@mcc

I sometimes wonder if I want passkeys, but as far as I understand, they provide convenience at the cost of security.

A proper random password kept in a password manager combined with U2F/TOTP on a separate device is more secure, because you have two independent factors for login (and the password manager and U2F provide the anti-phishing so beloved by FIDO alliance).

With a passkey, you really have one: the password manager with the passkey.

But it is more convenient than using a password manager and a U2F token.

@Leszek_Karlik A password is less safe than a passkey because it can be MITMed and reused. On entry it can be stolen if your computer is compromised or there's a camera watching you type. On receipt, it can be exfiltrated if the web server or its edge server is compromised.

Now, random PW+TOTP as you say, that looks more appealing the more I see how passkeys turned out. But with passkeys in the world, TOTP support may not be an option in future (NPM recently put hard restrictions on TOTP use).
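The MITM and reuse points above come down to what the relying party can check: a WebAuthn assertion is signed over the challenge and the origin the browser actually saw, so a relayed or replayed assertion fails verification. The following is an added illustration, not code from either poster; the relying party `bank.example`, the look-alike origin and the challenges are constructed, and a stdlib HMAC key stands in for the authenticator's per-site ECDSA key so it runs without extra packages.

```python
import hashlib, hmac, json, secrets

RP_ID = "bank.example"            # constructed relying party
RP_ORIGIN = "https://bank.example"

class Authenticator:
    """Stand-in passkey store: one secret per credential, scoped to an RP ID.
    A real authenticator holds a per-site private key and signs with ECDSA;
    an HMAC key (shared with the RP at registration) models that here."""
    def __init__(self):
        self.creds = {}

    def register(self, rp_id):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self.creds[cred_id] = (rp_id, key)
        return cred_id, key       # key plays the role of the public key

    def get_assertion(self, cred_id, origin, challenge):
        rp_id, key = self.creds[cred_id]
        # The browser, not the user, records the origin it is talking to.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01\x00\x00\x00\x01"
        signed = auth_data + hashlib.sha256(client_data).digest()
        return client_data, auth_data, hmac.new(key, signed, hashlib.sha256).digest()

def verify_assertion(expected_origin, rp_id, challenge, key, client_data, auth_data, sig):
    """Relying-party side: the checks a WebAuthn server performs on an assertion."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != challenge:        # stale or reused assertion
        return "challenge mismatch (replay)"
    if cd.get("origin") != expected_origin:     # assertion made on another site
        return "origin mismatch (phished)"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(client_data).digest()
    if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig):
        return "bad signature"
    return "ok"

def demo():
    authn = Authenticator()
    cred_id, key = authn.register(RP_ID)
    challenge = secrets.token_urlsafe(32)
    good = authn.get_assertion(cred_id, RP_ORIGIN, challenge)          # real login
    # Relay: the real challenge is forwarded, but the browser still names the
    # look-alike origin in clientData, so the signature covers the wrong origin.
    relayed = authn.get_assertion(cred_id, "https://bank-login.example", challenge)
    fresh = secrets.token_urlsafe(32)                                    # next login
    return (verify_assertion(RP_ORIGIN, RP_ID, challenge, key, *good),
            verify_assertion(RP_ORIGIN, RP_ID, challenge, key, *relayed),
            verify_assertion(RP_ORIGIN, RP_ID, fresh, key, *good))      # replay
```

A real browser would not even offer the credential to the look-alike domain; the example shows that the server-side origin and challenge checks reject the assertion on their own, which a relayed password or TOTP code has no equivalent of.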
