Passkeys are now enabled by default for Google users

299 points by vdelitz, over 1 year ago

64 comments

jiggawatts, over 1 year ago
As others have pointed out, cryptographic authentication is very hard to bootstrap if you simply lose your device.

Just last month my missus cracked the glass of her iPhone. Apple repaired it under AppleCare, which is great… except… that they didn't tell her that the "glass repair" entails them replacing the guts of the phone and wiping it in the process.

Apple iPhone backups don't contain cryptographic secrets like eSIMs!

She got stuck in a loop where she couldn't activate her eSIM because that needed her email, but her email needed MS Authenticator, which she couldn't activate without an SMS.

She had to drive to the Telco with a pile of photo ID to reissue her eSIM. Her bank account got locked in the process despite the password being correct because of some sort of phone hardware lock.

This took days to fix and multiple in-person visits to various organisations. If this had happened while overseas on holiday, she would have been screwed.

Times have changed.

Your entire digital identity is now a smart card in your phones.

That smart card is either a SIM card or an onboard TPM chip, but in any event if you lose it, you may as well be dead as far as anyone else is concerned.

Passkeys make this much worse. At least if you still have a physical SIM you can transfer it from any phone to any other phone.

Passkeys are not cross-vendor transferable!

Run away screaming. Don't believe the hype. Wait until the vendors get their act together and come up with a solution for transfer and recovery.
rawgabbit, over 1 year ago
While I believe this is a step in the right direction, I have read too many horror stories of people who were locked out of their Google and iCloud accounts with no real possibility of getting back in.

I don't think I am alone in thinking I am on borrowed time. Someday, probably due to my own fault, I will be locked out of Google and my digital life will be over.

If a private company can offer a similar login method like login.gov and let me talk to a real person when I am locked out like the USPS, I will be screaming shut up and take my money.
leotravis10, over 1 year ago
Lauren Weinstein is sounding the alarm on passkeys, which are flawed and would make a huge headache for a lot of people, especially normal folks. https://mastodon.laurenweinstein.org/@lauren/111103819626952178 https://mastodon.laurenweinstein.org/@lauren/111211366080459949
LeoPanthera, over 1 year ago
1Password enabled PassKey support recently and I was "surprised" to learn that there is no way of exporting them out of 1Password. They're not included in the 1PUX format export, nor in the CSV.

That means that they're literally impossible to back up. If 1Password goes down, or the company stops operating, or anything else like that, your Passkeys are just... gone. Absolutely no way to recover them.
frabcus, over 1 year ago
As a user I still don't understand this.

What happens if there's a house fire or something and all my devices where I'm logged in with Google break? How do I log into my account again?
rmellow, over 1 year ago
Simpson's Paradox lives here.

On average, this might increase security (the vast majority of users are terrible at using passwords).

For proficient users who use passwords securely, this is an acute drop in security (if forced to use).

Forced phone number 2FA has the same effect; in Big G's case forcing phone number 2FA is anti-anonymity disguised as security. In this case, it's a bid for biometrics.
cjcampbell, over 1 year ago
I'm surprised that they're moving forward with this already. As of last week, there were still enough rough edges on their implementation that I disabled it for my Workspace tenants. The two most irritating:

1. Advanced protection doesn't yet support passkeys. You must keep U2F in place for now.
2. If you have a U2F key configured on your account, Google will prompt you to use it as a passkey before telling you that it's not a passkey and you must login with your password. The net result is that anyone using phishing resistant MFA loses the ability to have their MFA step "remembered" on a device because Google will always prompt for the U2F factor before the password.

This aside, I've been doing a lot of testing with FIDO2 flows using security keys and passkeys across device types and platforms in preparation to roll out passwordless via Okta with a couple of smaller clients. Overall, I love the authentication flow, but there are a lot of gotchas to keep in mind. We've spent a considerable amount of time mapping out the happy path, creating onboarding resources, and documenting business continuity scenarios. The personal use case is actually more of a challenge in some ways, because you need to think about each service rather than just one IdP.

