My passkeys are stored in KeePass, which I share between multiple devices: phone, home servers, desktop PC and a flash drive that stays in my car.
Obviously the flash drive needs to be manually updated, but the other devices use Syncthing to keep everything up to date.
I get that there are some people who have concerns over such a configuration, but I’m happy bopping away knowing that if my phone dies, I’ve still got access to accounts / can easily be back up and running on a fresh device.
Those are awfully dangerous on their own these days.
As soon as a poorly salted hash leaks, or, gasp, a hash with no salt, it’s super easy to reverse those passwords now.
2FA severely reduces the danger of rainbow tables and keyloggers. The only real worry with 2FA is login replacement and interception, and passkeys solve that, albeit at the cost of complexity.
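To illustrate the point made above about unsalted hashes, here is an added example (not from any commenter in this thread) that builds a precomputed lookup table over a constructed list of weak passwords, shows it instantly matching an unsalted SHA-256 leak, and then shows why a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256, the scheme assumed here) defeats that table. All passwords and hashes are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample: a short list of weak passwords a precomputed table would cover.
COMMON_PASSWORDS = ["password", "letmein", "hunter2", "qwerty"]


def unsalted_hash(password: str) -> str:
    # The weak storage scheme: one fixed digest per password, no salt, fast hash.
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    # Hardened scheme: per-user random salt and a deliberately slow KDF.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + dk.hex()


def build_lookup_table(candidates):
    # Precomputed digest -> plaintext table; built once, reusable against any unsalted leak.
    return {unsalted_hash(p): p for p in candidates}


def recover_from_leak(leaked_hashes, table):
    # Constant-time-per-entry dictionary lookup: the "reverse" is a table hit, not cracking.
    return {h: table[h] for h in leaked_hashes if h in table}


def verify_salted(password: str, stored: str) -> bool:
    # Recompute with the stored salt and compare in constant time.
    salt_hex, _ = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    # Constructed "leak": one weak password and one the table does not cover.
    leak = [unsalted_hash("hunter2"), unsalted_hash("correct horse")]
    hits = recover_from_leak(leak, table)
    # The same password stored twice with fresh salts yields different digests,
    # so a table keyed on unsalted digests finds nothing.
    s1 = salted_hash("hunter2", os.urandom(16))
    s2 = salted_hash("hunter2", os.urandom(16))
    return hits, s1 != s2, verify_salted("hunter2", s1)
```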
Baby steps: start with getting them secure, then when most are ready start dropping the password.
Iron out the kinks, give all apps a chance to implement.
If you only ever log in with a passkey and it asks you for 2FA, you can scrutinize the page more.
You can tell just from the responses on this post that people aren’t all ready for passkeys yet, but you can’t wait for them to decide they’re ready before you start.
What happens to the account access if the passkey-registered device dies?
What happens when that file gets breached?
Same thing as any file full of credentials.
You can have more than one passkey.
You can still use password + 2FA.
You can use Google OAuth.
You can use a YubiKey.
You should probably have a primary and secondary auth for every site.
So, losing a passkey isn’t a lost account?
Almost every company has some way to work around the 2FA loss.
I didn’t know about the ability to use more than one passkey per platform. Something I’ll have to investigate further.
Everybody does it differently. GitHub in particular allows multiple.
If you are doing development or admin work, I would greatly advise you to pick up a YubiKey.
My basic setup for any app/site that will allow it is two Yubis and one passkey.
One yubi in the safe with next of kin instructions, one on my key ring.
Then any site that supports passkey, I’ll also have one of those there too.
Or just a password that is known to you and only you.
What’s the point of a passkey if you can still use a password?