Microsoft Won't Let Customers Opt Out of Passkey Push

Microsoft has lauded the success of its efforts to convince customers to use passkeys instead of passwords, without actually quantifying that success. From a report: The software megalith credits passkey adoption to its enrolment user experience, or UX, which owes its unspecified uptake to unavoidable passkey solicitations -- sometimes referred to as "nudges."

"We're implementing logic that determines how often to show a nudge so as not to overwhelm users, but we don't let them permanently opt out of passkey invitations," explained Sangeeta Ranjit, group product manager, and Scott Bingham, principal product manager, in a blog post. The corporation's onboarding strategy seems to suit its corporate address: One Microsoft Way.

Ranjit and Bingham describe that strategy in a post titled "Convincing a billion users to love passkeys: UX design insights from Microsoft to boost adoption and security." But they don't disclose how many customers love passkeys enough to actually use them.

Just Microsoft

[oldgraybeard]

being Microsoft! Abandon the darkness, Passkey, Recall and there is more bad on the way.

Re: Just Microsoft

[Z00L00K]

Passkeys will be around until someone figures out a fatal and unrecoverable weakness with them.

Re: Just Microsoft

[93 Escort Wagon]

Passkeys will be around until someone figures out a fatal and unrecoverable weakness with them.

Having Microsoft manage them without your involvement might qualify as exactly that...

Re:

[Z00L00K]

"Evil LOL!"

Re:

[thegarbz]

Having Microsoft manage them without your involvement might qualify as exactly that...

You try convincing people of running a Microsoft OS that. If you don't trust Microsoft's passkey implementation then you have no logical business having their OS on your machine.

Re:

[fahrbot-bot]

Passkeys will be around until someone figures out a fatal and unrecoverable weakness with them.

From TFA... not necessarily fatal or unrecoverable, but probably super annoying or problematic:

Passkeys are not foolproof though. A compromised device might expose private keys, and a successful social engineering attack could dupe a user into creating a passkey for a malicious service.

There are also potential problems if the user loses access to a device that stores passkeys – another means of authenticating to a passkey-linked service would be required, which might involve passwords or a more involved recovery process.

Also, passkey portability between credential providers (across platforms or password manager applications) is still a work in progress.

While it notes, "a compromised device might expose private keys" it fails to be clear that it might expose *all* your private keys. I'm not a fan of having all my eggs in one basket. Also, using bio-metrics to access your passkey means no, or less, legal protections from searches -- so use a long PIN, or password - oh, wait ...

Re:

[Darinbob]

"Microsoft" is the fatal and unrecoverable weakness with them.

Ie, replace a strong password with a system that is badly described, and login with face, fingerprint, or PIN. Really, the 4 or 6 digit PIN is more secure? And you need the PIN because face and fingerprint isn't reliable and will change over time, and change with different devices. Even Apple requires using the PIN once a week or so instead of just fingerprint unlocking.

It's Microsoft, we know that they screw up often, and screw up badly. We

Re:

[Uldis Segliņš]

While I agree to most, but "if I'm in the restroom someone can sit in my seat and quickly get onto all those sites" is solely on you yourself. Remember to lock your session as you remember to not walk out of the restroom with your pants down. Not so hard to do that.

Microsoft Security

[J. L. Tympanum]

It is one of those self-canceling oxymorons, like "jumbo shrimp" or "business ethics".

Re:Microsoft Security

[Brain-Fu]

Encouraging me to use a passkey is one thing. Pestering me about it forever, with no option to turn that pestering off, is quite another.

I don't like being treated like that, which is why my home devices are all Mac or Linux. Microsoft's bullying chased me away from their products a while ago, though, so this is just more reinforcement for me.

Re:

[markdavis]

^^^^ Bingo

Thankfully, I also don't have to deal with it, because all the machines I use- home and work, are Linux. I can decide how I use them.

