
Passkeys were supposed to be secure and easy. Here is why they fail.

2024/12/31 21:47:18
The claim was that passkeys are safer and more convenient than passwords. A recent article, however, shows that passkeys have four problems. Passwords themselves have many security problems: a website may claim to encrypt them yet may still be able to read them; inexperienced users reuse passwords, so data breaches become a serious problem; and passwords are vulnerable to phishing attacks. Passkeys solve all of these. In the real world, though, the login experience can be inconsistent across browsers and devices, and in particular a passkey can be tied to a specific browser. As a result, users may not be able to use their passkeys easily.

I have long claimed that passwords are the worst, and I have actively adopted Passkeys as a better approach.

Passkeys were expected to be the Holy Grail: an ideal approach that is both safer and more convenient than passwords for anyone to adopt. However, a new article reveals four issues with Passkeys.

Passkeys are safer than passwords.

Passwords have many security problems.

  • Websites may claim that passwords are stored encrypted, but they may well be able to read them anyway.
  • Inexperienced users tend to reuse passwords, so a breach at one site leaks credentials that work at many others.
  • Passwords are vulnerable to phishing attacks.

Passkeys solve all of these. Instead of asking for a username and password at login, the site prompts us to use a passkey. The website or app asks our device to authenticate us locally with Face ID or Touch ID. Our device then tells the website who we are and confirms our identity, and we are logged in.

The web server trusts you much as a payment terminal trusts an Apple Pay transaction from an iPhone or Apple Watch: it knows you have already authenticated locally with biometrics.

In theory, passkeys are simpler than passwords.

When creating an account, there is an option to use a passkey, and all that is needed is to agree. The device authenticates us and the service creates our account. The next time we log in, we simply authenticate with face recognition or a fingerprint.

However, there are four major issues.

"If you use Apple devices only and always use Safari as your web browser, passkeys get close to that simplicity. With iCloud synchronization, an account created on the first Apple device is accessible from all other devices."

As Ars Technica points out, real-world situations often differ from the promise, starting with inconsistent user experiences.

Logging into PayPal with a passkey on Windows is a different experience from logging into the same site in Edge on iOS or Android. And if you try to log into PayPal with a passkey in Firefox, give up: the payment site does not support that browser on any OS.

"Worse yet, passkeys are associated with specific browsers."

Another example is creating a passkey for LinkedIn in Firefox. I use a wide range of browsers across platforms and chose to synchronize my passkey with the 1Password password manager. In theory, this choice should let me use this passkey automatically wherever I can access my 1Password account. However, it is not as simple as that. In the LinkedIn settings, the passkey shows as created in Firefox on Mac OS X 10, even though in reality it works on all the browsers and operating systems I use.

Companies like Google and Apple may push their own passkey management systems even when users prefer another one, and they do so again and again, even when you already have a passkey set up.

I just want to open LinkedIn with the passkey that 1Password synchronizes across all my devices. However, the party behind this message (here, Google) hijacks the process to convince us to use its own platform.

Also consider the experience at WebAuthn.io, a site that demonstrates how the standard behaves in different scenarios. When a user on macOS tries to log in with a physical security key, the site instead recommends a passkey and shows a dialog for synchronization via iCloud.

In conclusion, while passkeys aim to close the security holes that passwords create, almost every service still forces you to keep a password login as well.

Of the hundreds of sites that support passkeys, none lets users abandon passwords entirely. Passwords are still required […] Threat actors exploit this flaw for hacking and social-engineering attacks. And we are back where we started.

The full text is worth reading.

Photo: TheRegisti, Unsplash