malicious actors were able to generate these keys, as opposed to the keys being leaked.