There are perfectly valid reasons to want a LOCAL login and a LOCAL username/password on a system. Not all systems are the same or have the same connections or use cases. Pestering all users to death is just yet another annoyance.

Re:

[ChatHuant]

I've had Jumbo Shrimp the size of Hamsters.

Yeah, but those were shrimp hamsters...

Re:

[Darinbob]

Giant hamsters? From space?

Passkeys are better for everyone

[brunes69]

This summary and article makes it sound like Microsoft is the only company promoting Passkeys.

Passkeys are developed under the FIDO alliance and promoted by Google, Apple, Microsoft, Mozilla, CISA, and anyone and everyone who knows anything at all about cybersecurity.

They are infinitely more secure than passwords, and, at the same time, make life infinitely easier as well as they eliminate the need to remember and type said passwords.

Everyone and their dog should be pushing companies to abandon passwords as quickly as possible. Life without passwords is better for everyone - everyone except criminals anyway.

Re:

[Ol Olsoc]

They are infinitely more secure than passwords, and, at the same time, make life infinitely easier as well as they eliminate the need to remember and type said passwords.

Good heavens, "infinitely more secure" and "infinitely easier"? Hyperbole much?

Re:Passkeys are better for everyone -- not for me

[blahbooboo2]

No thanks. I dont want my device to be instantly allowed to login to my services. Too many scenarios exist where this will become an annoyance. Passkeys become yet another thing I have to manage and be concerned. Look at the below comments here as to reasons why passkeys are being avoided (such as having someone else owning your authentication, device lost or stolen, your biometric goes faulty, and low security devices such as a home PC etc.

IMHO they are not really any better for the end user than a decent password management app. And now, passkeys are being stored in password vaults so they can work on multiple devices, just like passwords yippee! So hows this better experience for the end user? Oh right its more "secure" than a good unique password.

vendors are trying to force (MS) and trick us (Amazon, paypal) into setting them up after spending money to implement the tech. To an end user its a confusing technology that were being told to just "trust us its better, easier, and safer" (counting down to the first security flaw being discovered btw).

Re:

[brunes69]

They are better than a password manager because they are cryptographically bound to the issuing device. That is what makes them phishing-resistant in the first place.

Password managers do not have this. A password is not bound to a device, and that instantly makes it less secure than a passkey.

Re:

[fahrbot-bot]

They are better than a password manager because they are cryptographically bound to the issuing device.

That'll be fun if/when one has to replace that device. Good thing phones/PC last, and are supported, forever... :-)

Re:

[brickhouse98]

I fail to see the distinction. Bitwarden, for instance, supports both passwords and passkeys (and is a password manager obviously.) It can fill out the passkeys on desktop, on mobile, etc. It's not "bound" to any one device but perfectly capable of exchanging passkeys with any service you like (including MS, etc.) So how is it better in the way you describe? I'm not against passkeys in general but they make a salient point- if you are already using a password manager with 2FA and random passwords, passkey

Re:

[Darinbob]

But what protects the passkey? A PIN? Soemone can sit at my computer and now have single sign on to my bank account?

Anyway, I don't even have a password on my home computer. It's behind lock and key anyway, and I don't store any passwords there so that they can get into the bank account. At a work computer I have a password, but with single sign on I use that password only once a day and then all the stupid Microsoft accounts never bother double checking that it's really me, they just let me in. If I w

Re:

[techno-vampire]

To an end user its a confusing technology that were being told to just "trust us its better, easier, and safer" (counting down to the first security flaw being discovered btw).

Before starting to read the comments, I looked up passkey in Wikipedia, and found a dense, confusing mass of jargon that nobody who isn't already familiar with the subject is likely to understand. This type of "explanation" is going to chase large numbers of potential users away, because they'll come to the conclusion that the art

Re:

[Darinbob]

The vaults are replicated? Or they're on some third party server? As in I need to contact a server over the network in order to login to my home computer to look at a local file? What happens if the internet is unavailable? WTF is wrong with a strong password, used ONLY for logging in, then unique strong passwords for each and every account? Why is access to my computer once with a fingerprint (or PIN!) more secure than using passwords multiple times as they're needed?

