Big Tech passkey implementations are a trap | Proton
proton.me
- Big Tech has implemented passkeys in a way that locks users into their platforms rather than providing universal security
- Passkeys were developed to replace passwords for better account security, but their rollout by Apple and Google has limited their potential
- Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.
You are viewing a single comment
Yeah I've avoided passkeys. Anything that Google is pushing to me is always in their interests.
That is not the takeaway here.
The takeaway is Passkeys are great technology but as implemented by Google, Microsoft, and Apple fall short of what they could be.
Are we talking in circles here? "I avoid passkeys because of Google" "Passkeys implemented by Google have problems"
The way out of the circle that you’ve put yourself in is realizing Google isn’t the only company implementing passkeys.
And that most people are in multiple ecosystems...e.g. Android/iOS + Windows. So they can't use a solution that's not interoperable.
Fortunately there are several interoperable solutions now. There weren’t as recently as last year though.
No. "I avoid passkeys because of Google" is avoiding an entire technology because of a bad implementation. "Passkeys implemented by Google have problems" is only avoiding passkeys implemented by Google, leaving using passkeys still on the table.
People not getting phished is in their interests. That doesn't mean it's not in yours.
People getting their accounts compromised leads to spam email, spam comments, fake crypto livestreams, etc that impact others. Google definitely has an interest in preventing people from getting their accounts compromised and not just for the benefit of the individuals with the accounts but their platforms as a whole.
A lot of my hesitation is that not only are passkeys being pushed by the big vendors AND they seem to have a less than portable implementation BUT ALSO they don’t seem to give enough details. Everything is dumbed down for the less technical until it means nothing
I like that this thread already has more actual information than all the outreach of the big vendors over months
The spec behind it is solid, it creates per-domain cryptographic keyspairs which allows your device to prove you're you in a standardized and secure way while avoiding adding a new way to track you across sites, and by using the device's TPM chip to hold the key it's also resistant to most types of manipulation.
Google pushed email accounts to you, do you not have an email address either?
Email was already ubiquitous and generally standardized by the time Gmail released in 2004.
Asymmetric cryptography has been ubiquitous and generally standardized by the time Google began letting you store Passkeys, so what’s your point?
Is Google supporting a particular service or system a dealbreaker for you or not? Because Google has far more fingers in the public operation of email than it does passkeys. So if you’re still ok with having an email account, then you should be just as ok with using passkeys.
I’m not locked into Gmail: I know it implements standards and I choose it as long as it is most convenient.
A lot of what comes into my gmail account is actually addressed to various aliases from various providers, and I can point those aliases anywhere
In particular, all my recent online accounts use unique generated email addresses that I can disable at will, and that forward to my actual email
Well that’s great news, then you’ll like passkeys because you can use them without being locked into anything.