 PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all. Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey. #passkeys #fido2 #webauthn #yubikey #2fa #otp #authentication #cryptography #security #passwords #passkey #password #securityKey #google 11 comments
Where do you keep your two-factor auth backup codes?  @adr I use a USB stick, but I print a paper copy too as a backup in case the flash memory burns out. @schizanon I struggled with this a lot. I wanted to be able to recover my digital life if itโs just me, standing alone, with none of my worldly possessions (house fire, luggage stolen, whatever). Ultimately that means cloud. No way around it. I minimized my risk by using a file-based password manager, and a separately also encrypted e2e sync service. Only I know the password to the file, but a close friend can help me get back into the sync service. (1/2) The main risk vector would be a malicious payload to the password manager or other software on my computer. (2/2) @schizanon There are a couple of exceptions - usually opt-in (like Google's Advanced Protection Program - they make you register a minimum of two security keys, and require active Google intervention to recover if you lock yourself out.) @schizanon I use zero knowledge access. I just make passwords impossible to remember, then reset them with my email every time. Only my email needs to be secure. This is a good plan, right? Right??   @schizanon |
Gregory's Server
The funniest part is that no matter how many security factors we use to replace passwords (two factor auth, passkeys, security keys, etc) there's always a backup that's just another password.
#twoFactorAuth #2fa #password #auth #authentication #security #passkeys #webauthn #fido2 #passkey #passwords