Microsoft's story here is weak and

Re:

[Waffle Iron]

Then don't enable that option

That's a nice theory you have, but any time Windows does a semiannual update, they feel free to reset any options they wish to the defaults without warning.

Re:

[MachineShedFred]

Which is an awesome reason to stop using Windows.

Stop letting them victimize you with their shitty behavior.

Re:Passkeys are better for everyone

[systemd-anonymousd]

Passwords are covered by fourth amendment protections. Passkeys are not.

Re:

[brunes69]

If you're that paranoid, then use a password-protected passkey. Problem solved.

Re:Passkeys are better for everyone

[systemd-anonymousd]

Doesn't that defeat the purpose? Why not a password at that point?

Also what do you mean, "that" paranoid? We're in a post-Snowden world. Arguments that rely on "erm, actually, illegal government surveillance is rare and they don't actually care enough about you to want to tap your MODEM phone line" no longer work.

Re:Passkeys are better for everyone

[RUs1729]

Except when somebody has access to my device for whatever reason - e.g. because they stole it: they will have immediate access to all the sites in which I use a passkey. There is no doubt that passkeys are very convenient, but they are not a cybersecurity nirvana: they just come with other problems peculiar to them.

Re:Passkeys are better for everyone

[ewibble]

Since you said everyone.

Ok what if i don't have, or want a smart phone?

How is forcing me to buy a new phone every X years since I assume for security reasons I have to keep it up to date, charge it regularly.

And before you say I can use it on computer, I had Authy and they now no longer support there desktop version, in order to log to my company sites, or see my I pay slip, the entire site is read only, I have a company provided phone sitting on my desk consuming power so I can do so.

For low security things I don't care about I see absolutely no need for this.

Also in reply to a post below may people their only computing device is their phone so loosing it loses their passkey.

Furthermore most people use an app on their phone, which use to log into their sites, if the phone is compromised then they are compromised. Personally I much prefer something like Yubi key but I am not given that option.

Re:

[brunes69]

You don't need a phone.

Not bothering typing more since you obviously don't even know the basics - read my other replies, or go do basic research on how passkeys work.

Re:

[fahrbot-bot]

I had Authy and they now no longer support there desktop version, ...

That annoyed me too, enough that I switched to 2FAS on my Pixel 5a. Of course, that didn't solve that issue, but I like that the tokens can be exported from 2FAS as JSON, in either a clear-text or encrypted file and stored offline. I don't have another physical device to run 2FAS, but it will run in virtual device, like in Android Studio, though I don't have to go that far. KeePassXC supports TOTP tokens and you can copy/paste the manual keys from the 2FAS JSON export; it runs pretty much everywhere...

Re:

[MeNeXT]

They are infinitely more secure than passwords, and, at the same time, make life infinitely easier as well as they eliminate the need to remember and type said passwords.

Magic, wow.

Re:

[fluffernutter]

Sorry, passwords are secure enough for me. I'm not hiding any government secrets, and my life is pretty boring. On the other hand, I find passkeys extremely inconvenient. You can use passkeys if you feel you have stuff hackers are trying to get to, but as a customer I demand convenience.

Re:

[Darinbob]

How are they more secure? If a 4 letter PIN gets you into the account instead of the 20 character password? How do you define "infinitely" without assuming that a password is 0?

And why should I trust Microsoft? What has Microsoft ever done to prove that they know the first thing about security?

Re:Passkeys are better for everyone

[brunes69]

First of all, passkeys don't need to just be "on your phone". They can be stored anywhere. Microsoft and Apple both have them built into the OS. So you have a passkey on your laptop, as well as your phone. You can also store them in a U2F key like a Yubikey.