FYI, the easy path right now if you need to support multiple environments is to invest in 1Password or another password manager that supports passkeys. This provides the most consistent user experience and works across most platforms, though we're still having trouble with Android 14.

We're sticking to hardware keys for highly privileged accounts, so admins get a pair of FIDO2 keys. Everyone else gets one Yubikey, which serves as a backup if they lose access to their devices or need to login on an untrusted device. Android is also a problem here. Even in 14, it doesn't seem to support passwordless FIDO2 flows.
netsec_burn, over 1 year ago
This is an interesting direction. It's worth noting that biometrics, like fingerprints or facial recognition, aren't really 'secrets'. They can be observed or leveraged without a user's knowledge or consent, and in many ways function more like a username than a password.
mission_failed, over 1 year ago
Most accounts with passwords have the fail-safe method of 'prove my identity to company, they reset'. I.e. if you can't remember your bank password, there are paths for the bank to reset it for you.

Anything that Google controls, you have absolutely no way to get in contact to resolve issues. This is already a problem with all of their products. Locking all of your access behind a Google controlled door is just setting yourself up for a future nightmare.
latchkey, over 1 year ago
Still can't store passkeys in Bitwarden, which is a bummer. Should be coming in Oct though per the message at the top of this page.

https://bitwarden.com/blog/bitwarden-passkey-management/
aboringusername, over 1 year ago
One question I don't often see asked in regards to passkeys: what is the legal standing in regards to law enforcement access to 'passkeys' vs passwords?

For example, it is completely valid to say I genuinely do not know my 1000 long multiple special character password; it could be on a piece of paper, in a file encrypted with multiple layers. Essentially, there is no foolproof way to ever prove whether I know a given password, or not, especially if the password is only ever in my head (assuming the plaintext version is never logged, all you would ever have as 'proof' is a hash to compare it to).

Passkeys make it so that, I imagine, there is an element of 'proof' at all times; your face, fingerprints (which in some countries you are required by law to provide). I can't disprove I "own" my fingers so that element is always there, and you can be compelled to provide your fingerprints at any time for any reason. With a password, it is impossible to know whether I know a password.

In that sense, a password is far, far, far stronger than any other method of authentication.

Take a scenario: Mr Police wants access to your phone, it's protected only by your fingerprint, pretty easy to gain access. Now do the same but with a password that's sufficiently complex, written on a now shredded piece of paper, and there is genuine plausible deniability.

I imagine in a lot of cases this is extremely important and passkeys will be shunned altogether.
pentagrama, over 1 year ago
> To use passkeys, you just use a fingerprint, face scan or pin to unlock your device, and they are 40% faster than passwords

> We've found that one of the most immediate benefits of passkeys is that they spare people the headache of remembering all those numbers and special characters in passwords.

So they aren't considering at all how easy the autofill password feature is with a password manager (which they even have built into Chrome/Android).
jjoonathan, over 1 year ago
Ugh, is this why my FIDO key started making me enter a redundant pin on the company login page (so: enter password, press FIDO key, enter PIN, press FIDO key)?
Bluecobra, over 1 year ago
So what happens when I die and my spouse or next of kin has to deal with this stuff? As the executor of my father's estate, he kept a physical password book that was instrumental in making it easy for me to settle his affairs.
jehb, over 1 year ago
There are a lot of interesting points being made in the conversation here.

What I haven't seen yet is a reminder that a Google Account is effectively Google's private property that they're letting you access in exchange for vacuuming up your personal data.

The only winning move is not to play.
reisse, over 1 year ago
Always remember that passwords are protected by the Fifth Amendment and similar laws in other countries, but there is no law prohibiting an officer from putting your phone in front of your face to unlock it.
jval43, over 1 year ago
Never. You can pry my passwords from my cold, dead hands.
k8svet, over 1 year ago
Oh I'm seething. Screw google, so god damn much.

They've been accidentally enabling it for nearly a month if not more. And the UX has been infinitely confusing. I've been using 2fa for a decade (not an exaggeration, an understatement). I've been using u2f since the first month it was available and FUCK Google for this blog post.

