Attackers were able to compromise 23andMe over five months beginning April 2023, enabling access to 5.5 million DNA Relatives profiles and details from 1.4 million users of the Family Tree feature, said the company in a disclosure in October.
Most people will store in their ecosystem (Microsoft or Apple). Lose your device, recover via logging back into your service. That effectively means that logging in to your ecosystem is your “one password”. Of course you can shield that login with a passkey that sits in another instantiation of your account (laptop, home PC).
The nerds will use a platform-neutral password manager (last pass, 1Password) etc. That is likely to either be protected by a strong password AND a recovery key (to print on paper) OR a passkey stored in your platform ecosystem.
Personally I’m in 1Password, using a very long passphrase and a recovery key (two print outs, kept in two different locations).
If you ONLY use one device to enter your ecosystem you do have some risk if it is passkey secured. The end of the chain ought to be a highly secure password that you never reuse anywhere else (your “one” password). Best to go completely random and write it down on paper.
But the risk of never being able to access your ecosystem are really quite low.
It’s directly related. If it’s in Apple’s system… or M$'s systems… They get to control your passkeys (not you). Including arbitrarily locking you out for whatever reason they want. Including “oops our datacenter died”. Hell… case and point. I bought new pixel phones (GrapheneOS), Google store didn’t charge my card at all, a card that’s been associated with my account for at least 10 years now, they marked it as “Suspicious” and locked my entire google account. Talking to support… None of them can even see that my account is locked.
This is what “normal” people will get shoved into. This is not a win for any consumer. It’s a win for corporations. They get to see each request you make and use that metadata for themselves.
And if you lose your device, get fucked forever!
Passkeys are passwords but worse.
No.
Most people will store in their ecosystem (Microsoft or Apple). Lose your device, recover via logging back into your service. That effectively means that logging in to your ecosystem is your “one password”. Of course you can shield that login with a passkey that sits in another instantiation of your account (laptop, home PC).
The nerds will use a platform-neutral password manager (last pass, 1Password) etc. That is likely to either be protected by a strong password AND a recovery key (to print on paper) OR a passkey stored in your platform ecosystem.
Personally I’m in 1Password, using a very long passphrase and a recovery key (two print outs, kept in two different locations).
If you ONLY use one device to enter your ecosystem you do have some risk if it is passkey secured. The end of the chain ought to be a highly secure password that you never reuse anywhere else (your “one” password). Best to go completely random and write it down on paper.
But the risk of never being able to access your ecosystem are really quite low.
You’ll own nothing and be happy!
Yeah it’s not for me but that’s a different point to “will they be locked out of their passkey storage”.
It’s directly related. If it’s in Apple’s system… or M$'s systems… They get to control your passkeys (not you). Including arbitrarily locking you out for whatever reason they want. Including “oops our datacenter died”. Hell… case and point. I bought new pixel phones (GrapheneOS), Google store didn’t charge my card at all, a card that’s been associated with my account for at least 10 years now, they marked it as “Suspicious” and locked my entire google account. Talking to support… None of them can even see that my account is locked.
This is what “normal” people will get shoved into. This is not a win for any consumer. It’s a win for corporations. They get to see each request you make and use that metadata for themselves.
Nope. The private key can be backed up, stored in an online password vault, copied automatically to other devices, whatever.
There are good and simple answers to this issue.