Passkey advice (ncsc.gov.uk)
From https://www.ncsc.gov.uk/blog-post/passkeys-not-perfect-getting-better (highly condensed by me):
❝
What then are the remaining problems with passkeys?
🔸 Inconsistent support and experiences
🔸 Device loss scenarios
🔸 Migration issues
🔸 Account recovery processes
🔸 Platform differences
🔸 Implementation complexity
🔸 Inconsistent use
🔸 Uncertainty around multi-factor status
❞
🔹 I recently wrote about a number of Android and iOS/iPadOS vulnerabilities (including account lock-out risks) in https://infosec.exchange/@ErikvanStraten/113820358011090612 and a couple of follow-up toots.
🔹 People wanting to know the basics of passkeys can read a somewhat acceptable translation from Dutch to English of my writeup "Passkeys for laymen", which can be seen by opening https://www-security-nl.translate.goog/posting/798699/Passkeys+voor+leken?_x_tr_sl=nl&_x_tr_tl=en&_x_tr_hl=nl (which seems to work in Chrome). The original article, in Dutch, can be seen in https://www.security.nl/posting/798699/Passkeys+voor+leken.
🔹 A good source of (unbiased!) info is also Dan Goodin's article in https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/.
🔹 Finally: the problem with passwords starts with a 'p': it's PEOPLE. Use a password manager as I describe in https://infosec.exchange/@ErikvanStraten/113022180851761038 (with Android screenshot: https://infosec.exchange/@ErikvanStraten/113549056619471557).