Are you using Passkeys? And where are they saved?
BTW, this poll is inspired by conversations around my latest essay here: https://mkennedy.codes/posts/passkey-great-but-careful-of-the-lock-in/
@mkennedy It's an interesting question with interesting answers, but not really one that I feel comfortable answering in public, you know? Seems like maybe poor opsec.
@ryneches Sure, no need to answer if you don’t want. It’s pretty vague. I’m not sure you can see who answered what anyway on Mastodon. ;)
@mkennedy Not unless you're an instance admin, I don't think.
@ryneches @mkennedy Good point, actually. No one should know what you use. If you use passwords, what kind of passwords you use, or how long they usually are. Do you use words in them? Do you use a specific password manager? No one should know that; it makes it harder for the attackers if you don't talk about this in public.
@mkennedy I love passkeys, but the main downside for me is that every website that supports it has its own implementation, and it feels like passkey users are second-rate citizens.
Maybe a more strict implementation or standard framework/library could help.
@Kev_Prime I hear that. As long as there is also an option to keep your username/password, then it’s probably fine. If it were only passkeys, I’d be worried.
@mkennedy Yeah, some security folks have stated that having the old username/password available defeats the security purpose of passkeys.
Having the traditional password hashes stored on a server still allows them to be exfiltrated or abused if a hacker were to breach it.
One benefit of passkeys is that they're not stored on a company server, so it's harder to mass-compromise accounts, and if a bad actor did gain access to a company's infrastructure they can't access your passkey, as it's on your device. But if the same account has username/password enabled for login without forcing 2FA with the passkey, you're still owned.
@Kev_Prime Hey, that’s a fair concern. Passkeys are safer for data loss. But they are also way more likely to get you locked out of a service because something didn’t sync somewhere correctly. I would contend that companies that are good enough at security to offer passkeys probably have strong hashing/encryption, and it’s the ones that don’t offer them at all that are also the ones storing passwords without salt, with one hash iteration, etc.
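A worked illustration of the hashing point made in the reply above, added here as an example (it is not code from the thread or from any of the participants). It puts the weak form the post describes (no salt, one hash iteration) beside a salted, iterated PBKDF2-HMAC-SHA256 store from the Python standard library, and shows what a breached credential table reveals in each case: with the weak form, two users who chose the same password get the same stored value, so one cracked hash unlocks both accounts. The user names, passwords and the iteration count are constructed for the example.

```python
"""Unsalted single-iteration hashing beside a salted, iterated KDF.

Added example, not code from the thread. Sample users and the
iteration count are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample credential store: two users who picked the same password.
USERS: Dict[str, str] = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}

# Assumption: iteration count chosen for illustration (PBKDF2-SHA256 guidance
# from OWASP is in the hundreds of thousands; tune for your hardware budget).
PBKDF2_ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """Unsalted, single-iteration SHA-256: the 'before' the post complains about."""
    return hashlib.sha256(password.encode()).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256.

    The stored string carries the algorithm, iteration count and salt next to
    the digest, so the parameters can be raised later without a flag day.
    """
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def weak_store(users: Dict[str, str]) -> Dict[str, str]:
    return {user: weak_hash(pw) for user, pw in users.items()}


def strong_store(users: Dict[str, str]) -> Dict[str, str]:
    return {user: strong_hash(pw) for user, pw in users.items()}


def shared_password_visible(store: Dict[str, str]) -> bool:
    """True when identical passwords produce identical stored values.

    This is what an attacker holding a breached table can see without
    cracking anything: duplicate entries mean duplicate passwords.
    """
    return len(set(store.values())) < len(store)


if __name__ == "__main__":
    print("weak store leaks shared password:", shared_password_visible(weak_store(USERS)))
    print("strong store leaks shared password:", shared_password_visible(strong_store(USERS)))
    record = strong_hash("hunter2")
    print("verify correct:", verify("hunter2", record), "verify wrong:", verify("hunter3", record))
```

The per-user salt is what breaks the duplicate-detection and precomputed-table shortcuts, and the iteration count is what makes each guess against a stolen table expensive; the `verify` function reads both back from the stored record, which is the usual way to let a site raise its parameters over time.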
@mkennedy I'm using both Bitwarden and, for the super critical stuff like email or Bitwarden itself, hardware tokens (i.e. YubiKeys).
@mkennedy Does my YubiKey count as a „3rd party pw-manager“?