Just curious, nostr:npub1wmr34t36fy03m8hvgl96zl3znndyzyaqhwmwdtshwmtkg03fetaqhjg240, how is a PIN more secure than a password?
Google has made passkeys the default sign-in option for all users, as part of efforts to move towards passwordless authentication. Passkeys enable users to sign into apps and websites using biometric sensors, such as fingerprint or facial recognition, PIN, or pattern. They are phishing resistant, more secure than passwords, and remove the need for multi-factor authentication. The shift towards passkeys is part of a wider industry trend to reduce reliance on passwords. #CyberMonth #Passkeys #PasswordlessAuthentication #BiometricAuthentication
https://www.infosecurity-magazine.com/news/google-passkeys-default-sign-in/
Discussion
A PIN to unlock a key is better than people reusing the same password everywhere.
Just reusing the same key instead?
Replacing one single point with another really.
I don't think this is the case. Because as far as I understand every site MUST have a different key. It is a bit like U2F and FIDO2. Every site has a different pair of keys.
But the private keys are held in the same piece of hardware not unlike a Yubikey right?
So much like a physical key, if you can grab the device, you have the universal password.
PINs provide some protection in this scenario but only if they're secure. Someone using an insecure password is likely to put their birthday, or something else equally easy to guess, as their PIN.
Biometrics fixes the above but creates a whole new rabbit hole of privacy violation for obvious reasons.
The attack vector is almost always a password that's too simple, or reused. Passkeys are pub/priv based and not reused. It's a challenge and response auth versus basic auth. The PIN makes it something you have and something you know so adds another layer of security.
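Added example, not from any post in this thread and not Google's or the FIDO Alliance's code: a small Go model of what the two replies above describe, one key pair per site, challenge-response instead of a shared secret, and a PIN gating the device. It uses ed25519 from the Go standard library; the site names, username, PIN value and the retry limit constant are made up for the demonstration (the limit is modelled on the retry counter real FIDO2 authenticators keep, but the number here is an assumption). The phishing case in the thread ("grab the device" aside) is the lookalike origin: the authenticator holds no key for it, and a signature made for one site does not verify at another.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical limit, modelled on the PIN retry counter FIDO2 authenticators keep.
const maxPINRetries = 8

// Authenticator stands in for the device (phone, security key) holding the
// private keys: one key pair per relying party, every use gated by the PIN.
type Authenticator struct {
	pin     string
	retries int
	keys    map[string]ed25519.PrivateKey // relying-party ID -> private key
}

func NewAuthenticator(pin string) *Authenticator {
	return &Authenticator{pin: pin, retries: maxPINRetries, keys: map[string]ed25519.PrivateKey{}}
}

// checkPIN is the "something you know" factor. Wrong guesses burn the retry
// counter, so a stolen device with a short PIN cannot simply be brute-forced.
func (a *Authenticator) checkPIN(pin string) error {
	if a.retries == 0 {
		return errors.New("authenticator locked: PIN retries exhausted")
	}
	if pin != a.pin {
		a.retries--
		return fmt.Errorf("wrong PIN, %d retries left", a.retries)
	}
	a.retries = maxPINRetries
	return nil
}

// Register makes a fresh key pair for rpID and returns only the public half,
// which the site stores as the user's credential. Nothing secret leaves the device.
func (a *Authenticator) Register(pin, rpID string) (ed25519.PublicKey, error) {
	if err := a.checkPIN(pin); err != nil {
		return nil, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}

// Assert answers a login challenge. rpID is what the browser reports for the
// page that is asking, not something the page picks: a lookalike domain maps
// to no key at all, and the signature is bound to the rpID it was made for.
func (a *Authenticator) Assert(pin, rpID string, challenge []byte) ([]byte, error) {
	if err := a.checkPIN(pin); err != nil {
		return nil, err
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	return ed25519.Sign(priv, signedData(rpID, challenge)), nil
}

// signedData ties one signature to one site and one challenge (WebAuthn does
// the same with the rpIdHash inside authenticatorData).
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// RelyingParty is the website: it only ever stores public keys.
type RelyingParty struct {
	ID    string
	creds map[string]ed25519.PublicKey // username -> public key
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]ed25519.PublicKey{}}
}

func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.creds[user] = pub }

// NewChallenge is a fresh random nonce, so a captured signature cannot be replayed.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.creds[user]
	return ok && ed25519.Verify(pub, signedData(rp.ID, challenge), sig)
}

func main() {
	auth := NewAuthenticator("1234") // constructed demo PIN
	bank, social := NewRelyingParty("bank.example"), NewRelyingParty("social.example")
	pubBank, _ := auth.Register("1234", bank.ID)
	bank.Enroll("alice", pubBank)
	pubSocial, _ := auth.Register("1234", social.ID)
	social.Enroll("alice", pubSocial)
	fmt.Println("same key at both sites?", pubBank.Equal(pubSocial))
	ch := bank.NewChallenge()
	sig, _ := auth.Assert("1234", bank.ID, ch)
	fmt.Println("login at bank.example:", bank.Verify("alice", ch, sig))
	_, err := auth.Assert("1234", "bank-example.phish", ch) // relayed by a lookalike origin
	fmt.Println("phishing page:", err)
}
```

What the model does not capture is the thread's "grab the device" case beyond the PIN counter: a real authenticator also keeps the private keys in hardware that will not export them, which is why the PIN plus lockout, and not the PIN alone, is what stands between a thief and the credentials.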
I hate Google too but passkeys are sound.
They're sound as 2FA but I think for replacing passwords it's just replacing one problem with another.
Explained further below: