Do you use passkeys?

Hi,

Since it’s been ‘democratised’, I’d like to know if some people have switched to passkeys or if you continue to connect with password + double authentication?
I’d also like to know what you think of passkeys in terms of security and what tools you use?

1 Like

I do. I appreciate them for the phishing resistance. I started to actively convert to passkeys in my password manager after this blog post. I figure if Troy can fall victim, then I certainly can.

2 Likes

I still have issues with portability especially when it comes to password managers. I will definitely convert when I feel like there is sufficient maturity. The implementation seems very beta right now.

2 Likes

I don’t. I don’t see any benefit. My important passwords and 2FA (TOTP, separate database) are completely offline, available on my computers & phone (synced via syncthing), and also backup disk and USB on my keychain.
As for phishing, I rely on my attention, but also try to avoid clicking links in my mails.

2 Likes

While I do have a passkey or two, I have not fully transitioned to it. But it looks like we may not have a choice (to some degree).

I have but only a few accounts actually have it enabled, and those that have don’t function like a passkey should.

Proton - requires TOTP to be enabled in order to use passkey

Amazon - cannot remove username and password after enabling passkey

GitHub - the only true passkey I’ve encountered

I don’t think GitHub allows you to remove your password or TOTP after setting up a passkey. You can definitely log in with just the passkey, but you cannot completely remove either.

2 Likes

Yes, I should have mentioned for GitHub I only checked if I was able to log in with a passkey and needed nothing else. Didn’t see if a password still needed to be enabled or if it could be removed.