Microsoft Won't Let Customers Opt Out of Passkey Push (theregister.com)

Microsoft has lauded the success of its efforts to convince customers to use passkeys instead of passwords, without actually quantifying that success. From a report: The software megalith credits passkey adoption to its enrolment user experience, or UX, which owes its unspecified uptake to unavoidable passkey solicitations -- sometimes referred to as "nudges."

"We're implementing logic that determines how often to show a nudge so as not to overwhelm users, but we don't let them permanently opt out of passkey invitations," explained Sangeeta Ranjit, group product manager, and Scott Bingham, principal product manager, in a blog post. The corporation's onboarding strategy seems to suit its corporate address: One Microsoft Way.

Ranjit and Bingham describe that strategy in a post titled "Convincing a billion users to love passkeys: UX design insights from Microsoft to boost adoption and security." But they don't disclose how many customers love passkeys enough to actually use them.

Comments:
  • Just Microsoft (Score:3, Informative)

    by oldgraybeard ( 2939809 ) on Thursday December 19, 2024 @01:18PM (#65025905)
    being Microsoft! Abandon the darkness, Passkey, Recall and there is more bad on the way.
    • Re: Just Microsoft (Score:5, Insightful)

      by Z00L00K ( 682162 ) on Thursday December 19, 2024 @01:43PM (#65026037) Homepage Journal

      Passkeys will be around until someone figures out a fatal and unrecoverable weakness with them.

      • Re: Just Microsoft (Score:5, Insightful)

        by 93 Escort Wagon ( 326346 ) on Thursday December 19, 2024 @01:53PM (#65026099)

        Passkeys will be around until someone figures out a fatal and unrecoverable weakness with them.

        Having Microsoft manage them without your involvement might qualify as exactly that...

        • by Z00L00K ( 682162 )

          "Evil LOL!"

        • Re: (Score:2, Insightful)

          by thegarbz ( 1787294 )

          Having Microsoft manage them without your involvement might qualify as exactly that...

          You try convincing people running a Microsoft OS of that. If you don't trust Microsoft's passkey implementation then you have no logical business having their OS on your machine.

      • Passkeys will be around until someone figures out a fatal and unrecoverable weakness with them.

        From TFA... not necessarily fatal or unrecoverable, but probably super annoying or problematic:

        Passkeys are not foolproof though. A compromised device might expose private keys, and a successful social engineering attack could dupe a user into creating a passkey for a malicious service.

        There are also potential problems if the user loses access to a device that stores passkeys – another means of authenticating to a passkey-linked service would be required, which might involve passwords or a more involved recovery process.

        Also, passkey portability between credential providers (across platforms or password manager applications) is still a work in progress.

        While it notes, "a compromised device might expose private keys" it fails to be clear that it might expose *all* your private keys. I'm not a fan of having all my eggs in one basket. Also, using biometrics to access your passkey means no, or less, legal protections from searches -- so use a long PIN, or password - oh, wait ...

      • Re: (Score:3, Informative)

        by Darinbob ( 1142669 )

        "Microsoft" is the fatal and unrecoverable weakness with them.

        I.e., replace a strong password with a system that is badly described, and log in with face, fingerprint, or PIN. Really, the 4 or 6 digit PIN is more secure? And you need the PIN because face and fingerprint aren't reliable and will change over time, and change with different devices. Even Apple requires using the PIN once a week or so instead of just fingerprint unlocking.

        It's Microsoft, we know that they screw up often, and screw up badly. We

        • While I agree with most of it, "if I'm in the restroom someone can sit in my seat and quickly get onto all those sites" is solely on you yourself. Remember to lock your session as you remember to not walk out of the restroom with your pants down. Not so hard to do that.
  • by J. L. Tympanum ( 39265 ) on Thursday December 19, 2024 @01:21PM (#65025921)

    It is one of those self-canceling oxymorons, like "jumbo shrimp" or "business ethics".

    • by Brain-Fu ( 1274756 ) on Thursday December 19, 2024 @02:50PM (#65026319) Homepage Journal

      Encouraging me to use a passkey is one thing. Pestering me about it forever, with no option to turn that pestering off, is quite another.

      I don't like being treated like that, which is why my home devices are all Mac or Linux. Microsoft's bullying chased me away from their products a while ago, though, so this is just more reinforcement for me.

      • ^^^^ Bingo

        Thankfully, I also don't have to deal with it, because all the machines I use- home and work, are Linux. I can decide how I use them.

        There are perfectly valid reasons to want a LOCAL login and a LOCAL username/password on a system. Not all systems are the same or have the same connections or use cases. Pestering all users to death is just yet another annoyance.

  • Genuine inquiry here for someone who knows more than I. Windows 11 didn't give me the option to NOT setup a Passkey, so I did. It seems... fine? Is there an underlying issue that I don't know about? We're talking about a Desktop that lives in my house and only I ever use, so I'm not exactly super concerned.
    • by brunes69 ( 86786 )

      There is nothing wrong with passkeys. Passkeys are way more secure than passwords and also way easier to use.

      • And yet again, this is stated as if one should just trust it. No evidence is given, no explanation is given, no documentation or ISO standard to look up. It's just "trust me, I'm an ekspert!"

        Except that for good reason, Microsoft cannot be trusted!

    • by abulafia ( 7826 ) on Thursday December 19, 2024 @01:30PM (#65025979)
      Depends on whether you are OK with someone else owning/managing your authentication to every other site out there.

      Try to get a passkey off an iPhone and into your desktop password manager without using a third party intermediary.

      Trying that exercise was when I decided I won't use them until/unless I can manage them just like passwords.

      • ehhh, bitwarden manages my pass keys on apple/windows devices ....
      • by nightflameauto ( 6607976 ) on Thursday December 19, 2024 @01:49PM (#65026079)

        Depends on whether you are OK with someone else owning/managing your authentication to every other site out there.

        Try to get a passkey off an iPhone and into your desktop password manager without using a third party intermediary.

        Trying that exercise was when I decided I won't use them until/unless I can manage them just like passwords.

        That seems to be the thing with almost all security in the modern age. Security is only security if it's handing the keys, sometimes literally, over to some behemoth for-profit company. You owning your security? No. You can't trust yourself. You can only trust the corporations. Only they have your best interests at heart.

        It's a sad world that trusts entities absolutely known, and proven time again, to have no interests but their own profits to "secure" us against threats. It's amazing we're still allowed outdoors without some corporate sign-off to allow it.

        • by Tora ( 65882 ) on Thursday December 19, 2024 @03:45PM (#65026499)

          This is so big, and nobody seems to care. "Something you know" on its own isn't good, but combined with "Something you have" it becomes many fold more powerful.

          CHANGING to passkey just means it is now ONLY something you have, and no longer is it MFA, and it's arguably worse than a strong password.

        • That seems to be the thing with almost all security in the modern age. Security is only security if it's handing the keys, sometimes literally, over to some behemoth for-profit company. You owning your security? No. You can't trust yourself.

          Of course you can. But for 99% of people out there they shouldn't. The average idiot can't be trusted not to write their password on a post-it and glue it to their screen. I used a friend's phone the other day and had it unlocked before they could tell me the unlock pattern. Obviously it's a C, N, Z or U like the 0000 of passwords. You think these kinds of people can manage passkeys?

          The big evil corporations just do the heavy lifting and package it into a system that can be used by an average idiot.

      • This. Really, passkeys are just a variation on SSH keys: public/private key pairs. I manage my SSH keys in an OSS password manager, easy peasy. Why are passkeys such a mess?
        • The article doesn't claim they are a mess. Bitwarden (and similar) manages passkeys and passwords just fine across devices and platforms
        • >"Why are passkeys such a mess?"

          Because Microsoft is trying to be the one forcing, controlling, and managing them. This isn't like an ssh passkey for an account you create and control on your own systems.

      • What are you talking about?

        A passkey is just public key authentication. You own the private key and only give a public key to the site as their secret to keep.

        It's the exact opposite of what you are talking about. You keep all the secrets, the other side has nothing of consequence. They could lose that information in a breach and it wouldn't matter.

        Unlike today where you are trusting others with your secrets.
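        Worked example of the public-key challenge-response the comment above describes, added here and not code from the thread or from any real passkey implementation. It uses Go's standard-library Ed25519 package; the relying-party ID "bank.example", the user name and the message format signed (ID plus challenge) are constructed simplifications of what WebAuthn actually signs, chosen to show why a stolen public key and a phished signature are both useless to the attacker.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// RelyingParty models the website: it stores only public keys, so a
// breach of Keys yields nothing that can produce a valid login.
type RelyingParty struct {
	ID   string                       // e.g. "bank.example" (constructed value)
	Keys map[string]ed25519.PublicKey // user name -> registered public key
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, Keys: map[string]ed25519.PublicKey{}}
}

// Authenticator models the user's device or password manager: the private
// key never leaves it, and each key is bound to the relying-party ID it was
// created for.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey // rpID -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// Register creates a fresh key pair for the site and hands over only the public half.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	a.keys[rp.ID] = priv
	rp.Keys[user] = pub
	return nil
}

// signedMessage binds the challenge to the relying-party ID; a signature
// produced for one site therefore cannot be replayed to another.
func signedMessage(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}

// Assert signs the challenge with the key registered for rpID. A look-alike
// site has a different ID, so there is no key for it and nothing is signed.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	return ed25519.Sign(priv, signedMessage(rpID, challenge)), nil
}

// NewChallenge returns a fresh random value per login attempt, which is what defeats replay.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the signature against the stored public key over the same bound message.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.Keys[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedMessage(rp.ID, challenge), sig)
}

func main() {
	rp, auth := NewRelyingParty("bank.example"), NewAuthenticator()
	_ = auth.Register(rp, "alice")
	c, _ := rp.NewChallenge()
	sig, _ := auth.Assert(rp.ID, c)
	fmt.Println("genuine login verifies:", rp.Verify("alice", c, sig))
	later, _ := rp.NewChallenge()
	fmt.Println("replayed signature verifies:", rp.Verify("alice", later, sig))
}
```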

      • by brunes69 ( 86786 )

        Passkeys are bound to the device issuing them. The idea of "moving them" makes no sense.

        That said, you should not have only one passkey in the first place, that is a HORRIBLE idea.

        IE - you shouldn't be trying to "get a passkey off an iPhone" in the first place because you should have a second one (either on your laptop, or your keychain, or elsewhere) somewhere else, which you can then use to enroll a third, fourth, or fifth passkey if you need to.

        • My locally run password manager program has hundreds of passwords accumulated over the decades (don't worry, its database is robustly backed up). That was inconvenient enough when I had to add each new account when it was created.

          Now, every time do a transaction with a new business I have to create and save at least two passkeys, then save them on different devices that can't get destroyed in the same natural disaster? Then when I upgrade to a new device, I have to go through *all* those accounts and create

    • The Windows 11 pin code does not equal a passkey since you can't remove it when you leave your computer temporarily.

      Add to it that if you set it up on a computer you use temporarily and someone figures out your pin key it's not safer than a password.

    • by MpVpRb ( 1423381 )

      They are not accepted at very many places. Many banks don't accept them. Out of all of the things I log into, only one accepts passkeys.
      AFAIK, they either can't be totally local or local storage is discouraged. Most want you to use a service like google.
      I have also read that they are either difficult or impossible to backup and restore.
      I have spent several hours searching, and have not found clear answers to my questions.
      Can they be used totally without a smartphone, for any reason, ever?
      Can they be managed

  • Passkeys (Score:4, Insightful)

    by systemd-anonymousd ( 6652324 ) on Thursday December 19, 2024 @01:24PM (#65025945)

    I didn't know much about passkeys, but now that I hear that MSFT is making it mandatory I know they're bad for me, probably dox me, likely steal all my data somehow or prove my identity to the government at all times, I should hate and fear them, and will resist adopting it forever.

    • I didn't know much about passkeys, but now that I hear that MSFT is making it mandatory I know they're bad for me

      That's funny. I looked at your username and knew you'd post nonsense without even reading your post. That's how bias and judgements work. They make us stupid. They make us stop learning and understanding a subject.

  • Passkeys are GREAT! (Score:5, Informative)

    by darkain ( 749283 ) on Thursday December 19, 2024 @01:27PM (#65025965) Homepage

    They're totally great!!!

    Except when I forget my Yubikey at home.
    Except when the fingerprint reader is routinely faulty.
    Except when I dock my laptop so the "hello" camera can't even see me.
    Except when every god damn fucking program is trying to be the "passkey manager" and their prompts are all overriding each other before I can get to the one that is actually used for a particular login.
    Except on ultra-low-security devices, like an at-home gaming machine or test VM for development.
    Except for countless other reasons too.

    • Keep the yubikey on the same ring as your home key and vehicle key. That'll solve the first problem.

      But for all other cases I agree. On a process operator station with 24/7 online work with multiple computers and multiple users you can never log out or lock a computer because everything from the 100ft underground to 400ft above ground has to be accessible by any operator without delay for security reasons.

      • Why would I have my keys with me when I'm logging in from home? You always have your keys in your pocket?
        • If your keys aren't with you at home, you've got a problem anyway.

          You can solve this problem if you are a chronic key-loser by having two keys and registering them both, and keeping one at home.

          • by mce ( 509 )
            My keys are with me at home and I know where they are, but not with me as in "always on my body". If I have to carry them literally everywhere where I might need them to log in (3 computers in 2 fixed and 1 mobile location, spread over 3 floors) and also every time I change between regular clothes, military clothes, and DIY clothes, then that is when I will "lose" them all the time.
            • Exactly my point.... or I will try to log into something and realize I need to spend time looking for my keys just to log into something.
      • by flink ( 18449 )

        Keep the yubikey on the same ring as your home key and vehicle key. That'll solve the first problem.

        I've pretty much eliminated physical keys from my life. My house uses all z-wave locks with fingerprint readers and push button codes for backup. My car can be started via NFC with my phone. Having to remember a separate physical key just to unlock my computer or login to websites seems like a step back to me. I'd rather just be enrolled in TOTP, then I can just use the password manager that is already on my phone & PC. I can also very easily backup that TOTP secret and make a physical hard copy.

        • "I've pretty much eliminated physical keys from my life...My car can be started via NFC with my phone."

          Doesn't that make your phone a physical key?

      • by darkain ( 749283 )

        That doesn't work too well when the work issued Yubikey is a 5C Nano

    • This is literally why there are multiple fail-safes in the design. Oh your Hello camera doesn't work? What a calamity that it took you literally 2 seconds to type your pin in instead. The world won't cope with that loss.

  • by ThePhilips ( 752041 ) on Thursday December 19, 2024 @01:31PM (#65025983) Homepage Journal

    They already don't. Got new Win11* corporate laptop.

    The standard log-in configuration is only possible with passkey. Later can be changed - but first N reboots during setup/etc - only passkey. (IT had no idea if that could be changed or not.) So I had to promptly find another PostIt to write down one more password...

    *With the brand new shittiest taskbar of all Windows OSs ever. After I've seen it and experienced it... No way I'm downgrading Win10 at home to Win11.

    • by Zak3056 ( 69287 )

      No way I'm downgrading Win10 at home to Win11

      Win10 EOS is ten months away, so you're either going to need to airgap that thing, move to some *NIX, or bite the bullet and move to Win11 unless you want the probability of being pwned to be even higher than it is now.

      • No way I'm downgrading Win10 at home to Win11

        Win10 EOS is ten months away, so you're either going to need to airgap that thing, move to some *NIX, or bite the bullet and move to Win11 unless you want the probability of being pwned to be even higher than it is now.

        EOS is when a Windows OS becomes stable. Airgapping Windows 10 - seriously just how natively and unfixably insecure is Windows anyhow - if what you say is true, you are better off on everything else. It is unfixable. And so is W11.

      • by ukoda ( 537183 )
        True, but I get the feeling many Windows users treat being pwned as a normal part of using a computer. They simply balance when the crappiness of using their system becomes higher than the crappiness of doing a system reinstall. I have found many people accept a crappy situation as their best option and will make excuses to defend that choice. I no longer waste my time trying to help them, it is their choice. I'm happy to help people move to Linux, but only if they reach out and ask for help first.
      • so you're either going to need to airgap that thing

        Why? Few people have anything that important.

        • It doesn't matter if you have any important data, the state of computer security is such that you will probably get owned by an automated attack eventually. You'll open a website up (maybe it will be a redirect to an ad) and get owned through a browser image loading vulnerability or something else equally stupid and preventable with best practices which aren't employed.

        • So you absolutely wouldn't mind if someone installed a crypto miner worm on your machine and ran it at 100% until it burns out the hardware, using your electricity to make them money?

          What a silly assertion. There is far more opportunity for cyber crime now than just simple data theft.

    • After 3 logins in a row with password (use another login method) our computers select password as suggested alternative instead of pin code.

  • by rossdee ( 243626 ) on Thursday December 19, 2024 @01:42PM (#65026029)

    Nudge nudge, wink wink
    Say no more

  • There is nothing Microsoft will be able to do to prevent future customers from
    opting out of the Windows Operating System altogether.

    Problem solved.

  • Not your choice (Score:5, Insightful)

    by ukoda ( 537183 ) on Thursday December 19, 2024 @01:53PM (#65026095) Homepage
    This attitude: "We're implementing logic that determines how often to show a nudge so as not to overwhelm users, but we don't let them permanently opt out of passkey invitations," tells you everything you need to know about M$'s attitude to users. Passkeys may be a good thing but it still should be a user's choice if they want to use them. They may as well have said "We're implementing logic that determines how often to beat them with a stick so as not to kill users, but we don't let them permanently opt out of beatings,". Clearly a company that has not heard of the principle that "No means no".
    • by sinij ( 911942 )
      It is your fault for dressing^H^H^H^H using Microsoft personal account.
    • by brunes69 ( 86786 )

      As a cybersecurity expert, I disagree.

      Humans have a lot of inertia and they fight change constantly.

      Sometimes, they need to be forced to adopt new things for their own good.

      Passkeys are not only more secure, but they are better for everyone because you no longer need to remember passwords. They are so, so much better. But if we relied on users to adopt them at-will, then we would be waiting a decade - a decade where we'd have to continue to be funding terrorist networks with the proceeds of cybercrime.

      • Re: (Score:3, Insightful)

        I don't necessarily agree they are immediately better. You're moving "something you know" to "something you have". For some people, this might be better, but as a whole, you're leaving out a very important part of the security equation.
      • by ukoda ( 537183 )
        I will concede your point for computers used to store data about people other than the system owner or to control systems others use. I was defending the rights of home users to make stupid choices. However for companies and governments, forcing them to meet minimum security standards is a good thing.

        By the same token I assume you are not happy with what M$ is doing because they are not forcing users to use passkeys, but rather nagging them as much as they think they can get away with.
      • Sometimes, they need to be forced to adopt new things for their own good.

        I for one welcome our new corporate overlords, it's for our own good. What a douche.

      • by PPH ( 736903 )

        Sometimes, they need to be forced to adopt new things for their own good.

        Yeah. Like socialism [imgflip.com].

  • whether you like it or not, just like with vaccine passports a couple years ago. In some states google and apple's Wallets are already an option for drivers' licenses
  • You must of had a PassKey made out of Whacks

  • Microsoft has adopted the Apple way of forcing users to do things a certain way, just like Apple has been doing for years. I'm ready to switch as many systems as I can to Linux.

  • This is the biggest gripe about passkeys - they are not suitable for a Two-Factor Authentication mechanism.

    The rule, something you know, something you have, and something you are is broken with Passkeys - it becomes something you have. Additionally, passkeys can be transferred or shared (depending upon implementation).

    This is why financial institutions won't use Passkeys in their current form.

    There are ways to fix the holes, but they are not in the standard yet nor a default standard.

    Still, a step in the

  • ...because I'm sitting in an airport with flaky wi-fi. That said:

    I've seen a lot of dumb security ideas during my 40+ years on the Internet and ARPAnet. Passkeys are right up there with the best/worst of them. They are incredibly stupid, and what's more, the people pushing them know they're incredibly stupid but are doing it anyway because they don't want security: they want control.

    In fact, they want control so badly they don't care who gets hurt. And in particular, they don't care how many who l
  • To my understanding, passkey is just a cert you hand over to a client, that has a passphrase or some other unlocking mechanism. Or something you have used with SSH forever. Client certs have also been a thing forever, they just never really took off (because random websites didn't really want to start acting as CA's for their users).

    However, not exactly the most convenient method. I can sync my KeepassXC database across devices trivially and make backups just as easily. What exact advantages does this provi

  • A password, when it gets stolen, you can change.

    Your fingerprint or face will never change.

    This is an absolute gold mine for criminals.

    They will find a way to steal this information and people will have no way to change this.