A month ago I logged in and tried to check on my security tokens. Their UI was silently upconverting them. Without telling me. And the flow made it look like it was just deleting them. Hours later I realize it had re-enrolled them AND IT LOST THE DESCRIPTION I GAVE TO THEM. To be clear, it trashed the description I gave them during (what I didn't know at the time) was re-enrolling them as passkeys, because I sure as hell wasn't in the passkeys area. So not only did I inadvertently change them, they're now indistinguishable and unidentifiable to me. So if I want to ensure my primary and backup tokens are enrolled properly, I have to do it all over again, with all of them in my possession.

Seriously, I have defended google against all sort of claims with respect to their 2FA and they can absolutely get up their own after what they pulled, and now this blog post.

Do some god damn basic (user) testing FFS. I would literally pay $1000usd right this second to scream at the people who green-lit and implemented this. And another $1000usd to ensure to people here that I know DAMN WELL what I'm talking about here. It's not like I don't have video evidence of exactly what I'm stating here on an unlisted YT video tweeted at Google Security.

Edit2: to be VERY clear, I have a video I reviewed, just now, that shows me trying to enroll an existing Security Token with a description, it disappearing, it then appearing as a Passkey with no description.
JaneLovesDotNet, over 1 year ago
Correct me if I'm wrong but isn't it fair to say that passkeys secured on your phone are more secure than 1FA (password) but less secure than "traditional" 2FA?

    Passkey 2FA: unlock your phone and the passkey on your phone can log you in.
    Traditional 2FA: remember a password AND unlock your phone (where your TOTP is stored) and you can login

If I were to rate all 3 methods on a scale of 1 to 10, for convenience and security, I'd say:

    Method            Convenience  Security
    Password only:    4/10         2/10
    Passkey 2FA:      9/10         8/10
    Traditional 2FA:  6/10         9/10

Fair?
powera, over 1 year ago
Nope, not signing up.

The trend from Google continues to be towards "if you lose your phone with your credentials, you will be unable to log in". And Google refuses to create a scalable system that allows you access to your account by verifying your identity in person.

This is a recipe for disaster. And, possibly, a warning to move off GMail before it gets worse.
iand, over 1 year ago
"To use passkeys, you just use a fingerprint, face scan or pin to unlock your device, and they are 40% faster than passwords — and rely on a type of cryptography that makes them more secure."

Who wrote this sentence? It's just a mess.
endisneigh, over 1 year ago
Once this rolls out plus attestation the days of using mainstream sites anonymously with an account will come to an end.
shadowgovt, over 1 year ago
Passkeys make accessing all your online services as easy as accessing your phone.

... that is a statement that some people will find convenient and some people will find terrifying. As much as I'm excited for the convenience, this is my primary concern: how easy is it for a stranger to unlock your phone? Most people intentionally keep their phones easy to unlock because they're doing that dozens of times a day.
december456, over 1 year ago
I won't add on to the technical aspect of the discussion, but this whole article is "it's easier and it's faster and it's less expensive for you!!", a data-harvesting tactic that has been used for years. Please think, people. I get the security aspect, but this technology gives up an astronomic amount of personal freedom, even if vendor lock-in is somehow eliminated, and biometric data.
1980phipsi, over 1 year ago
Fingerprints and face scans are better replacements for user names than passwords.

I had read some good things about YubiKey, but I don't think I could get it to work on my corporate computer.
rcarmo, over 1 year ago
As usual, the multi-device/multi-OS and recovery scenarios are simply glossed over. I'll stick with a password vault I can sync to multiple OSes, thanks.
p1mrx, over 1 year ago
What happens if I lose my phone?
fortran77, over 1 year ago
My 90 year old mother saw this change, clicked on something she can't remember, and now can't log in. She's been able to log in using the username and password she keeps on a card next to the computer just fine up to now.
jiveturkey, over 1 year ago
I feel that this is net negative.

You have to meet people where they are at.

Per some support document (sorry, lost the link), by default Android users will have passkeys synced to their Google account. So first of all, this is a lock-in play on Google's part. The passkey FAQ only mentions iCloud, so second of all it's a duopoly reinforcement. (This really needed Apple to first release passkey support.)

