I am not sure, something to look into. With Apple devices, your Passkey will sync to other Apple devices.
Yes, correct. But consider how many people these days have no clue what their Apple ID password is. The general public has no idea because they’ve been using biometric authentication, such as Face ID, since the day they first signed into their device.

I deal with this almost every day at work.

Edit: 1Password actually forces you to type in your password every once in a while (set to two weeks at my company). This is actually smart because it helps to prevent forgetting it.
 
Yes, correct. But consider how many people these days have no clue what their Apple ID password is. The general public has no idea because they’ve been using biometric authentication, such as Face ID, since the day they first signed into their device.

I deal with this almost every day at work.

Edit: 1Password actually forces you to type in your password every once in a while (set to two weeks at my company). This is actually smart because it helps to prevent forgetting it.
Yeah... a lot needs to be worked out. Thankfully, Passkey isn't happening overnight.
 
None of these solutions address real world non-technical people who still attempt to use the same password for every site. When they get a new phone they get a new SIM card and unless they know someone they just set up the phone as new. Passkeys are just an additional complication that won’t be adopted.
 
I still don't buy using passkeys. I'm happy using iOS and Bitwarden to store passwords. I always generate strong passwords and use 2FA where I can.

I don't want keys stored on my Android or iPhone. I mean I don't mind using the iOS password manager, but I want to be able to move passkeys away from it if I need to. Bitwarden is my main manager; I just use iOS to make it a bit easier and quicker for some sites and apps. I want to be able to have a backup of them at all times.
 
I still don't buy using passkeys. I'm happy using iOS and Bitwarden to store passwords. I always generate strong passwords and use 2FA where I can.

I don't want keys stored on my Android or iPhone. I mean I don't mind using the iOS password manager, but I want to be able to move passkeys away from it if I need to. Bitwarden is my main manager; I just use iOS to make it a bit easier and quicker for some sites and apps. I want to be able to have a backup of them at all times.
I think you’ll be able to store your Passkeys in Bitwarden. 1Password announced this, and I’m sure you’ll be able to do this in Bitwarden.
 
So every single time I want to log into anything, I'll need to use my phone's biometrics or scan a QR code and pray that it works? Man, the future of the Internet looks so bright, I'll have to wear shades to browse :cool:
 
Bring Face ID to Macs and Apple Displays already!
Not sure it’d be that useful

In order to use Face ID on iPhones, you need to confirm it by double-clicking the power button, as a measure of prevention.

They will do the same on Mac (else it wouldn’t be very secure), so you’d have to click, nay double-click, some button (say power or enter).

If you’re clicking, why not just use the power button’s Touch ID?
 
good - too many passwords in this day and age - plus the hassle of corporate mandates to change passwords every 3 months
 
So if you lose a passkey will you still be able to ‘reset’ your website login using your email?

Without 2FA, many websites/services have stopped using passwords altogether. They just send an email with a code or link. Why? Because if you say you forgot your password, they just send you an email to reset it anyway. Might as well skip the password step altogether. Some even consider email to be a 2FA choice, which makes no sense, as you can just reset your primary authentication over email.

But this means if an attacker gains email access they can reset your password on almost every website.

If you lose a passkey and have to reset a website, how would you prove yourself with 2FA? As soon as you put a phone number as a backup, you are significantly reducing the security.

I don’t get it personally. The general public is generally not that intelligent when it comes to internet security. People are just going to end up locked out of all their accounts and have no idea why.

We use 1Password Enterprise at work and I’m constantly having to recover employee accounts.

Apple's answer to 2FA seems to be "have lots of Apple devices signed into the same iCloud account so you can't lose all of them at once."

To be fair that does seem to work, but I have the same concerns with passkeys. As I understand it, it's exactly the way TLS works. You hold the private key and the services get your public key. But key management has always been a problem; it doesn't seem like a huge improvement over good password management with 2FA. How indeed would you establish a different public key for the same account?

I agree with you, I'd rather have full control of the secrets rather than rely on Apple to obfuscate that away from me.
 
I think the opposite. Passkey is limited in a lot of ways.


It will not be easy to switch from Android to iPhone at all and vice versa. It can be done, but it won't be easy at all.

The other issue is sharing Passkeys. My wife and I share passwords for our bills; how can you do this with Passkey? You can't. This is again where a password manager will shine. My wife can use the vault where we share passwords, and we can share Passkeys very easily.

Another issue is when you log in to a computer and your Passkey is on your phone. Yes, there will be a QR code, scan with your phone, and log in, but password managers are cross platform. I have my Password Manager on all of my devices, so I can easily log into a website without having my phone with me. 1Password also made a way to log into a computer that isn't yours easily (article below), and I bet Bitwarden and others will follow.

Work Passwords... I read an article about work passwords, how this will be an issue (I wish I kept that article). It's probably not an issue now, because it will take years before Passkey takes off.

Password managers are superior in this way, and just switching/cross platforms alone are worth it.

Here is the article about how 1Password will handle Passkeys (and where I got the quote above). Please note, I bet money Bitwarden and others will do the same, and it's great. They will make it easy to switch Password Managers with Passkeys also.

Passwords aren't going away anytime soon, so passwords are going to be around for years. Not every website is going to change overnight to Passkey.

Seems like the way passwords are handled at work is all the users have nfc what they are doing and the IT admin is the one who handles that with constant resets. The only way users can handle good passwords now is with a password manager. For work it might actually be an improvement; users can't give away through phishing what they don't have.

I'll tell you what users have the biggest problems with. It's not passwords. It's usernames. At least users have some idea of what a password is because the word is thrown around all the time. Want to really stump a user? Ask them "What's your username?"

I suppose passkeys would solve both those problems, but there's still the issue of who is really handling the key management. It still can't be the users. It's bad enough when a work account winds up tied to someone's personal email address. Imagine if it wound up tied to their iPhone, which they also have no clue what the password to their iCloud account is. I know way too many people who, instead of logging in when prompted, just hit that password reset link *every* *single* *time*.
 
None of these solutions address real world non-technical people who still attempt to use the same password for every site. When they get a new phone they get a new SIM card and unless they know someone they just set up the phone as new. Passkeys are just an additional complication that won’t be adopted.

Some people write their pw under their wrist pad.
Some people decide not to lock their car.
Some people decide to spend their money frivolously instead of paying their rent/mortgage.
I don’t see some people’s personal choices as something I need to solve.
That’s what Darwin is for.
 
I do not understand how this answers the question that @MacBH928 has. The video shows how to do this with your secure device. The question by @MacBH928 is, how do I do this if I don't have a secure device anymore?
Passkeys are stored in iCloud Keychain, buy a new phone, sign in to iCloud, your keychain syncs to the device and you've got your passkeys back.

If you choose to store them in 1Password or BitWarden or whatever password manager you want to use, install it and let your passkeys sync back to it.
 
I read all these articles that say eBay and PayPal support Passkeys but I don't get that option. The only website where it is available to me is BestBuy.com.
I activated a Passkey on eBay. I can see it in my passwords. However, it never gives me the option to sign in with it on any other device. Even logging out on my iPhone doesn’t give me the ability to use the passkey. I do get prompted to sign in with 1Password still.
 
Surprised they could even add support. Maybe Apple is really trying to replace passwords rather than locking people into their own services.
 
Has anyone seen any of the big sites out there supporting Passkeys/WebAuthn yet? I’ve yet to come across one in the wild. I saw articles that PayPal was starting to roll it out in October, but it hasn’t shown up for me as an option yet.
Not sure if anyone answered your question but Best Buy has it. There are only a handful of sites for now. eBay is another one.
 
So if you lose a passkey will you still be able to ‘reset’ your website login using your email?

Without 2FA, many websites/services have stopped using passwords altogether. They just send an email with a code or link. Why? Because if you say you forgot your password, they just send you an email to reset it anyway. Might as well skip the password step altogether. Some even consider email to be a 2FA choice, which makes no sense, as you can just reset your primary authentication over email.

But this means if an attacker gains email access they can reset your password on almost every website.

If you lose a passkey and have to reset a website, how would you prove yourself with 2FA? As soon as you put a phone number as a backup, you are significantly reducing the security.

I don’t get it personally. The general public is generally not that intelligent when it comes to internet security. People are just going to end up locked out of all their accounts and have no idea why.

We use 1Password Enterprise at work and I’m constantly having to recover employee accounts.

Yes, passkeys don't solve those problems, but they do solve some others. Basically even if a user is using a password manager and has 100 random passwords all managed by it, there are some big limitations that passkeys fix.

In a lot of scenarios, strong device security and no 2FA with a passkey is actually much stronger than even a good password manager and good 2FA. This means for users who are never going to use strong 2FA, they're better off. And for the technical users who will use strong 2FA, recovery codes, the whole deal, they're much better off. Sure it doesn't solve every problem a user might have, but perfect being the enemy of good and all that, and the death of passwords is very, very good.

- If a site's passwords get breached, even if the password is unique, an attacker can still log in to that site as that user (assuming no 2FA). With passkeys, all they have is a public key; it's useless to them.

- Let's say I want to log in to a web app on a public computer. With a password manager, the best I can do is type out my awkward long password off my phone screen. With passkeys, I can scan a QR code. I don't even have to worry about the public computer logging my password. (Which is kind of also next.)

- And most technically, passwords are vulnerable to replay attacks, making phishing such a nightmare. If someone fools me into typing a password into a fake form, they have the password. It will be much harder for them to force my browser to even do the cryptographic challenge to the wrong website, but even if they intercept the whole (unencrypted) challenge, they can't just "replay it" and get into that website later.
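The three bullets above, and the earlier question about how a service ends up holding only a public key, can be seen in a small simulation. The following is an added illustration, not code from this thread or from any passkey implementation: it models a WebAuthn-style ceremony with three parties (an authenticator that keeps the private key, a browser that fills in the origin, and a relying party that issues one-time challenges and verifies signatures). The relying party `shop.example`, the look-alike `shop-example.co`, the user `alice`, and all function and class names are constructed for the example. The signature scheme is a textbook RSA stand-in (no padding, 256-bit primes) so that the block runs on the Python standard library alone; a real authenticator uses ECDSA or Ed25519, but the protocol checks being demonstrated do not depend on which scheme is underneath.

```python
import hashlib
import json
import secrets
from math import gcd

# ---- Toy signature scheme (textbook RSA). Stand-in for the authenticator's real
# ECDSA/Ed25519 key; the protocol logic further down is the point, not this scheme.

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test."""
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top and low bit
        if _is_probable_prime(cand):
            return cand

def keygen(bits: int = 256):
    """Return (public, private) = ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def sign(private, data: bytes) -> int:
    n, d = private
    return pow(int.from_bytes(_h(data), "big"), d, n)

def verify(public, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == int.from_bytes(_h(data), "big")

# ---- The three parties of the ceremony.

class Authenticator:
    """Keeps private keys; each credential is scoped to one relying-party id."""
    def __init__(self):
        self._creds = {}  # credential_id -> (rp_id, private_key)

    def make_credential(self, rp_id: str):
        public, private = keygen()
        cred_id = secrets.token_hex(8)
        self._creds[cred_id] = (rp_id, private)
        return cred_id, public  # only the public half ever leaves the device

    def get_assertion(self, cred_id: str, rp_id: str, client_data: bytes):
        """Sign SHA256(rp_id) || SHA256(client_data), mirroring WebAuthn's
        authenticatorData || clientDataHash. Refuses if the credential is scoped elsewhere."""
        stored_rp, private = self._creds.get(cred_id, (None, None))
        if stored_rp != rp_id:
            raise KeyError("no credential for this relying party")
        auth_data = _h(rp_id.encode())
        return auth_data, sign(private, auth_data + _h(client_data))

def browser_login(auth: Authenticator, origin: str, cred_id: str, challenge: str) -> dict:
    """The user agent derives rp_id from its own origin and writes that origin into
    clientData; a web page cannot override either value."""
    rp_id = origin.split("://", 1)[1]  # toy: rp_id is simply the host
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data, sig = auth.get_assertion(cred_id, rp_id, client_data)
    return {"credential_id": cred_id, "client_data": client_data,
            "authenticator_data": auth_data, "signature": sig}

class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.credentials = {}  # user -> {cred_id: public_key}; this is all a breach could leak
        self._pending = set()  # outstanding single-use challenges

    def register(self, user: str, cred_id: str, public):
        self.credentials.setdefault(user, {})[cred_id] = public  # a user may hold several

    def new_challenge(self) -> str:
        c = secrets.token_urlsafe(32)
        self._pending.add(c)
        return c

    def verify_assertion(self, user: str, a: dict) -> str:
        """Return 'ok' or the reason for rejection. The challenge is consumed on first use."""
        public = self.credentials.get(user, {}).get(a["credential_id"])
        if public is None:
            return "unknown credential"
        cd = json.loads(a["client_data"])
        if cd.get("challenge") not in self._pending:
            return "challenge unknown or already used"
        self._pending.discard(cd["challenge"])  # one verification attempt per challenge
        if cd.get("type") != "webauthn.get":
            return "wrong ceremony type"
        if cd.get("origin") != self.origin:
            return "origin mismatch"
        if a["authenticator_data"] != _h(self.rp_id.encode()):
            return "rp id mismatch"
        if not verify(public, a["authenticator_data"] + _h(a["client_data"]), a["signature"]):
            return "bad signature"
        return "ok"

def demo() -> dict:
    phone, rp = Authenticator(), RelyingParty("shop.example", "https://shop.example")
    cred_id, public = phone.make_credential("shop.example")
    rp.register("alice", cred_id, public)
    out = {}
    # 1. Genuine login, then the very same assertion replayed later.
    assertion = browser_login(phone, "https://shop.example", cred_id, rp.new_challenge())
    out["login"] = rp.verify_assertion("alice", assertion)
    out["replay"] = rp.verify_assertion("alice", assertion)
    # 2. Breached credential table: attacker holds only (n, e) and tries to answer a fresh challenge.
    n, e = rp.credentials["alice"][cred_id]
    cd = json.dumps({"type": "webauthn.get", "challenge": rp.new_challenge(),
                     "origin": rp.origin}, sort_keys=True).encode()
    auth_data = _h(b"shop.example")
    forged = pow(int.from_bytes(_h(auth_data + _h(cd)), "big"), e, n)  # best effort without d
    out["forge_from_breach"] = rp.verify_assertion("alice", {"credential_id": cred_id,
        "client_data": cd, "authenticator_data": auth_data, "signature": forged})
    # 3. Phishing page on a look-alike origin: the browser scopes the request to its own host.
    try:
        browser_login(phone, "https://shop-example.co", cred_id, rp.new_challenge())
        out["phish"] = "assertion produced"
    except KeyError:
        out["phish"] = "no credential for that origin"
    # 4. Even an assertion signed for the right rp_id but reporting the wrong origin is rejected.
    cd = json.dumps({"type": "webauthn.get", "challenge": rp.new_challenge(),
                     "origin": "https://shop-example.co"}, sort_keys=True).encode()
    auth_data, sig = phone.get_assertion(cred_id, "shop.example", cd)
    out["wrong_origin"] = rp.verify_assertion("alice", {"credential_id": cred_id,
        "client_data": cd, "authenticator_data": auth_data, "signature": sig})
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18s} {v}")
```

Two design points are worth noticing. The relying party's table holds nothing but public keys, so the "breach" scenario has the attacker compute with the public exponent alone and fail the signature check; that is the sense in which a leaked passkey table is useless. And the challenge is discarded the moment it is presented, whether or not the rest of the checks pass, so a captured assertion cannot be replayed and a challenge cannot be used for repeated guessing. Registering a second authenticator is just another `register` call for the same user, which is how one account ends up with several public keys.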
 