https://support.microsoft.com/en-us/account-billing/how-to-go-passwordless-with-your-microsoft-account-674ce301-3574-4387-a93d-916751764c43
Uh huh...
Once you remove your password from your account, you will need to sign in using a passwordless method like the Microsoft Authenticator app, Windows Hello, physical security keys, or SMS codes.
SMS
So which 2FA method do we NEVER ask users to use anymore? You know... because lying to a phone carrier and getting a new SIM card sent to someone who isn't on the account is the hardest thing in the world to do! Or cloning a SIM card.
Windows Hello
Which just had some leaks about how insecure it is.
You're going to have to do way better than this...
Regardless, all three of these would then rely on your specific device to log in, which MUST have a recovery method. Since you know... devices break, get reformatted, etc... What does that process look like? With a password... I simply change the password. Can you guarantee that I can revoke the key and replace it without having to buy new hardware?
https://techcrunch.com/2022/09/12/apple-passkey/
They sync shit using iCloud... The private key is not secure. I don't care what your argument is if it's in relation to Apple. If you need further argument on this topic... Just look at all the leaked videos from Tesla cars. Big companies DO NOT DESERVE YOUR TRUST.
Incorrect because your bio is not the password, the private key is. The private key is revocable. Your bio just unlocks your hardware key store and makes the private key accessible to the software.
And you say I don't have an understanding... It doesn't matter how many keys deep you have to go. If the end of the line is an item that has been compromised, it DOESN'T MATTER how many steps you take after that. The compromised item is already obtained when you obtained the device.
Now... Can you tell me the process to revoke the private key from your fingerprint reader on your phone? You claim it's revocable. Revoke it. Show me. I'll wait. Can you prove that the blob in your phone is doing that? These chips are written once at the manufacturer with no oversight or validation. I'm not an idiot. I know your literal fingerprint isn't sent up to the cloud. It's used to tell a local chip to authenticate a public key against the private one contained within that typically never leaves the chip (except that the passkey standard actually allows key mobility, so it's actually worse than the FIDO standard that it's built upon). It's a blob that you have no insight into and no control over.
If I were to bump into you and lift your phone, I'd likely have your fingerprint just by lifting it off your phone and could sign into your phone. That's it... It's like you didn't have a password at all because I simply HAVE it. I've found that theft is actually a much greater risk in my life than my digital footprint. But that's only because I can actually mitigate the digital stuff by not being retarded and putting everything into the internet. Theft on the other hand... Can't do much about someone who willingly knocks me the fuck out (gasp! the XKCD comic strikes again!). But I can make sure that if they knock me the fuck out, they don't just get to take my shit and unlock it without my brain remaining functional.
None of that even matters. This is a chain of trust that I can't actually audit... So it's worthless. This requires that I trust Google (Android), Samsung (or other device manufacturer), their vendors (whoever makes the fingerprint reader), etc... You know who I have to trust for my password? My password manager and myself. The fun part is that my password manager is actually audited... and open source, AND I've looked at it enough to be happy with it. Who audited Windows Hello? https://www.theverge.com/2023/11/22/23972220/microsoft-windows-hello-fingerprint-authentication-bypass-security-vulnerability Ooops.
It's funny, because you know what this does to authentication? It puts all the power into another company's hands... and takes ALL of it out of yours. Which is interesting that someone on Lemmy is gung-ho about this.
Let's look at a real world example of something you might ACTUALLY have to do. You're crossing the border into a country. You have data you really don't want the government snooping into like hot nudes from your significant other. So you wipe your device before you cross the border to ensure the government can't violate your rights. Oops, you can no longer access ANY account you own because you relied on that device to be what unlocks everything.
Also, what's more likely... that you break a device or that a user CANNOT learn how to use a password manager?
Edit: For shits and giggles I logged into my Google account to see what the passkey setup even looks like for them... Turns out that it's automatically created keys for devices I've logged into... Including devices I don't own anymore.
Really secure that is! Nothing screams security like creating methods to access my account without my fucking knowledge. What a joke.
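The revocation argued over above (the claim that the private key is revocable, the demand to show it, and the stale per-device keys in the edit) comes down to what the account side stores. This is an added model, not code from anyone in the thread or from any vendor: the account holds one public-key record per registered device, an assertion is a signature over a server challenge, and revoking means deleting that record so the device's private key no longer gets anything in. Authenticator, RelyingParty and the credential IDs are constructed for the example; ECDSA P-256 over SHA-256 matches WebAuthn's default ES256 algorithm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the device-side key store (constructed for this example):
// the private key never leaves it; callers only obtain signatures over a challenge.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: k}, nil
}

func (a *Authenticator) Public() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign produces an ES256-style assertion: ECDSA P-256 over SHA-256 of the challenge.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, h[:])
}

// RelyingParty models the account side: one public-key record per registered device.
type RelyingParty struct{ creds map[string]*ecdsa.PublicKey }

func NewRelyingParty() *RelyingParty { return &RelyingParty{creds: map[string]*ecdsa.PublicKey{}} }
func (rp *RelyingParty) Register(id string, pub *ecdsa.PublicKey) { rp.creds[id] = pub }

// Revoke deletes the record; the device keeps its private key, but it is now useless here.
func (rp *RelyingParty) Revoke(id string) { delete(rp.creds, id) }

// Verify rejects unknown or revoked credential IDs before checking the signature.
func (rp *RelyingParty) Verify(id string, challenge, sig []byte) error {
	pub, ok := rp.creds[id]
	if !ok {
		return errors.New("unknown or revoked credential")
	}
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {} // kept so the file builds as a stand-alone program
```

Revocation here is entirely account-side: the lost or sold device still holds its key, and the list of registered credentials is what has to be reviewed for entries you no longer recognise.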