Passkeys

Tringa

Numpty of the Day'
Messages
6,170
Name
Dave
Edit My Images
Yes
I've heard quite a bit about how passkeys are going to provide better online security than using passwords to access various things online.

If I have understood correctly a passkey is in two parts. One part is on the server you are trying to access the other is on your device. Together they appear to provide access to secure servers without you having to input a password.

I've seen Q&A about passkeys and one question is, "what happens if my device is stolen." All the answers I have seen are in terms of how you will still be able to access the services you want by syncing you passkey to other devices, but I haven't see anything about what the person who stole your device can do.

If, when a device is passkey enabled, no password is needed to access servers won't a thief have free range to access you bank and credit card accounts and other places where normally a password would be needed.

What have I missed?

Dave
 
Passkeys rely on your personal device's security.

If your device uses a hard to crack login, such as facial recognition, then the system is, at the moment, more secure than passwords. However, if you use a password to access your device and the thief can crack that, you may well be in trouble because, once the thief has control of your device, they are more than likely to have access to anything protected by a passkey held on that device.

Like most security protocols, passkeys rely on you keeping bad guys out of your pocket.
 
My old phone's facial recognition was a joke. It sometimes failed to recognise me at all but would sometimes recognise me when I was wearing sunglasses.
 
It reduces the attack vectors to the device the passkeys are on only. You’re quite right if your device is stolen theres a risk an attacker can access the data

This is no worse than the current password security

However passkeys reduce many other attack paths simply and improve overall security

You should continue to have 2fa, password manager and a different password/passkey for every service you use

I have no banking apps on my phone and email anything sensitive is face id protected even after my lock screen incase its swiped in the very popular phone thefts plaguing London and every where else
 
Last edited:
It is weakening security for people like me. The banks say that the majority of people do not manage passwords properly so banks are trying to introduce an easier system for the lazy. It also uses Biometrics which is OK for a phone but my PC does not have a camera, microphone or touch screen.

Recently, after a standard software update on my Apple phone, they demanded that I prove I am over 18 before having access to some features and cut off almost all access after 2200 (e.g. emails, Google etc.). The only way they claimed I could prove I am 18 is to scan in my credit card which, of course I refused. They then suggested I scanned my Passport which I also refused. This is also seriously weakening security.

Dave
 
Thanks all. It seems even with passkeys you need good security to prevent a thief accessing eg. your phone, because if they did then the passkey would allow them access to everything.

Dave
 
Thanks all. It seems even with passkeys you need good security to prevent a thief accessing eg. your phone, because if they did then the passkey would allow them access to everything.

Dave
But there is no financial data in my phone and I never access Social media. The passkeys are a simple number whereas my passwords are randomly generated and long but remembered and managed by KeePass. I will not have to prove I am 18 for the future "child protection" mentioned above as this applies to Social Media.

Dave
 
Modern iPhones include:

  • Stolen Device Protection which, when activated, helps prevent unauthorised access, requiring biometric authentication (Face ID) or a passcode for critical changes to the device.
  • Automatic lock screen after 30 seconds, which minimises the chance of unauthorised access.
  • Face ID and strong, unique passcodes to further enhance security. iPhones do give the option of either a 4 digit or 6 digit PIN so it would be highly recommended to choose a unique 6 digit PIN to make it more difficult to guess.
  • Add Face ID protection onto specific apps to prevent unauthorised access to any specific application, such as authenticators, MFA tools or social media applications that may contain sensitive information.
  • Airplane Mode can be restricted to require Face ID, preventing thieves from quickly cutting off tracking.
  • The ability to disable the Control Centre on the lock screen to prevent thieves from quickly enabling Airplane Mode, which would block tracking efforts.
  • Find My iPhone which, when turned on, allows you to locate your device remotely if it is ever stolen.
  • Live tracking for specific contacts in messaging. Enabling this feature for a trusted friend or family member in your contacts can be an additional measure to track where your device in the event of it being stolen.
  • Lost Mode, which can be enabled through ‘Find My’. This feature locks the device, displays a message with a contact number, and tracks its location.
  • Account Recovery Contacts can be set up under your Apple ID settings ensuring a backup option for regaining access if needed.
If retrieval is unlikely, remotely erasing your iPhone can be a crucial step in protecting your data. A precautionary measure to take prior to a phone theft is regularly backing up your iCloud to ensure you will have full access to of your data on a new phone in the event of a phone theft and the need to remotely erase all data from the stolen device.
 
I'm always suspicious of things that the big tech companies are pushing heavily for "free". Apart from issues around having your device stolen, it locks you in to the platform providing the passkey service.
 
Back
Top