mastodon.me.uk is one of the many independent Mastodon servers you can use to participate in the fediverse.
Open, user-supported, corporation-free social media for the UK.


**** The Google passkeys threat model ****

So let's pull this together. Google says:

"When you create a passkey on a device, anyone with access to that device and the ability to unlock it, can sign in to your Google Account."

They then suggest keeping physical control of your devices is easier than watching for phishing attempts.

The reality is that every day many phones are stolen and successfully unlocked (or are already unlocked when stolen) by thieves. We've seen the reports lately of iPhone users being totally locked out of their Apple accounts when thieves reset security keys -- and Apple can't help.

But whether Android or iPhone, the bottom line is that, as I understand this, stolen unlocked phones using passkeys for account security give the thieves complete access to those accounts until such a time as the rightful owner manages to revoke them -- which could be hours in many situations out in public, far too late.

To me, this is putting too much faith in the physical security of the devices, when we KNOW that every day many are stolen, unlocked, and abused. Having passkeys in such situations could make even more accounts instantly vulnerable, given that the passkeys wouldn't need additional authentication to be used by the thief in these scenarios.

@lauren

I thought that passkeys still had to be biometrically authenticated before use, even on an open phone. Makes no sense otherwise.

@mackaj In fact, here it is explicit that biometrics are not required: "When you add a passkey to your Google Account, we will start asking for it when you sign in or perform sensitive actions on your account. The passkey itself is stored on your local computer or mobile device, which will ask for your screen lock biometrics or PIN to confirm it's really you."
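Added example, not code from this thread or from Google: it parses the flags byte of a WebAuthn authenticatorData structure to show what the site being signed in to (the relying party) actually learns from a passkey assertion. The UV bit only says that the authenticator verified the user with the screen lock; it does not say whether that was a fingerprint, a face or a PIN, so the relying party cannot require "biometric only". The BE/BS bits mark a credential that is eligible for, and currently in, a synced backup, which is how platform passkeys behave. The rpId "example.com" and the authenticatorData byte strings are constructed here for illustration.

```python
"""Parse WebAuthn authenticatorData flags and apply a relying-party policy.

Added example (not from the thread). Sample inputs are constructed inline.
"""
import hashlib
import struct

# Bits of the authenticatorData "flags" byte (WebAuthn spec, section 6.1).
FLAG_UP = 0x01  # User Present (touch / click)
FLAG_UV = 0x04  # User Verified (screen lock: PIN, pattern or biometric)
FLAG_BE = 0x08  # Backup Eligible (credential may be synced)
FLAG_BS = 0x10  # Backup State (credential is currently synced)
FLAG_AT = 0x40  # Attested credential data follows
FLAG_ED = 0x80  # Extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Return rpIdHash, decoded flags and signCount from the fixed 37-byte prefix."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def check_assertion_policy(auth_data: bytes, rp_id: str, require_uv: bool = True) -> list:
    """Return policy failures for an assertion (empty list means acceptable).

    Note what is NOT checkable here: whether UV was satisfied by a PIN or by
    a biometric. The flags byte carries no such distinction.
    """
    parsed = parse_authenticator_data(auth_data)
    failures = []
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rpIdHash mismatch")
    if not parsed["user_present"]:
        failures.append("UP not set")
    if require_uv and not parsed["user_verified"]:
        failures.append("UV not set")
    return failures


def build_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Construct a minimal authenticatorData (hypothetical sample, no attested data)."""
    return (
        hashlib.sha256(rp_id.encode()).digest()
        + bytes([flags])
        + struct.pack(">I", sign_count)
    )


if __name__ == "__main__":
    # Constructed sample: a synced platform passkey unlocked with the screen lock.
    synced = build_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
    print(parse_authenticator_data(synced))
    print("policy:", check_assertion_policy(synced, "example.com") or "ok")

    # Constructed sample: presence only, no user verification.
    presence_only = build_auth_data("example.com", FLAG_UP)
    print("policy:", check_assertion_policy(presence_only, "example.com"))
```

A relying party that sets userVerification to "required" can reject the second assertion, but for the first one it sees only UV=1; whether the thief typed a PIN or the owner used a fingerprint is invisible at this layer, which is the gap the discussion above is about.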

@lauren

I won't be recommending this to anyone who just uses a PIN then; that's just all kinds of stupid. PINs are not secure. Don't use them myself.

@mackaj I should add that even on my very recent phone with fingerprint capability, it's very hit or miss, especially when not sitting on a flat surface. No wonder so many people revert to PINs, etc. even if they've tried biometrics. Face stuff never worked for me in my tests.

@lauren

You should show this to people. If it doesn't scare them off using a PIN I don't know what will. PINs can be brute-forced in a day!

youtube.com/shorts/iatS86r1Hnk

@mackaj Good luck. Most people won't change, because they figure the bad stuff "will never happen to them." Similar battle as 2FA.


@lauren

I don't have to convince most people. Just those who are close to me and that I care about. I can do that, and already have.

@mackaj I've been working on this for many years. One problem is that even for those I've convinced to use 2FA (for example), when I check back later it turns out many have turned it off. Painfully, I know high level computer professionals who refuse to turn on 2FA, on the assumption that they use good passwords and don't share them, etc.

@lauren @mackaj I think the hurdle with MFA is that even the simplest solutions still require a lot of technical understanding.

Like using several YubiKeys (storing some in a secure location and carrying one), copying the secret, copying the backup keys (on a piece of paper, storing it such that it can be found again). Not all services allow for keys, hence auth apps are needed. ...

@infiniterecursion @mackaj It's all a moving target of course. Meanwhile, phishing attacks pour OUT from Gmail in a seemingly continuous stream directed at non-Gmail users.