Single point of failure (your phone) and websites still allow login/password, so passkeys do nothing to improve security.

If someone has your phone you're already deep into a problem.

You're right that as long as username/password is still allowed, security hasn't been significantly increased as that's still an attack vector.

But what they do to improve security is stop the sending of secrets back and forth, and not give the website anything valuable to have stolen from it. I too am worried about the idea of having to maintain a chain of physical devices with Passkeys, but if you enable them and can turn off username/password it is an improvement.

Security is really hard and really inconvenient to do completely correctly. But I do think passkeys are helpful if used correctly.
 
Single point of failure (your phone) and websites still allow login/password, so passkeys do nothing to improve security.
The notion that just because there is a password fallback alongside passkeys means that passkeys do nothing to improve security is absurd. While it may be less secure than passkeys-only, it is still an improvement over not having passkeys at all. For example, using passkeys means that probably 99% or more of the time that users are going to be interacting with a website they are not going to be using passwords. That right there reduces the attack surface significantly. Also, since users are going to almost always be logging into a site with passkeys rather than passwords, then if they are challenged with a password to access a site that they know they have been reliably logging into using passkeys for a long time, they are going to be much more suspicious and alert to the possibility that a phishing attempt might be at play.

With respect to your phone being a single point of failure… you can register more than one device to use passkeys with.
 
I didn't know Twitter was still a "thing" :D 🤣
As strange as it sounds, I follow a lot of devs, and find really great info about making iOS apps. I haven't found a way to find as much info on other platforms.
 
The notion that just because there is a password fallback alongside passkeys means that passkeys do nothing to improve security is absurd. While it may be less secure than passkeys-only, it is still an improvement over not having passkeys at all. For example, using passkeys means that probably 99% or more of the time that users are going to be interacting with a website they are not going to be using passwords. That right there reduces the attack surface significantly. Also, since users are going to almost always be logging into a site with passkeys rather than passwords, then if they are challenged with a password to access a site that they know they have been reliably logging into using passkeys for a long time, they are going to be much more suspicious and alert to the possibility that a phishing attempt might be at play.

With respect to your phone being a single point of failure… you can register more than one device to use passkeys with.
Passkeys fail the KISS test. Just read the how-to article on How-To Geek on setting up and using passkeys; it's over ten pages. If a solution is complicated it will have multiple points of failure (iCloud access is incredibly fragile since Apple assumes you own multiple Apple devices all running the latest OS). Until you have a simple universal solution, passwords will remain the standard and passkeys will remain another niche technology that was supposed to replace passwords.
 
Passkeys fail the KISS test. Just read the how-to article on How-To Geek on setting up and using passkeys; it's over ten pages. If a solution is complicated it will have multiple points of failure (iCloud access is incredibly fragile since Apple assumes you own multiple Apple devices all running the latest OS). Until you have a simple universal solution, passwords will remain the standard and passkeys will remain another niche technology that was supposed to replace passwords.
Passkeys are more difficult on a technical level, but the user experience is usually extremely simple. If you’re using a phone, you go to the website of a service that supports passkeys, go to the security settings for your account, and click “add passkey”. If you’re on your phone you’ll get a pop-up asking if you want to add a passkey; you click yes. The next time you go to that site, instead of entering your credentials you click “Use passkey”, the phone uses your biometrics to authenticate you, and you’re in. There’s nothing to remember, so no risk of forgetting, and it can’t be cracked like a password can.

You can get more technically advanced with passkeys, like using a hardware key as your passkey, but most people will use their phones and that is extremely simple.
 
Who still calls it a tweet? That is so 2000s. Tweets are now posts. In the same app update that wiped out the bird logo, the company swapped its classic blue “tweet” button for one that says “post.” I'm going to go "post" something. This is so 2000s as well... It has no character to it. I stopped using the platform when I could no longer "tweet" something. :rolleyes:
 
The notion that just because there is a password fallback alongside passkeys means that passkeys do nothing to improve security is absurd. While it may be less secure than passkeys-only, it is still an improvement over not having passkeys at all.

It's really not absurd. The key security gain of passkeys over username/password pairs is that with passkeys - there is nothing stored on the server side that can be stolen and used to access the service.

As long as a service continues to maintain username/password pairs as backdoors, in addition to passkeys - that attack vector still remains. Services need to remove username/password access for any real security improvements.

Your security is as strong as the weakest link.
 
This would have come in handy before Musk woke up one day and decided two factor was for paying customers only, and locked me out of my account forever since it had a phone number on it, and now I can't even log in to remove the phone number.

Top class engineering work. I'm officially on team "go die in a fire Twitter."

Are you intentionally being disingenuous?
 
Not sh*tting on Twitter/X specifically but over the last 10 years social network owners have made everything possible and impossible to make using their websites a total nightmare.

You write a meaningless comment? You get banned or shadowbanned.
Posting too many photos? Feed won’t show your new ones. You just want to find friends? Good luck, friendship is IRL now, get lost.

When Instagram first came out it was a nice hipster polaroid photo album. Now it is overloaded with useless features that nag you every second - stories, reels, videos. And every 2nd post is an advertisement. I know Mark needs money, but there is no point for people to subscribe to a voluntary ad network.

Also it is highly idiotic when you register an account there and they instantly start to recommend your profile to everyone on your IP address and everyone who knows your email/phone number. What if I just want to use Facebook Groups?

And what was the point for Facebook to divide the app into Messenger and Facebook, so there will be twice as many useless social trashbins that drain iPhone battery?

In fact, there is almost no point in using social networks today, unless you run some small business and need a “social face”. And I mean all of them – Facebook, Instagram, Twitter/X, TikTok.

YouTube is useful sometimes tho. Especially with adblock🗿
 
Are you intentionally being disingenuous?

Nope. The login flow is broken. I get just logged in enough to tell me two factor is for premium accounts only, which redirects me back to log in. Can’t get to settings page. Maybe I could try contacting support, maybe they eventually fixed it, I don’t care anymore. That account is not worth any more of the hassle of dealing with a broken login flow because he made a dumb decision. I don’t want back in now. I made another dummy account for content I have to see but I’m not using it by choice.
 
Great. Now Musk AND Putin will have everyone's data.
They already have. Billions of people use Telegram and it has very deep roots in Russia, while publicly they say that it is “focused on privacy”. Musk's Tesla is basically a spy car that can record videos with audio whenever it wants to.

Until people wake up and move their communications to something more secure and based in the US only, there will be data breaches and all this stuff.

Right now I haven’t seen something more secure than Apple’s iMessage and FaceTime. WhatsApp from Facebook is also OK because it stores all data on individual phones.

I have seen everyone promoting Signal but I would not trust this one either. Why should anyone trust something endorsed by Snowden, who is now a full-right citizen of Russia?
 
Not sh*tting on Twitter/X specifically but over the last 10 years social network owners have made everything possible and impossible to make using their websites a total nightmare.

You write a meaningless comment? You get banned or shadowbanned.
Posting too many photos? Feed won’t show your new ones. You just want to find friends? Good luck, friendship is IRL now, get lost.

When Instagram first came out it was a nice hipster polaroid photo album. Now it is overloaded with useless features that nag you every second - stories, reels, videos. And every 2nd post is an advertisement. I know Mark needs money, but there is no point for people to subscribe to a voluntary ad network.

Also it is highly idiotic when you register an account there and they instantly start to recommend your profile to everyone on your IP address and everyone who knows your email/phone number. What if I just want to use Facebook Groups?

And what was the point for Facebook to divide the app into Messenger and Facebook, so there will be twice as many useless social trashbins that drain iPhone battery?

In fact, there is almost no point in using social networks today, unless you run some small business and need a “social face”. And I mean all of them – Facebook, Instagram, Twitter/X, TikTok.

YouTube is useful sometimes tho. Especially with adblock🗿
Agreed. That's what happens when you combine corporate America's insatiable appetite for profit with society's hyper-individualized egotism. While I haven't outright deleted any of my accounts across the various platforms (I still find some value in each of them on the premise on which they were founded), I've significantly reduced the amount that I use them. I'm almost 30 now and compared to my early 20s I hardly use any social media anymore. I check each of them maybe once or twice a week and I actively use them - posting, commenting, etc. - even less than that.

While I would never advocate for State intervention to drive a wedge between social media and its zombified users, I hope that it ends up naturally falling out of fashion through social ostracism, much the same way smoking did in recent decades.
 
They already have. Billions of people use Telegram and it has very deep roots in Russia, while publicly they say that it is “focused on privacy”. Musk's Tesla is basically a spy car that can record videos with audio whenever it wants to.

Until people wake up and move their communications to something more secure and based in the US only, there will be data breaches and all this stuff.

Right now I haven’t seen something more secure than Apple’s iMessage and FaceTime. WhatsApp from Facebook is also OK because it stores all data on individual phones.

I have seen everyone promoting Signal but I would not trust this one either. Why should anyone trust something endorsed by Snowden, who is now a full-right citizen of Russia?
It's extremely naive, and honestly delusional, to think that US based companies are more secure and safe with our data than Russia or China. We know the NSA actively spies on US residents, including citizens, and Facebook has been hit again and again with revelations of illegal data sharing (most recently with Netflix, but of course there was the whole Cambridge Analytica debacle). If the service is based in any Five Eyes country, you should expect that your data is being backdoored and is for sale.

And I'll trust Snowden any day over US politicians who are bought and sold by mega corps that grandstand about "data security" while letting Facebook, Google, and any other major tech company have deep access and ties to the NSA.


It's really not absurd. The key security gain of passkeys over username/password pairs is that with passkeys - there is nothing stored on the server side that can be stolen and used to access the service.

As long as a service continues to maintain username/password pairs as backdoors, in addition to passkeys - that attack vector still remains. Services need to remove username/password access for any real security improvements.

Your security is as strong as the weakest link.

You are correct that the password remains the weakest link and the biggest attack vector as long as these services allow for a password backup. However, this is a transitional period. These companies need to be able to get people on board so we can get to mass adoption on passkeys. Once that happens they can phase out passwords as a login option. Right now, if they said you should switch to passkeys and oh by the way doing that means your password disappears, it would scare a lot of people off. I can't currently think of a service other than 1Password (via a beta) that gives you the option to use ONLY a passkey with no backup of any kind. Microsoft might do that but you're forced to use their authenticator if you want to go passwordless, and no way am I going to install an authenticator for one service only.

The best way to manage things for right now is to get a robust password manager that can generate a high entropy password for those services so they are difficult to crack, and also adopt passkeys so we can get closer to the period of phase out for passwords (and all the good password managers now support passkeys so you don't have to keep them on your phone only, you can access them across devices and operating systems).
 
Passkey does show as an option on my device. App is up to date.

Edit: aha, they translated the word to the same as "Password" in my language (Danish). Clever, clever :D
 
It's really not absurd. The key security gain of passkeys over username/password pairs is that with passkeys - there is nothing stored on the server side that can be stolen and used to access the service.

As long as a service continues to maintain username/password pairs as backdoors, in addition to passkeys - that attack vector still remains. Services need to remove username/password access for any real security improvements.

Your security is as strong as the weakest link.
Nevertheless, it is still much better if a service offers passwords and passkeys than just passwords. Moreover, a service that’s forward-looking enough to implement passkeys is highly likely to also properly store user passwords hashed and salted. As such, even if the website is broken into, the stored passwords are of little value.

On the client side, passkeys make it much more difficult to phish for credentials. If a bad actor tries to trick the user into using a password instead, then given that the user has almost always used passkeys in the past to log onto the site, being presented with a password challenge will likely prompt the user to be on the alert for a potential phishing attack.
 
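As an added illustration of the two replies above (nothing secret stored server-side, and the origin binding that makes phishing harder), here is a Go sketch that is not code from this thread or from X/Twitter. The phone keeps the private key, the site stores only the public key, and each login signs a server challenge together with the domain the browser reports; the type names, usernames and the "twltter.com" lookalike are illustrative assumptions, and the WebAuthn message layout is simplified as the comments note.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Authenticator models the phone: private keys never leave it and are keyed by the rpId they were minted for.
type Authenticator map[string]*ecdsa.PrivateKey

// RelyingParty models the website: it stores only public keys, so a stolen copy of this table
// cannot be used to log in, unlike a leaked password hash that can be cracked offline.
type RelyingParty struct {
	rpID string
	pubs map[string]*ecdsa.PublicKey // keyed by username
}
func NewRelyingParty(rpID string) *RelyingParty { return &RelyingParty{rpID, map[string]*ecdsa.PublicKey{}} }

// Assertion is the login response: no secret, just clientData and a signature over its hash.
type Assertion struct{ ClientData, Sig []byte }

// Register mints a key pair bound to the site's rpId; the site keeps only the public half.
func Register(a Authenticator, rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err == nil {
		a[rp.rpID], rp.pubs[user] = priv, &priv.PublicKey
	}
	return err
}

// Sign answers a challenge for the origin the browser reports (simplified: origin and challenge both sit
// in clientData; WebAuthn also signs an rpIdHash). A lookalike domain has no credential, so it gets nothing.
func Sign(a Authenticator, originRPID, challenge string) (*Assertion, error) {
	priv, ok := a[originRPID]
	if !ok {
		return nil, errors.New("no passkey registered for " + originRPID)
	}
	cd, _ := json.Marshal(map[string]string{"challenge": challenge, "origin": originRPID})
	h := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return &Assertion{cd, sig}, err
}

// Verify checks the origin and challenge binding, then the signature against the stored public key.
func Verify(rp *RelyingParty, user, challenge string, as *Assertion) bool {
	var cd map[string]string
	pub, ok := rp.pubs[user]
	if !ok || json.Unmarshal(as.ClientData, &cd) != nil || cd["origin"] != rp.rpID || cd["challenge"] != challenge {
		return false
	}
	h := sha256.Sum256(as.ClientData)
	return ecdsa.VerifyASN1(pub, h[:], as.Sig)
}
```

A response signed for twitter.com verifies only there and only for the challenge that site issued; a page on a lookalike domain never receives a signature at all.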
Took their time rolling out beyond US users but it seems to work at a basic level.

There’s no passkey ‘settings’ to speak of, just an off/on switch and the usual initial passkey creation process. Creating multiple passkeys for an ‘X’ account doesn’t seem to be possible.

The domain tied to passkeys is still twitter.com, they really can’t escape it!

Passkeys fail the KISS test. Just read the how-to article on How-To Geek on setting up and using passkeys; it's over ten pages. If a solution is complicated it will have multiple points of failure (iCloud access is incredibly fragile since Apple assumes you own multiple Apple devices all running the latest OS). Until you have a simple universal solution, passwords will remain the standard and passkeys will remain another niche technology that was supposed to replace passwords.
Passwords done properly fail the ‘KISS’ test.

Properly meaning using a (protected) password manager to generate, store, synchronise and autofill unique, high-entropy passwords. Ideally a separate manager is used to store MFA/2FA TOTP codes, where supported, and for SMS passcodes you’re lucky if you’ve got something like an Apple OS that autofills and auto-deletes them.

If you’re using a password manager, passkeys aren’t much different from a user experience pov.
 
Single point of failure (your phone) and websites still allow login/password, so passkeys do nothing to improve security.
Both passkeys and passwords are stored in iCloud Keychain. I don’t think passkeys worsen the problem.
 