Fed up with PassKeys aggression. Am I doing something wrong?

Is it just me, or are websites getting super-aggressive in trying to force the use of Passkeys?

I don’t want to use it yet, fine, that should be my choice.

But it seems lately that many more websites, including Amazon, PayPal, and others I regularly need to use, keep throwing up pop-up cards almost demanding that I switch my login to Passkeys and they are very hard to dismiss.

So far, my Google-fu has said there is no system-wide setting in macOS or iOS, or app setting in Safari, to disable these unwelcome Passkey solicitations?

It is so irritating, I’m soured on the whole Passkey thing, including Apple’s approach.

5 Likes

I use them where they are available so I don’t get many, but expect them to become more aggressive as companies try to push you into them. There is so much fraud on e-commerce sites, let alone the PayPal types, that if this cuts that down they have reason to do so.

3 Likes

Expect more when version 26 of all the operating systems is out:

1 Like

It is, but I seriously doubt you can do anything to stop the “unwelcome Passkey solicitations”.

Before I retired we were required by the Payment Card Industry to change passwords at least every 90 days. Just about everyone, employees and managers alike, complained about this requirement. Most people don’t think about security until it’s too late.

I wouldn’t be surprised to see some sites start making passkeys mandatory in the not too distant future.

1 Like

I’ve read conflicting information from security professionals. Some say constant changing of passwords is less secure as users will write them down or try to game the algorithm to recycle previous passwords on alternating change periods.

5 Likes

YES!

God dammit Costco, stop interrupting my workflow with passkeys. I don’t want them, I don’t need them.

Google is equally as bad.

I’ve read the same thing. But if you take credit cards in the US, Visa, Mastercard, AMEX, etc. require you remain compliant with PCI.

If the surveys are correct that estimate only 36% of people use a password manager, that means just about everyone else is using passwords that they can remember. I supported users for many years and while I never watched them log in, I could tell that very few of them typed very many characters.

NIST changed their guidance five years ago, saying that password changes shouldn’t be required except in case of a breach.

NIST has updated their guidelines just this month to encourage length over complexity and further eliminate forced password changes.

I get that some organizations need to comply with PCI, but PCI is now requiring things that are in direct contravention of NIST’s best practices and I submit that PCI needs to get with the times.

11 Likes

Sheesh. I was hoping current PCI DSS would’ve caught up, but while they suggest you could require sufficient complexity to not have to rotate, so long as you expire when compromise is detected (this meets “not indefinitely”):

Passwords/passphrases for any application and system accounts are protected against misuse as follows:

• Passwords/passphrases are changed periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1) and upon suspicion or confirmation of compromise.

• Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords/passphrases.

they still say:

Best practices are to consider password changes at least once a year, a password/passphrase length of at least 15 characters, and complexity for the passwords/passphrase of alphanumeric characters, with upper- and lower-case letters, and special characters.

which is still weasel-worded to encourage requiring frequent changes “just to be safe”, “out of an abundance of caution”, etc. Basically, slowing down actual best practices…

And they cite NIST 800-63 which doesn’t back them up.

Is this the same PCI that dragged its feet on the implementation of tap & pay chip card payment processing at point of sale because retail stores would have to replace their card readers?

And worse, the same PCI that ultimately did not require the use of a user-entered PIN code to process tap & pay chip card payments, as required in the entire rest of the world because they thought it was “too inconvenient” for the consumer and would hurt retail purchases?

For those not playing along closely, by not requiring a PIN entry, the majority of the enhanced security of tap & pay is completely negated. Since in the US, someone can steal your physical credit card and be able to use it without needing to enter your PIN code.

Thank our lucky stars that at least banks demanded PIN codes must still be entered for any debit card tap & pay transactions.

1 Like

I suffered from this (the 90 days) at almost every company I have ever worked for, but that would no longer be an issue when they would finally adopt passkeys:

One of these keys is public, and is stored on the server. This public key is not a secret. The other key is private, and is what is needed to actually sign in. The server never learns what the private key is.

(A breach would only reveal public parts, not private ones)

Source: Apple

2 Likes

When NIST changed their guidance to no longer require password changes, the place I was working at followed suit, encouraging longer passphrases and telling employees “hey, we have this password manager that you all have access to, please use it.”

On the flip side, I’ve had to set up several accounts recently with financial institutions and insurance companies (one of the many joys of changing jobs) where the password rules scream “we aren’t handling passwords properly” to me. Things like:

  • Don’t use these special characters
  • You have to use at least one special character, but it can only be from this approved list of three
  • Password must be 8-16 characters long and will be rejected if too long

2 Likes

Passwords are the biggest source of breaches of all kinds. Getting away from them protects you as well.

If you don’t want to use passkeys, I think physical FIDO2 security keys are best, but you need at least two, so you have a backup in case you break one.

1 Like

I use Passkeys when there is no friction in obtaining them. Certainly, there are quirks that need to be worked out. Passkeys work best for me with my Google accounts. The Passkey pops up, I click on it, and I’m logged in. Amazon keeps trying to add a new Passkey even though I just logged in with one. Many sites require a second factor, even with Passkeys, so there is no help with convenience. Note that Passkeys don’t increase security as long as you still have access to a site with a username and password. I understand that Microsoft is planning to make elimination of usernames and passwords optional.

Wouldn’t you still benefit from the phishing protection, if you always use the passkey instead of that username and password?

This one just boggles my mind, frankly. I see it all the time, but…are they not just using an MD5 hash or something similar? If so, the password could be the entire contents of “War And Peace” and, apart from the huge HTTP POST request, it would be all the same to their database.

In my experience, that probably applies to about 90% of users. Anybody that’s not using a password manager is either using one of three memorized passwords, or has them written down on a Post-It. Although to be fair, a well-formed password written on a Post-It on a desk is relatively resistant to online hackers. :)

Sorry, I had to fall back on Perplexity to evaluate your point: “If you always use your passkey and never use the password, your risk of being phished is dramatically reduced—but only as long as you never fall back to using the password, and as long as attackers cannot force a password-based login (e.g., by triggering a password reset).”

As you can see, the AI agrees with you. I believe I am correct in saying that a password manager, e.g. 1Password, offers similar protection as it will not fill in on a fake site. Of course, if the password manager doesn’t fill in, and you enter your credentials manually, that protection is lost.

Here is Perplexity’s summary:

  • Passkeys provide strong phishing protection and are more secure than passwords.
  • If passwords remain enabled, the account is still vulnerable to password-based attacks, even if you personally always use your passkey.
  • You do benefit from phishing protection when using passkeys, but the overall security is maximized only when passwords are fully phased out.
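As an added illustration, not code from this thread or from Apple, the two points made above (the server holds only the public key, and the phishing protection rests on the browser binding each sign-in to the origin it actually sees) can be sketched as a simplified passkey challenge-response in Go. The relying-party IDs, origins and challenge strings used in comments are constructed for the example, and the signed data layout is a simplification of WebAuthn, not the real wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// clientData: the challenge the server issued plus the origin the browser actually saw.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator maps relying-party ID -> private key; no private key ever leaves it.
type Authenticator map[string]ed25519.PrivateKey

// Register creates a credential for rpID and hands back only the public key,
// which is all the server stores (and all a breach of the server could expose).
func (a Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a[rpID] = priv
	return pub
}

// Assert signs sha256(rpID) || sha256(clientData) with the credential scoped to
// rpID. A look-alike domain (constructed: bank-login.example) has no credential here.
func (a Authenticator) Assert(rpID string, cd clientData) ([]byte, []byte, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, nil, errors.New("no credential for " + rpID)
	}
	cdJSON, _ := json.Marshal(cd)
	return cdJSON, ed25519.Sign(priv, signedBytes(rpID, cdJSON)), nil
}

func signedBytes(rpID string, cdJSON []byte) []byte {
	rp, cd := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	return append(rp[:], cd[:]...)
}

// Verify is the server side: it knows only the public key, the challenge it issued and the
// expected origin, so an assertion relayed from another origin or a replayed challenge fails.
func Verify(pub ed25519.PublicKey, rpID, origin, challenge string, cdJSON, sig []byte) bool {
	var cd clientData
	return json.Unmarshal(cdJSON, &cd) == nil && cd.Challenge == challenge &&
		cd.Origin == origin && ed25519.Verify(pub, signedBytes(rpID, cdJSON), sig)
}
```

A password manager's refusal to autofill on an unfamiliar domain is the analogue of the missing credential in Assert; the difference is that with a passkey there is no secret the user could type in by hand once the autofill fails.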

I’m with you. I switch devices in and out so often, I just don’t want to deal with Passkeys in the early days. 1Password accomplishes everything I need for login security.

Really frustrating is the number of less-technical family members who have been opted-in to passkeys without even being aware. It’s created some login frustrations that took a while to diagnose.

This is what bothers me the most. They just force you through the passkey flow unless you know what’s happening and actively derail it, without any education that your login is now tied to your device. It’s setting people up for failure.

Passkeys are vastly more secure, both individually and collectively. There has to be a certain amount of pressure on people to use them or people won’t adopt.

There will be more than a few people who either get bugged more than they wish by nag screens, or who accidentally start using them without understanding why and fall foul. But that’s a small price to pay for the upsides they bring.

If we reach a point where phishing, MITM, brute forcing etc all stop being worth the effort for attackers, even late adopters benefit.

1 Like