Google warns “passwords are not only painful to maintain, but are also more prone to phishing and often leaked through data breaches.” And that’s the real issue. “It’s important to use tools that automatically secure your account and protect you from scams,” Google tells users, and that means upgrading account security now.

Google says “we want to move beyond passwords altogether, while keeping sign-ins as easy as possible.” That includes social sign ins, but mainly it means passkeys. “Passkeys are phishing-resistant and can log you in simply with the method you use to unlock your device (like your fingerprint or face ID) — no password required.”

This is just one of their excuses, to keep their users inside google’s walled-garden

    • Kyrgizion@lemmy.world
      link
      fedilink
      arrow-up
      15
      arrow-down
      2
      ·
      1 day ago

      They also push google oauth. If you’re logging in to over a dozen sites with your google account, it becomes that much harder or at least more annoying to curate all of those. They’re banking on people choosing convenience over security - and they’ll be right.

      • tyler@programming.dev
        link
        fedilink
        arrow-up
        3
        ·
        1 day ago

        With passkeys you no longer need to use oauth at all since creating and using passkeys can be done more easily than creating a new password or using oauth. If you’re using Google services of course you’ll still log in with a Google account, but on example.com you can just create a new account with a passkey and never worry about oauth or passwords at all.

      • hypna@lemmy.world
        link
        fedilink
        arrow-up
        12
        ·
        1 day ago

        Making a new passkey when you switch services, is exactly like making a new password when you switch services.

      • tyler@programming.dev
        link
        fedilink
        arrow-up
        8
        arrow-down
        1
        ·
        1 day ago

        Where in the world are we talking about Google managing your passkeys. The article is about using passkeys for Gmail. You would manage your passkeys exactly like you would with any password, with a password manager like 1pass, bitwarden, etc. Google doesn’t manage or control any part of that.

        • B-TR3E@feddit.org
          link
          fedilink
          arrow-up
          1
          arrow-down
          1
          ·
          1 day ago

          Simple solution. Don’t use Gmail at all. Unless you’re really keen on someone else reading your mail, of course.

    • Auster@thebrainbin.org
      link
      fedilink
      arrow-up
      3
      ·
      1 day ago

      In lack of further context, and thus conjecturing, maybe as a leash/ransom? “If you walk out of our (Google’s) line, we will kill potentially decades of your history”.

      • tyler@programming.dev
        link
        fedilink
        arrow-up
        7
        arrow-down
        1
        ·
        1 day ago

        I think OP and several others in this thread just don’t understand what passkeys are replacing, which is passwords. Google doesn’t manage any part of that.

    • adarza@lemmy.ca
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      3
      ·
      edit-2
      1 day ago

      more like the garden of weeds is spreading out of control. they want passkeys and oauth so they can become the third-party gatekeeper for everything.

      the want them tied to bio because your fingertip or face are harder to share with others, harder to fake, easier to track multiple accounts with, and are tied to real people and identities that can be linked with other data their databases all to make their data and targeted adverts more profitable.

      • tyler@programming.dev
        link
        fedilink
        arrow-up
        5
        arrow-down
        1
        ·
        1 day ago

        Passkeys have nothing to do with Google. They’re a standard compliant control mechanism designed to replace passwords. https://fidoalliance.org/passkeys/

        Google doesn’t do anything with them besides store them exactly like they would your password. You authenticate using your device, which Google knows nothing about. The biometrics do not leave your device. https://www.passkeycentral.org/introduction-to-passkeys/passkey-security

        Passkeys do not have to be biometric. You can use 1Password for example and not ever use fingerprints or anything biometric and still use passkeys to log in to services. It’s literally just a different better authentication method than passwords. You can still share passkeys through a password manager.

        Literally everything you said is scaremongering and making it easier for scammers to take advantage of people. You should be switching to passkeys immediately.

  • Jo Miran@lemmy.ml
    link
    fedilink
    arrow-up
    20
    ·
    1 day ago

    I use passkeys stored iny password manager, and each is locked behind a very long and random password. No biometrics involved.

  • Phen@lemmy.eco.br
    link
    fedilink
    arrow-up
    20
    arrow-down
    1
    ·
    1 day ago

    It’s bad but at least it’s something actually secure, unlike PayPal that dropped passwords in favor of a TOTP sent by SMS.

    • LWD@lemm.ee
      link
      fedilink
      arrow-up
      1
      ·
      11 hours ago

      I love how companies like PayPal claim to need your phone number “for your security,” and then you find out they do insecure things like this

    • CosmicTurtle0@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      10
      ·
      1 day ago

      But passkeys are NOT MFA. They essentially replace “what you know” with “what you have”. Adding a second passkey like a yubikey only furthers the single factor. Also courts have ruled that you can be compelled to provide biometric data to unlock your accounts.

      I suspect Google is moving to replace passwords not out of the kindness of their hearts but to allow the government to get into your account.

      My preferred MFA combination is yubikey (or similar physical key) + Password/PIN.

  • walden@sub.wetshaving.social
    cake
    link
    fedilink
    arrow-up
    6
    ·
    1 day ago

    I tried enabling a passkey on one of my Google accounts but couldn’t wrap my brain around it. It felt like if I lost my phone I’d be screwed.

    • Colloidal@programming.dev
      link
      fedilink
      arrow-up
      6
      ·
      1 day ago

      Use a password manager and you’ll only have to set it once. And prevents you from getting screwed by lost devices.

    • CosmicTurtle0@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 day ago

      Think of a passkey as a specific “device” getting access to a service.

      Device is in quotes here since it’s really tied to the browser and your session on that browser so if you use multiple accounts or you use incognito mode, you will create a new passkey with each session.

      You set up a passkey on each “device” you are using Google and then manage those keys through Google’s account security web site, deleting keys as needed.

      I’m personally not a fan of passkeys as a replacement for passwords. They provide a second factor but should not be relied upon as the only factor for authentication.

  • Phoenixz@lemmy.ca
    cake
    link
    fedilink
    arrow-up
    4
    arrow-down
    1
    ·
    1 day ago

    Yes, passkeys are more secure but if and when Google is involved, then hell to the fuck no. I’m already moving away from Google anyway, Gmail amongst a few others, are still left.

    • AE5NE@lemmy.radio
      link
      fedilink
      arrow-up
      3
      ·
      edit-2
      3 hours ago

      passkeys are way for a token unlocked by your device’s biometric sensor to validate a request. biometric information is not sent to Google.

      The standard is implemented by multiple vendors, Just like HTTP Basic Auth is. It is not Google specific

      • tyler@programming.dev
        link
        fedilink
        arrow-up
        1
        ·
        21 hours ago

        You don’t have to use biometrics either. You can just use a password manager that manages the passkeys and only login to the pw manager with a pw.