To answer your question - if you lose one passkey, presumably, you can use your other one. Everyone should always have at least two passkeys for any one account, for exactly that reason.

If you lose *ALL* of the passkeys for an account - then you presumably should be having to go through some kind of in-person security procedure.

This is why, ideally, the government should be the one issuing passkeys, not Microsoft and Google and Apple. So that if you lost them, a trustworthy authority that you can go to locally - like the DMV - can fix it and restore your access. But we unfortunately are not there yet.

Re:Passkeys are better for everyone

[Rockoon]

ah yes, the DMV, renowned for its attention to security procedures.

Re:Passkeys are better for everyone

[drinkypoo]

The government should be issuing passkeys for dealing with the government, but I sure as shit wouldn't want to use them for anything else.

Re: Passkeys are better for everyone

[reanjr]

Well, in reality, this would really need to be federal to be successful, so you'd be dealing with the Department of State most likely. The guys who secure our passports. And of course, if you can get a fraudulently issued passport, there's a good chance you can circumvent many private system for passkey recovery by "proving" you are the person you say.

Re: Passkeys are better for everyone

[Viol8]

And if I want to log into something from a 3rd party machine? Load the passkey on to it [somehow] then make sure I delete it again after [somehow]. Fuck that. A login and password takes seconds even with a 2fa sms.

Re:Passkeys are better for everyone

[DarkOx]

and there it is. This is a terrible idea. Its not unlikely at all for a person to lost both or all their pass keys. Frequently my smart phone is in the same bag as my laptop. Both might be left on the bus, at the same time, or ripped from my shoulder as I head down the street.

Same thing with personal stuff. Odds are all of my passkey devices are in the same home which if catches fire at night are likely to be abandon in said building to burn.

So while I am already having a no good horrible very bad day, I won't be able to use some other computer to access my bank, insurance companies portal, my employers self help portal to report the stolen laptop etc, without first jumping through a mountain of BS if someone will even help me... ever see how much personal attention someone gets when they lost access to their gmail and don't have a current recovery account etc? Right they get NO HELP.

Or I could do what I do now, remember a few strong passwords for my primary banking institutions, my email, and work; and keep everything else in a password manager. Worst case I reset the passwords to the other stuff via email if somehow the password manager is destroyed. Which it won't be because its encrypted and I just e-mail to myself.

The entire passkey's are a overly complex solution to the problem that while might seem elegant to geeks are likely to leave Joe Public with a lot of availability problems. Could you solve most of them by tossing an extra pass key device in a safe deposit box or maybe just mom's basement, sure but most people will not understand the need or have the foresight; for all the SAME reasons they can't handle passwords securely now. It does not magically make SE not a thing either. The same rube that be vished/phished/quished into giving up their password will be convinced login and then run support.exe from https://bad.actors.crime/ [bad.actors.crime] or send that $5000 deposit to .... in Moscow so he can ship that million dollar artwork the Nazis stole form great grandma out of the country..

Re:

[AnOnyxMouseCoward]

Thanks for the explanation. Follow-up question if I may, what happens if someone steals my phone with my passkey, and somehow figures out my PIN? Do they just automatically get access to a bunch of websites under my login?

I want to like the technology, but am afraid of introducing a single point of failure. Plus, if you do have an issue, your point about in-person security procedure is another concern, since it is tech companies in control today and good luck speaking to a human at Microsoft or Google. Ho

What's bad about Passkey?

[Rinnon]

Genuine inquiry here for someone who knows more than I. Windows 11 didn't give me the option to NOT setup a Passkey, so I did. It seems... fine? Is there an underlying issue that I don't know about? We're talking about a Desktop that lives in my house and only I ever use, so I'm not exactly super concerned.

Re:

[brunes69]

THere is nothing wrong with passkeys. Passkeys are way more secure than passwords and also way easier to use.

Re:

[Darinbob]

And yet again, this is stated as if one should just trust it. No evidence is given, no explanation is given, no documentation or ISO standard to look up. It's just "trust me, I'm an ekspert!"

