
Login

Login to local servers

| Server | Login | Remark |
|--------|-------|--------|
| Cups | http://localhost:631 | |
| Webmin | https://192.168.1.100:10000/ | Or use localhost or 127.0.0.1 |

SQRL

A better login system compared to Passkeys
The SQRL home page
Advantages:

  • A third party server is not needed. This is better for privacy and security
  • Phishing proof

Passkeys

Passkeys are public key credentials synced via the iCloud, Microsoft, Google or other account of the user and protected by the Face ID, Touch ID, Windows Hello, device PIN or device gesture of the user

January 2025: the UK's National Cyber Security Centre on the status of passkeys

Wise passkey information page

Better alternative

Disadvantages

  • Needs a smartphone which costs money and has privacy issues
  • A third party online service, server, to register the public key can be used
    • That is a privacy issue. This service must be trusted. It can track where one logs in, when one logs in and the location via the IP-address and maybe more
  • Not phishing proof. The authentication responsibility is outsourced to a 3rd party provider
    • Rather than doing the work of upgrading their own servers to become a first-party passkeys provider, a company can outsource their authentication responsibility to a 3rd party provider like OwnID. But in doing so, by punting in this way, they've bypassed passkeys phishing protections. This gives their visitors the false belief that they're getting the hack-proof benefits of passkeys without actually having them. This could be transient. But OwnID will presumably be selling their “instant onboarding” services and most websites will simply want easy logon without really caring about their visitor’s security. Source
  • Bluetooth has to be turned on on a mobile device in order to initiate passkeys. On an Android device that means the GPS is also turned on. So the application can harvest the location of the owner and send it home
  • If a password manager is used and breached, the hackers can gain access to every account that was secured with the passkeys in the password manager. This is less secure than a username, good password and 2FA on another device
  • Saving passkeys other than in a password manager is not possible. They can not be printed or written down
  • The passkey functionality built into the operating system, like Windows 11, can conflict with the passkey functionality built into the web browser
  • There is always the alternative option to still log in with a username and password. So why are passkeys needed?
  • Passkeys are not transportable to another device
  • The device lock mechanism needs to be active via biometric, PIN or other login credentials. If one uses a device without any of these, passkeys cannot work
  • From: Unixsheikh with title: “Are passkeys really the beginning of the end of passwords? I certainly hope not.”:
    • My password is mine. I control my password. I own my password. I am not dependent upon some third party closed proprietary operating system or device to handle my security.
    • The Passkey concept pushes data ownership one step closer to the Big Tech industry.
    • Biometric-based authentication factors are favoured.
  • There is the risk of “vendor lock-in”: becoming dependent on a specific service provider or technology. For example, using passkeys built into a particular operating system or device. Like with Google and Apple
  • William Brown, author of a high quality WebAuthn library for Rust web servers: Passkeys are now seen as a way to capture users and audiences into a platform. What better way to encourage long term entrapment of users than by locking all their credentials into your platform, and even better, credentials that cannot be extracted or exported in any capacity
  • Passkeys uniquely identify a person. GAFAM2) and others will benefit because the profiling will be precise

E-mail address

Since many if not all websites offer a password reset by e-mail, the e-mail provider, say Google or Microsoft, or a hosting provider where someone hosts their e-mail account, has full access to all websites where that e-mail address is part of the login credentials (usually e-mail address and password).

So without OTP or some other 2FA method, you can never be sure what happens to your account.

On the other hand, to log in, the password has to be reset. So if you can't log in, the above might be a cause. In that case, request a log of the IP addresses from which logins were made, so you can be sure it wasn't you yourself.

The fact that the password has to be reset, and that you notice this the moment you want to log in, makes it not as insecure as it seems at first glance: it gets noticed, and if it happens more often the suspected party will come to light. It does put a sizeable responsibility on the hosting companies. If they leak, then the account is probably compromised.

The e-mail account is a single point of failure
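
Once a site hands over its login log, the check described above (which password resets and logins did not come from your own addresses) can be done mechanically. This is an added example, not part of the original wiki page; the log format, field names, user name and IP addresses are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log; the line format and field names are assumptions.
SAMPLE_LOG = """\
2025-01-10T08:01:12Z login_ok user=alice ip=203.0.113.7
2025-01-12T19:44:03Z password_reset user=alice ip=203.0.113.7
2025-01-12T19:45:10Z login_ok user=alice ip=203.0.113.7
2025-01-14T02:13:55Z password_reset user=alice ip=198.51.100.23
2025-01-14T02:14:20Z login_ok user=alice ip=198.51.100.23
2025-01-14T09:30:00Z login_failed user=alice ip=203.0.113.7
malformed line without fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>password_reset|login_ok|login_failed)"
    r"\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)$"
)

def parse(log_text):
    """Yield (timestamp, event, user, ip) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["event"], m["user"], m["ip"]

def foreign_resets(log_text, user, own_ips, window=timedelta(minutes=30)):
    """Return password resets from addresses the owner does not recognise,
    with the logins that followed and the owner's later failed attempts."""
    events = sorted(e for e in parse(log_text) if e[2] == user)
    findings = []
    for ts, event, _, ip in events:
        if event != "password_reset" or ip in own_ips:
            continue  # not a reset, or a reset the owner did themselves
        later = [e for e in events if e[0] >= ts]
        findings.append({
            "reset_at": ts,
            "reset_ip": ip,
            "logins": [(t, i) for t, ev, _, i in later
                       if ev == "login_ok" and t <= ts + window],
            "owner_failed": [t for t, ev, _, i in later
                             if ev == "login_failed" and i in own_ips],
        })
    return findings
```

A non-empty `owner_failed` list is the symptom the text describes: the owner can no longer log in because someone else reset the password.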


Copyright © : 2014 - 2026 Webevaluation.nl and the authors
Changes reserved.

2)
Google, Apple, Facebook, Amazon, Microsoft
login.txt · Last modified: by wim