Beyond that, there are so very many ifs, ands, and buts around recovery and third party device usage that a typical user can't really keep it straight.

It's more convenient ... until it isn't.
redrblackr, over 1 year ago
I was surprised by the amount of dislike of passkeys in this thread until I realised I had misunderstood what passkeys refer to.

I thought it was the same as security keys, which are like digital, but still physical, keys. They are awesome, one just has to have two and you are set. Passkeys tied to a cloud service or device like a smartphone are a terrible alternative (comparatively), from privacy and security (as in not getting locked out) standpoints. At least they use FIDO2, so pushing for passkeys adds support for security keys at the same time.
isykt, over 1 year ago
Why is a pin more secure than a password?
efitz, over 1 year ago
There's a good, simplified diagram of how passkeys work here: https://github.com/passwordless-id/webauthn#how-does-the-protocol-work
smeej, over 1 year ago
There's one elephant in the room I'm not hearing enough about, namely the legal precedent (at least in the U.S.) that you can legally be compelled to provide a biometric identifier (fingerprint, face scan, etc.), but cannot be compelled to provide a password, as that would be "compelled speech" and violate the first amendment.

I disable all kinds of biometrics from my devices when traveling for this reason specifically. Passwords in my password manager aren't the whole password. There's another component in my head that I won't (and, more importantly, cannot be compelled to) disclose.
hooverd, over 1 year ago
There's nothing about the PKI aspects of passkeys that requires you to buy into a vendor ecosystem and have them on device, right? They're just key pairs, but I guess it's as good a chance as ever to ram through device attestation.
TheBlight, over 1 year ago
Probably a stupid question but why can&#x27;t photos of my face be used to defeat this?
hedora, over 1 year ago
Can we decide to band together as an industry and call this "zero factor authentication", since you login without using something you know or something you own/control?

The only way I can think of to explain this to a non-techie is "your account is now tied to your [singular] device, and neither a password nor a replacement device (like a new sim card) will let you in."

So, it really does remove both factors from 2FA, and the logical conclusion holds.

Either anyone can get into an account with a "I broke my phone" social engineering attack, or the account owner cannot reliably authenticate.
grotorea, over 1 year ago
A FAQ at the bottom answers some questions: https://safety.google/authentication/passkey/

Seems that the recovery if you lose the devices with stored passkeys is still using a password.

And will it be possible to use software keys and back them up to wherever I want and use them with Google, or is it going to demand TPMs or that I keep the key in a secure vault in my phone or something of the sort?

There still isn't a way to use this on desktop Linux, right?
Bu9818, over 1 year ago
If I'm allowed to use a software implementation (like with TOTP) so that my private keys can be stored in, e.g., a KeePassXC database so that I can back it up by having multiple copies, then I'm okay with it. Is it possible for sites to deny certain webauthn providers (ignoring scenarios like attestation forcing you to use a locked down system where you can't run keepassxc)?

Hopefully Tor Browser can turn on security.webauth.webauthn in a safe way before sites force it to be used, too.
wkat4242, over 1 year ago
Hmmm. I don't want to be dependent on any cloud provider for my logins. Any passkey solution must be fully self hosted for me to accept it. Is there such a thing yet?
bufferoverflow, over 1 year ago
Isn't it obvious that logging in with your face or your fingerprint is less secure? Sure, it's convenient, but any thug can just forcefully unlock your device.
nottorp, over 1 year ago
No one has managed yet to explain to me how you recover access to an account using these passkeys if you somehow lose access to all your devices.

Note that I said "all your devices", so the cloud backup you dream of will also be inaccessible because I can't authenticate to that either.

And I know about backups... what about your average user who is likely to own a single phone and no other device? They lose access to everything if they drop it in the toilet?
CatWChainsaw, over 1 year ago
A thousand nopes. I don't care if it is 100% secure. This is one instance where "cloud" is better. Having the mother of all failsafes be a device that can be stolen, broken, or just plain borked on a dime, and potentially your entire digital life is now locked from your access for good? Great innovation there google, please kill this in 18 months please.
CosmicShadow, over 1 year ago
Is it hard to remember the one password you use for all Google services everyone's already been doing forever and will still have to do for every other site? When's the last time anyone even had to log into Google on any device? I'm signed in everywhere all the time and it almost never seems to expire...