Except that for good reason, Microsoft cannot be trusted!

Re:What's bad about Passkey?

[abulafia]

Depends on whether you are OK with someone else owning/managing your authentication to every other site out there.

Try to get a passkey off an iPhone and in to your desktop password manager without using a third party intermediary.

Trying that exercise was when I decided I won't use them until/unless I can manage them just like passwords.

Re:

[BeepBoopBeep]

ehhh, bitwarden manages my pass keys on apple/windows devices ....

Re:What's bad about Passkey?

[nightflameauto]

Depends on whether you are OK with someone else owning/managing your authentication to every other site out there.

Try to get a passkey off an iPhone and in to your desktop password manager without using a third party intermediary.

Trying that exercise was when I decided I won't use them until/unless I can manage them just like passwords.

That seems to be the thing with almost all security in the modern age. Security is only security if it's handing the keys, sometimes literally, over to some behemoth for-profit company. You owning your security? No. You can't trust yourself. You can only trust the corporations. Only they have your best interests at heart.

It's a sad world that trusts entities absolutely known, and proven time again, to have no interests but their own profits to "secure" us against threats. It's amazing we're still allowed outdoors without some corporate sign-off to allow it.

It's a fundamental shift from something you know

[Tora]

This is so big, and nobody seems to care. "Something you know" on its own isn't good, but combined with "Something you have" it becomes many fold more powerful.

CHANGING to passkey just means it is now ONLY something you have, and no longer is it MFA, and it's arguably worse than a strong password.

Re:

[thegarbz]

That seems to be the thing with almost all security in the modern age. Security is only security if it's handing the keys, sometimes literally, over to some behemoth for-profit company. You owning your security? No. You can't trust yourself.

Of course you can. But for 99% of people out there they shouldn't. The average idiot can't be trusted not to write their password on a post-it and glue it to their screen. I used a friend's phone the other day and had it unlocked before they could tell me the unlock pattern. Obviously it's a C, N, Z or U like the 0000 of passwords. You think these kinds of people can manage passkeys?

The big evil corporations just do the heavy lifting and package it into a system that can be used by an average idiot.

Re: What's bad about Passkey?

[bradley13]

This. Really, passkeys are just a variation on SSH keys: public/private key pairs. I manage my SSH keys in an OSS password manager, easy peasy. Why are passkeys such a mess?

Re: What's bad about Passkey?

[BeepBoopBeep]

The article doesnâ(TM)t claim they are a mess â¦. Bitwarden (and similar) manages passkeys and passwords just fine across devices and platforms

Re:

[markdavis]

>"Why are passkeys such a mess?"

Because Microsoft is trying to be the one forcing, controlling, and managing them. This isn't like an ssh passkey for an account you create and control on your own systems.

Re:

[The-Ixian]

What are you talking about?

A passkey is just public key authentication. You own the private key and only give a public key to the site as their secret to keep.

It's the exact opposite of what you are talking about. You keep all the secrets, the other side has nothing of consequence. They could lose that information in a breach and it wouldn't matter.

Unlike today where you are trusting others with your secrets.

Re:

[brunes69]

Passkeys are bound to the device issuing them. The idea of "moving them" makes no sense.

That said, you should not have only one passkey in the first place, that is a HORRIBLE idea.

IE - you shouldn't be trying to "get a passkey off an iPhone" in the first place because you should have a second one (either on your laptop, or your keychain, or elsewhere) somewhere else, which you can then use to enroll a third, fourth, or fifth passkey if you need to.

Re:

[Waffle Iron]

My locally run password manager program has hundreds of passwords accumulated over the decades (don't worry, its database is robustly backed up). That was inconvenient enough when I had to add each new account when it was created.

