Do you people trust companies with passkeys?

I feel like big tech have started pushing for passkeys really hard lately. Microsoft has been asking me if I want to switch to passkeys pretty consistently. Google just automatically brings up the passkey registration fingerprint scan system dialogue every single time I’ve been signing in on Android. Without even asking if I want a passkey or not, it just does it without saying anything. I think the intention is pretty clear: an unknowing person sees the completely random fingerprint scan dialogue, doesn’t think much of it, scans their fingerprint, and a passkey gets created automatically.

Well, I fell for their trick. I’ve been avoiding the passkey dialogue pretty consistently for a while now, but just now I was signing in while distracted and accidentally tapped my finger on the scanner by reflex on the prompt. I guess I have a passkey now. Yay.

I did some digging on my Google account settings and the internet, and I couldn’t find a way to completely remove the passkey. It seems you can only disable the use of passkeys, but the passkey itself remains. There is also a setting called “Skip password when possible”, which is clearly what has been causing the non-stop passkey prompts. It’s on by default. It’s a shame I’m only aware of it now that it’s too late.

Theoretically, the passkey standard itself should be private and secure. Throughout the process, the biometric information used for the cryptographic challenges never leaves the device, and the server only gets access to a signature that has been signed with the client’s private keys, which it can use to authenticate but can’t derive the private keys back from because of complicated math I didn’t spend enough energy to understand. Google automatically syncs the passkeys with its private keys with E2EE in the Google Password Manager tied to the account, which is where I start to get uncomfortable because I can’t bring myself to trust Google with E2EE.

What do you people think?

  • lemming@sh.itjust.works · 2 points · 19 hours ago

    I know very little about passkeys and would like to make use of this question to ask my own. How does backing the passkeys up work? Can I just keep a backup somewhere like with a password manager database? Can I use it anywhere, even if I want to use it one time on a friend’s device, for example? If it’s tied to a device, what if I lose it? What other practical advantages and disadvantages are there?

    I know these are probably naive and simple questions and I could find the answers myself, but I remember when I was trying to find similar things out about authenticators. I didn’t want to use them until I learned how to make backups, use it on different devices, including those that are not mine, etc. It took quite some time (of not that active looking, but still); most easily-found sources tend to not offer alternatives, especially when most people just use Google, Microsoft or Apple. I would very much appreciate some basic guidance from someone who has experience. I could probably ask AI, but honestly, I probably trust a kind internet stranger more.