My desktop doesn't have a camera, fingerprint reader or touch screen...
TacticalCoder, over 1 year ago
So what is going to happen to those who were using U2F and then later on webauthn?

If you registered, say, a Yubikey, many moons ago, on your Google account. Is this Yubikey now automagically going to become a "passkey"?

Or will you have to choose between logging in with your Yubikey or with a new passkey? (say something Google controls, in your phone for example)
renegat0x0, over 1 year ago
In one of my groups leaders decided to reuse google suite accounts. It was really difficult for me to accept the account from another person. Google sent multiple notifications to the other person's phone, I had to log out, configure two factor authentication, the other person had to ignore warnings about Linux access. It was a nightmare.
dagoodboy, over 1 year ago
When can we use real crypto on a Smart Card / PIV / CAC without relying on Google, MS, or the Government?
groovybits, over 1 year ago
I see a lot of misinformation, or misunderstanding, of Passkeys in this thread.

I highly recommend reading Steve Gibson's notes on Passkeys from his Security Now! podcast episode #870: https://www.grc.com/sn/sn-870-notes.pdf (p. 10-13)

For context, Gibson developed, and completed, an entirely secure and working solution to the problem Passkeys aims to solve, called SQRL (which I argue is better than Passkeys in a few ways). He is familiar with this problem space, and explains Passkeys in a straightforward way.

You can find this full podcast episode on Twit.tv: https://twit.tv/shows/security-now/episodes/870

You can also find a full text transcript of the episode, transcribed by a human, by hand, here: https://www.grc.com/sn/sn-870.htm
zackmorris, over 1 year ago
Will this work for social login, like if I use my iPhone to sign into Gmail with a passkey, can I then sign into Reddit with Gmail and not have to enter a password? I'm assuming so.
TMWNN, over 1 year ago
The post mentions eBay as a site using passkeys. eBay's implementation on PC accepts Touch ID, while Google's implementation did not the last time I tried it.
kats, over 1 year ago
Don't quite know how these work yet, but I appreciate how much work it took to make something good enough that it was approved. Cheers
nytesky, over 1 year ago
Can you store a passkey on a YubiKey? Or just buy a $100 android phone just for passkey backup to keep at home?
ok_dad, over 1 year ago
ahhhhh! yet another setting I have to go disable in my Google account. I use yubikeys for 2fa for a dang reason, don't try and force me to do stupid shit like this which will actually decrease my security!

I'm glad I only keep my Google account around for historical purposes and YouTube.
gumby, over 1 year ago
This may cause me to "up"grade to 1Password 8, which I have been dreading.
garganzol, over 1 year ago
What happens if the phone is lost? A famous Google support, I presume?
theyknowitsxmas, over 1 year ago
It's stupid these are required just to enable TOTP.
xhkkffbf, over 1 year ago
One of my companies switched to Yubi pass keys. They were super cool -- until I tried to log in on a computer with only USB-A ports. My key is USB-C. I suppose I need to get an adapter now.
kseifried, over 1 year ago
I might regret this but I have an (almost finished) draft of a paper on Passkeys. It is available, with comments enabled (which will be turned off if vandalism becomes a problem) at:

https://docs.google.com/document/d/1eBjQDWkbqXJSL4GRrAdTUcAx2mVRA9YeTJKr2JgnT0U/edit?usp=sharing

TL;DR:

============

Major insights in this paper:

Passkeys level up security, and while Passkeys make some tradeoffs concerning security vs. usability, they do not introduce any new attacks and make many existing attacks much harder or impossible (e.g. brute forcing attacks or credential stuffing).

Passkeys will bypass the hurdle of getting people to start using password managers, and will likely result in the widespread use of biometrics to secure Passkeys.

Passkeys can potentially make account sharing harder once attestation is supported, something a lot of service vendors are in favor of.