Now, every time do a transaction with a new business I have to create and save at least two passkeys, then save them on different devices that can't get destroyed in the same natural disaster? Then when I upgrade to a new device, I have to go through *all* those accounts and create

Re:

[Waffle Iron]

Keeping a password on an account is not a requirement. Passkey enthusiasts think that passwords will eventually go away entirely.

If you do keep a backup password for an account, then passkeys have done nothing to improve security. For most users, the password is probably the same as the one on their luggage.

Re: What's bad about Passkey?

[Z00L00K]

The Windows 11 pin code does not equal a passkey since you can't remove it when you leave your computer temporarily.

Add to it that if you set it up on a computer you use temporarily and someone figures out your pin key it's not safer than a password.

Re:

[MpVpRb]

They are not accepted at very many places. Many banks don't accept them. Out of all of the things I log into, only one accepts passkeys.
AFIK, they either can't be totally local or local storage is discouraged. Most want you to use a service like google.
I have also read that they are either difficult or impossible to backup and restore.
I have spent several hours searching, and have not found clear answers to my questions.
Can they be used totally without a smartphone, for any reason, ever?
Can they be managed

Re:

[markdavis]

I wish I had modpoints to MOD YOU UP.

I *WANT* to use 2-factor with my bank and several other places. But most ONLY want to do SMS, and I refuse to give ANY business my cell phone number, period. So I am stuck with 1-factor on most (but they are all different and strong).

And those that DO offer some non-SMS option for 2-factor, most only do it through their own crappy "app", which again, I am not going to use.

I want what you want. We have an OPEN and FREE and SECURE standard for this, it is TOTP https:// [wikipedia.org]

Passkeys

[systemd-anonymousd]

I didn't know much about passkeys, but now that I hear that MSFT is making it mandatory I know they're bad for me, probably dox me, likely steal all my data somehow or prove my identity to the government at all times, I should hate and fear them, and will resist adopting it forever.

Re:

[thegarbz]

I didn't know much about passkeys, but now that I hear that MSFT is making it mandatory I know they're bad for me

That's funny. I looked at your username and knew you'd post nonsense without even reading your post. That's how bias and judgements work. They make us stupid. They make us stop learning and understanding a subject.

Re:

[systemd-anonymousd]

Yes, I'm well aware that your thinking doesn't extend beyond looking at usernames and deciding things based on how that makes you feel.

Passkeys are GREAT!

[darkain]

They're totally great!!!

Except when I forget my Yubikey at home.
Except when the fingerprint reader is routinely faulty.
Except when I dock my laptop so the "hello" camera can't even see me.
Except when every god damn fucking program is trying to be the "passkey manager" and their prompts are all overriding each other before I can get to the one that is actually used for a particular login.
Except on ultra-low-security devices, like an at-home gaming machine or test VM for development.
Except for countless other reasons too.

Re: Passkeys are GREAT!

[Z00L00K]

Keep the yubikey on the same ring as your home key and vehicle key. That'll solve the first problem.

But for all other cases I agree. On a process operator station with 24/7 online work with multiple computers and multiple users you can never log out or lock a computer because everything from the 100ft underground to 400ft above ground has to be accessible by any operator without delay for security reasons.

Re:

[fluffernutter]

Why would I have my keys with me when I'm logging in from home? You always have your keys in your pocket?

Re:

[drinkypoo]

If your keys aren't with you at home, you've got a problem anyway.

You can solve this problem if you are a chronic key-loser by having two keys and registering them both, and keeping one at home.

Re:

[mce]

My keys are with me at home and I know where they are, but not with me as in "always on my body". If I have to carry them literally everywhere where I might need them to log in (3 computers in 2 fixed and 1 mobile location, spread over 3 floors) and also every time I change between regular clothes, military clothes, and DIY clothes, then that is when I will "loose" them all the time.

Re:

[fluffernutter]

Exactly my point.... or I will try to log into something and realize I need to spend time looking for my keys just to log into something.

Re:

[flink]

Keep the yubikey on the same ring as your home key and vehicle key. That'll solve the first problem.

