Google recently announced that passkeys are now by default for all users. See [1]. Passkeys belong to a category of credential free login methods. Such methods are very convenient (they do not require passwords from users) but they are very insecure and dangerous for account holders.

Instead of authentication of users (account holders) such technologies authenticate users’ devices. This is the Achilles weak spot of this method. There are many scenarios in which not authorized users can access accounts and withdrew money or other assets from these accounts.

Scenario 1.

Imagine a situation, where you leave your device (for example a smartphone) in your office and go for lunch. Now, any person can access your phone and access your bank or any other online account, because such systems authenticate not the owner of accounts but the devices registered on the owner’s name.

Scenario 2.

Imagine a situation, where you lost your device (for example a smartphone). Now, any person who find your device can get access to your accounts.

Scenario 3.

Imagine a situation, where your device (for example a smartphone) was stolen. Now, the person who has your device can get access to your accounts.

Scenario 4.

Imagine a situation, where hackers use SIM swapping to get authentication tokens (see [2]). Now, they can get access to your accounts.

Scenario 5.

Passkeys, authentication tokens, application IDs, random keys, etc. are stored in some files on the device. These files can be hacked, broken, stolen, damaged, confiscated, etc. If such files will be broken or damaged then you will not be able to access your accounts. In all other cases, other persons will be able to access your accounts.

In many ways, this method is similar to a method used in hot crypto wallets, with private keys stored online in some files. It is well known that such method is not secure and that hot wallets are hacked regularly. Those who give control of their private keys to others, as a rule, are victims of such hacks and lose their assets, secured by the private keys.

You are not in control of your phone’s operating system (Google, Apple, etc. control them), you are not in control of apps installed on your phone (apps developers control them), but you can control your passwords and private keys (you can create and change them).

The danger for account holders is that it is almost impossible in some scenarios to prove that somebody else get access to your account and withdrew money or crypto from it. If you can not prove it, you can not recover stolen from your account funds or assets back, even in cases when laws and regulations protect you. See [3].

Conclusions:

1. Control of our own passwords and private keys forms the last bastion of freedom in the digital world. If this bastion will be destroyed (the control will be given to corporations and governments) then we will lose everything!!!

2. If we give governments and corporations control of our accounts (by using credential free login methods) then they do not need CBDC to control us.

References

[1] https://www.hackread.com/google-makes-passkeys-default-for-all-users/

[2]Millions Microsoft’s accounts were hacked via SMS based 2FA monthly (!!!) until the company replaced this 2FA on alternative methods https://www.forbes.com/sites/zakdoffman/2020/11/17/microsoft-warning-about-sms-security-codes-sent-to-apple-iphone-and-google-android-phones/?sh=2d12b0f9242f

[3] https://www.cp24.com/video?playlistId=1.6596608