Passkeys are also easier to deploy and reliable due to optional device synchronization, which should reduce the need for account recoveries and lower support costs.

Passkey client support in both software and secure hardware tokens is widespread and available now on most platforms, browsers and most third-party password managers.

Passkeys are being deployed by major vendors (e.g. Google: https://blog.google/technology/safety-security/passkeys-default-google-accounts/).

============

Conclusion:

No new significant risks or attacks are introduced from the threat model perspective. From a usability and reliability perspective, Passkeys are infinitely better than passwords.

Finally, from a support perspective, chances are that if you currently use a system to manage your passwords, it already has Passkey support. For high-security applications, you can also choose to use your hardware token.

Web applications and websites are becoming increasingly critical to everyday life (banking, healthcare, education, shopping, etc.). We must improve security across the board and get rid of old and insecure things like usernames and passwords. The world has also changed, and virtually everyone has a smartphone, something unimaginable even ten years ago, let alone twenty.

Simply put, in every situation where you use a password, you should upgrade to a Passkey if possible.
awinter-py, over 1 year ago
ugh, companies really shouldn't blog about cyber awareness month until they fix the acronym
yieldcrv, over 1 year ago
does this work in conjunction with multifactor authentication?

like biometric + one time passcode?
nicman23, over 1 year ago
but i cannot just use a password for IMAP ffs
dilippkumar, over 1 year ago
Hot take here:

The biggest mistake that the passkeys movement made is trying to make it sound more marketable at the cost of oversimplification.

First up, these aren't really "no password" mechanisms. They're closer to ssh certificates. You need to authenticate through some other mechanism and then agree to do the equivalent of creating and installing ssh certificates on your device.

The ssh certificates get synchronized across your devices securely by your cloud provider. But they can never serve as the primary authentication mechanism; that will still have to be a traditional authentication mechanism.

It's mildly infuriating that someone decided to take this simple idea and confuse the fuck out of everyone by positioning it as some alternative to a password based authentication mechanism. Obviously everyone is going to come and ask a ton of questions about how a mechanism without any passwords should work. And then the responses further confuse everyone because they don't want to admit "no actually you still need passwords".

/rant
rkagerer, over 1 year ago
If I may, I'll repeat a comment I made a few days ago:

Give me an implementation I can self-host, without Google, Apple, etc. having effective control (including claws in my relevant software supply chain) and with an easy user experience, where I can maintain secure backups (on my own infrastructure, thank you) and smooth transition to future devices, and ideally, if needed, securely export root keys (cause if I don't control them then someone else owns them), and maybe I'll be interested.

In the meantime plain old high-entropy passwords with a good manager gives me all those features and a simplicity that's hard to beat.

In my 30+ years of computing I've suffered more harm from failures of other companies than I have from any failure of my own diligence. The whole lesson learned is to reduce trust in them and, maybe I'm wrong, but everything I've read about passkeys and the like seems to put me at the mercy of the companies developing and pushing the implementations of them down my throat. It will take a lot of trust before I give up my ability to copy/paste my credentials.

(https://news.ycombinator.com/item?id=37794379#37796842)
HumblyTossed, over 1 year ago
> What are Passkeys?

> Passkeys are a new way to sign in to apps and websites. They're both easier to use and more secure than passwords, so users no longer need to rely on the names of pets, birthdays or the infamous "password123." Instead, passkeys let users sign in to apps and sites the same way they unlock their devices: with a fingerprint, a face scan or a screen lock PIN. And, unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.

I HATE paragraphs like this. It's as if you're purposely obfuscating what they really are.
PreInternet01, over 1 year ago
G: Here's a cool new security feature!

HN: Yeah, but what if disaster scenario?

A1: If you're authenticating to Google because your $DAYJOB mandates it, contact your Enterprise Administrator. As part of their multi-gazillion deal with the dark side, I'm sure there is some kind of support for a recovery mechanism, and if there isn't: yeah, paid holiday until they figure it out!

A2: If you rely on Google for personal-slash-small-business reasons, please refer to the previous writing on the wall, and accept that all is probably lost...