I've pretty much eliminated physical keys from my life. My house uses all z-wave locks with fingerprint readers and push button codes for backup. My car can be started via NFC with my phone. Having to remember a separate physical key just to unlock my computer or login to websites seems like a step back to me. I'd rather just be enrolled in TOTP, then I can just use the password manager that is already on my phone & PC. I can also very easily backup that TOTP secret and make a physical hard copy.

Re:

[Chris Mattern]

"I've pretty much eliminated physical keys from my life...My car can be started via NFC with my phone."

Doesn't that make your phone a physical key?

Re:

[darkain]

That doesn't work too well when the work issued Yubikey is a 5C Nano

Re:

[thegarbz]

This is literally why there are multiple fail-safes in the design. Oh your Hello camera doesn't work? What a calamity that it took you literally 2 seconds to type your pin in instead. The world won't cope with that loss.

Won't?

[ThePhilips]

They already don't. Got new Win11* corporate laptop.

The standard log-in configuration is only possible with passkey. Later can be changed - but first N reboots during setup/etc - only passkey. (IT had no idea if that could be changed or not.) So I had to promptly find another PostIt to write down one more password...

*With the brand new shittiest taskbar of all Windows OSs ever. After I've seen it and experienced it... No way I'm downgrading Win10 at home to Win11.

Re:

[Zak3056]

No way I'm downgrading Win10 at home to Win11

Win10 EOS is ten months away, so you're either going to need to airgap that thing, move to some *NIX, or bite the bullet and move to Win11 unless you want the probability of being pwned to be even higher than it is now.

Re:

[Ol Olsoc]

No way I'm downgrading Win10 at home to Win11

Win10 EOS is ten months away, so you're either going to need to airgap that thing, move to some *NIX, or bite the bullet and move to Win11 unless you want the probability of being pwned to be even higher than it is now.

EOS is when a Windows OS becomes stable. Airgapping Windows 10 - seriously just how natively and unfixably insecure is Windows anyhow - if what you say is true, you are better off on everything else. It is unfixable. And so is W11.

Re:

[ukoda]

True, but I get the felling many Windows user treat being pwned as a normal part of using a computer. They simply balance when the crappiness of using their system becomes higher the crappiness of doing a system reinstall. I have found many people accept a crappy situation as their best option and will make excuses to defend that choice. I no longer waste my time trying to help them, it is their choice. I'm happy to help people move to Linux, but only if they reach out and ask for help first.

Re:

[fluffernutter]

so you're either going to need to airgap that thing

Why? Few people have anything that important.

Re:

[drinkypoo]

It doesn't matter if you have any important data, the state of computer security is such that you will probably get owned by an automated attack eventually. You'll open a website up (maybe it will be a redirect to an ad) and get owned through a browser image loading vulnerability or something else equally stupid and preventable with best practices which aren't employed.

Re:

[fluffernutter]

So I won't go to any shady websites. Is CNN going to hack me?

Re:

[MachineShedFred]

So you absolutely wouldn't mind if someone installed a crypto miner worm on your machine and ran it at 100% until it burns out the hardware, using your electricity to make them money?

What a silly assertion. There is far more opportunity for cyber crime now than just simple data theft.

Re:

[fafalone]

Incorrect. Windows 10 EOS is 8 years away, if you use the best and only acceptable version, Win10 IoT Enterprise LTSC

Re: Won't?

[Z00L00K]

After 3 logins in a row with password (use another login method) our computers select password as suggested alternative instead of pin code.

"nudges."

[rossdee]

Nudge nudge, wink wink
Say no more

Re:

[mhocker]

Nod as as a wink to a blind man

Say no more

No worries

[nehumanuscrede]

There is nothing Microsoft will be able to do to prevent future customers from
opting out of the Windows Operating System all-together.

Problem solved.

Not your choice

[ukoda]

This attitude: "We're implementing logic that determines how often to show a nudge so as not to overwhelm users, but we don't let them permanently opt out of passkey invitations," tells you everything you need to know about M$'s attitude to users. Passkeys may be a good thing but it still should be a user's choice if they want to use them. They may as well have said "We're implementing logic that determines how often to beat them with a stick so as not to kill users, but we don't let them permanently opt out of beatings,". Clearly a company that has not heard of the principle that "No means no".

Re:

[sinij]

It is your fault for dressing^H^H^H^H using Microsoft personal account.

Re:

[brunes69]

As a cybersecurity expert, I disagree.

Humans have a lot of inertia and they fight change constantly.

Sometimes, they need to be forced to adopt new things for their own good.

Passkeys are not only more secure, but they are better for everyone because you no longer need to remember passwords. They are so, so much better. But if we relied on users to adopt them at-will, then we would be waiting a decade - a decade where we'd have to continue to be funding terrorist networks with the proceeds of cybercrime.

Re:

[rickrickles]

I don't necessarily agree they are immediately better. You're moving "something you know" to "something you have". For some people, this might be better, but as a whole, you're leaving out a very important part of the security equation.

Re:

[ukoda]

I will concede your point for computers used to store data about people other than the system owner or to control systems other use. I was defending the rights of home users to make stupid choices. However for companies and governments, then forcing them meet minimum security standards is a good thing.

By the same token I assume you are not happy with what M$ is doing because they are not forcing users to use passkeys, but rather nagging them as much as they think they can get away with.

Re:

[VertosCay]

Sometimes, they need to be forced to adopt new things for their own good.

I for one welcome our new corporate overlords, it's for our own good. What a douche.

Re:

[PPH]

Sometimes, they need to be forced to adopt new things for their own good.

Yeah. Like socialism [imgflip.com].

Digital ID is waiting there in the background

[Rujiel]

whether you like it or not, just like with vaccine passports a couple years ago. In some states google and apple's Wallets are already an option for drivers' licenses

Your Latest Trick

[rossdee]

You must of had a PassKey made out of Whacks

The Apple way of doing things

[Timoteous]

Microsoft has adopted the Apple way of forcing users to do things a certain way, just like Apple has been doing for years. I'm ready to switch as many systems as I can to Linux.

Not 2FA

[Ronin Developer]

This is the biggest gripe about passkeys - they are not suitable for a Two-Factor Authentication mechanism.

The rule, something you know, something you have , and something you are is broken with Passkeys - it becomes something you have. Additionally, passkeys can be transferred or shared (depending upon implementation).

This is why financial institutions won't use Passkeys in their current form.

There are ways to fix the holes, but they are not in the standard yet nor a default standard.

Still, a step in the

I'm going to be brief...

[Arrogant-Bastard]

...because I'm sitting in an airport with flaky wi-fi. That said:

I've seen a lot of dumb security ideas during my 40+ years on the Internet and ARPAnet. Passkeys are right up there with the best/worst of them. They are incredibly stupid, and what's more, the people pushing them know they're incredibly stupid but are doing it anyway because they don't want security: they want control.

In fact, they want control so badly they don't care who gets hurt. And in particular, they don't care how many who l

What's the difference to a client-side cert?

[Zarhan]

To my understanding, passkey is just a cert you hand over to a client, that has a passphrase or some other unlocking mechanism. Or something you have used with SSH forever. Client certs have also been a thing forever, they just never really took off (because random websites didn't really want to start acting as CA's for their users).

However, not exactly the most convenient method. I can sync my KeepassXC database across devices trivially and make backups just as easily. What exact advantages does this provi

Passkey is based on biometrics

[Schoenlepel]

A password, when it gets stolen, you can change.

Your fingerprint or face will never change.

This is an absolute gold mine for criminals.

They will find a way to steal this information and people will have no way to change this.

Re:

[sinij]

May also be illegal in the EU.

Hating MS more will likely remain legal even in EU, but you never know.