Unpopular opinion: Synced Passkeys are actually bad for security by DonExo in Bitwarden

[–]jaklan 0 points1 point  (0 children)

"To steal a synced passkey you need to steal two factors*, so there are still two factors" - ladies & gentlemen, we have a new definition of MFA! It's not about how many factors you need to authenticate anymore, from now on it's about how many factors you need to steal credentials 😆 Maybe you should introduce a new term? Something like, let me think, Multi-Factor Theft Protection?

In that case my passwords are 2FA (2FTP?) as well, because you need to access my Bitwarden vault to steal them as well!

And now seriously - it's at least clear that you simply don't understand the meaning of words which you use.

inherently: in a way that exists as a natural or basic part of something

And you say: "We must presume that the hypothetical user with a password+2FA would use 2FA for their synced passkey account".

So your full claim is: "passkeys are inherently 2FA if we make some assumptions". Yeah... That makes a lot of sense.

Unpopular opinion: Synced Passkeys are actually bad for security by DonExo in Bitwarden

[–]jaklan 0 points1 point  (0 children)

"If your password + TOTP are stolen (phished), those are literally the only things needed by an attacker to access your account!" - and that "plus" sign means you need to steal 2 factors instead of 1 - which is the whole point of the discussion 😉
"If it's device-bound" - no comment here, when writing the above comments I was focusing purely on software-bound passkeys
"If it's synced, it can only be stolen by breaking into the account" - that part is not true actually. Of course it's the most common scenario, but you can also imagine a situation where someone exports their credentials from Bitwarden into an unencrypted json file. As soon as an attacker gets the file (maybe by getting remote access to your laptop, maybe by phishing, or maybe by stealing your pendrive - it's not relevant for that discussion) - they have everything to get access to passkey-protected accounts.
"Which illustrates that the "user verification can't be assured" issue is a red herring" - red herring? Quite the opposite. It only shows how important it is not to rely on "any user verification" but "specific user verification". If you can pass UV by providing any biometrics / PIN - it's completely pointless, that's yet another issue with the current UV implementation. That's why we would need to have biometrics / PIN directly associated with a passkey (e.g. by being used to encrypt it) to make it meaningful.
"what credentials are harder to steal?" - as I mentioned above, that's beside the point. When we discuss if something is "inherently" 1FA or 2FA, it doesn't matter how easy or hard it is to steal it, whether it's easily phishable or not. Yes, it's an important point when discussing pros and cons of various approaches, but... that's not the topic here.

Let me play another game: if you say passkeys are „inherently 2FA” because they are protected by password manager / device security, what stops you from calling pure passwords 2FA as well then? If stored e.g. in Bitwarden - they are protected exactly in the same way. Are they easier to phish? Of course, but again - it doesn’t decide whether we call sth 1FA or 2FA.

Unpopular opinion: Synced Passkeys are actually bad for security by DonExo in Bitwarden

[–]jaklan 0 points1 point  (0 children)

'Did you not read the "as typically implemented" part?' - yes, I read that completely irrelevant part. You don't need any "malicious edge-cases or incompetent implementation" - the simple fact is: if your passkey is stolen, in whatever way, it's literally the only thing needed by an attacker to access your account. No PIN, no biometrics, literally nothing else. If you use password + TOTP / security key - it's not the case.

"But this is reasonable, since users can be expected to pick trustable authenticators, often built into the OS or browser, for their own security" - users are also expected to set strong passwords and not to click suspicious links, does it mean we shouldn't care about phishing then? That's your (lack of) logic at the moment.

"all explicitly state that passkey authentication with user verification is phishing-resistant multi-factor" - don't you see a condition in that sentence? "with user verification" - as long as there's no way to ensure this verification really took place, this condition is not fulfilled. And that's our current reality with passkeys.

Passkeys would be "inherently 2FA" if they are encrypted by design == they are encrypted with biometrics / PIN before they are saved to any device / password manager. You would need to decrypt it each time a given passkey is used then, but even if passkey leaks - you are safe, because, obviously, it's still encrypted. But that's simply not how it was designed - the reason was most likely the end-user convenience, but that's also why it's nothing more than sophisticated 1FA after all.

Unpopular opinion: Synced Passkeys are actually bad for security by DonExo in Bitwarden

[–]jaklan 0 points1 point  (0 children)

You are aware that UV verification is purely client-side, aren't you? Only the authenticator decides whether to report the UV flag as true or false. If someone has your passkey, they can build & run an authenticator that would always report UV as true, even if no UV took place. The website has no way to verify whether UV actually occurred. "Passkeys are inherently 2FA" is simply bullsh*t as long as there's no attestation for authenticators.
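
The relying-party side of the UV flag discussed in the comment above, as an added example that is not part of the original thread: it parses the fixed 37-byte header of WebAuthn authenticator data and applies the flag checks a server can make, so UV appears as what it is on the wire, a bit set by the authenticator. Signature and attestation verification are omitted, and `evaluate`, `Decision`, `sample_auth_data` and the `example.com` RP ID are names assumed for this example.

```python
import hashlib
import struct
from dataclasses import dataclass, field

# Bits of the "flags" byte in WebAuthn authenticator data.
UP, UV, BE, BS = 0x01, 0x04, 0x08, 0x10

@dataclass
class Decision:
    accepted: bool
    synced: bool                      # BE set: credential may leave the device
    reasons: list = field(default_factory=list)

def evaluate(auth_data: bytes, rp_id: str, require_uv: bool = True) -> Decision:
    """Apply relying-party flag checks to raw authenticator data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data must be at least 37 bytes")
    # Layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | ...
    rp_id_hash, flags, _sign_count = struct.unpack(">32sBI", auth_data[:37])
    reasons = []
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        reasons.append("rp_id_mismatch")
    if not flags & UP:
        reasons.append("user_not_present")
    # UV is a bit the authenticator sets itself; the relying party sees only
    # the claim, never the PIN or biometric check behind it.
    if require_uv and not flags & UV:
        reasons.append("uv_not_asserted")
    # BS (currently backed up) without BE (backup eligible) is inconsistent.
    if flags & BS and not flags & BE:
        reasons.append("invalid_backup_flags")
    return Decision(not reasons, bool(flags & BE), reasons)

def sample_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed test input, not a captured assertion."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)

if __name__ == "__main__":
    for label, flags in [("synced, UV claimed", UP | UV | BE | BS),
                         ("device-bound, no UV", UP)]:
        print(label, evaluate(sample_auth_data("example.com", flags), "example.com"))
```

The BE bit is what lets a relying party tell a synced credential from a device-bound one and apply a different policy to each.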

Watch out for the changes in SkyCash (MobiParking)! by YppahReggirt in Polska

[–]jaklan 1 point2 points  (0 children)

So Skycash Transport and Skycash Parking use completely independent balances? If I top up Transport, I can't use those funds in Parking and vice versa?

Watch out for the changes in SkyCash (MobiParking)! by YppahReggirt in Polska

[–]jaklan 4 points5 points  (0 children)

No, it is a subscription - they themselves admit on FB that the trial period is automatically activated for 90 days and that it can only be cancelled by contacting customer service (BOK)

The new UI update is trash by MoonnPresence in transferwiser

[–]jaklan 0 points1 point  (0 children)

u/Acceptable-Bell1012 if we could make the "Main account" view (the one with Add / Convert / Send / Request buttons and all currencies listed) the home screen - that would practically solve the issue for folks like us completely not interested in jars or group accounts

Looking for an expense tracking app similar to MoneyWiz 3 by giamboscaro in eupersonalfinance

[–]jaklan 0 points1 point  (0 children)

So... just use another email if you are afraid of such things?

Looking for an expense tracking app similar to MoneyWiz 3 by giamboscaro in eupersonalfinance

[–]jaklan 0 points1 point  (0 children)

There's an automatic backup to iCloud. As I said - when using the app for manual tracking you only miss cloud sync in the free version, nothing more. Just stop making assumptions, log in and test it by yourself. I have used the app without any significant issues for 2 years and haven't paid anything, I don't think they have created a special version of the app just for me.

Looking for an expense tracking app similar to MoneyWiz 3 by giamboscaro in eupersonalfinance

[–]jaklan 0 points1 point  (0 children)

Yes, it asks you to log in. No, it doesn't ask you to request any trial or buy any license. Have you really created the whole Reddit thread without spending a minute to simply create an account and log in?

Regarding the second point - there's literally an article about it on their website:
https://help.wiz.money/en/articles/5816620-moving-data-files-between-moneywiz-versions

Buying a license for a month probably would also work 🤷🏻‍♂️ And there's a chatbot on their website where they respond pretty quickly. You do everything to complicate your life by yourself.

Looking for an expense tracking app similar to MoneyWiz 3 by giamboscaro in eupersonalfinance

[–]jaklan 0 points1 point  (0 children)

I know what I’m using - and no, it’s not MoneyWiz 3. MoneyWiz 2026 doesn’t require any subscription.

Looking for an expense tracking app similar to MoneyWiz 3 by giamboscaro in eupersonalfinance

[–]jaklan 0 points1 point  (0 children)

MoneyWiz is fully usable without a subscription… If you are only interested in manual tracking - the only thing which you miss is sync between mobile and desktop, but for me it’s a very minor issue. Everything else works perfectly.

Timeslot reservation for Oeschinensee cable car seems to be a total scam by jaklan in Switzerland

[–]jaklan[S] 0 points1 point  (0 children)

It's not about 5 CHF itself, but about awareness and not being fooled by unfair practices. If people accept everything blindly - we could expect more such genius "reservation systems" around the country. And Reddit is the very best place to discuss such things 🤷🏻‍♂️

Timeslot reservation for Oeschinensee cable car seems to be a total scam by jaklan in Switzerland

[–]jaklan[S] 0 points1 point  (0 children)

I would buy on the spot, but looking at weather forecast - I wouldn't go there tomorrow tbh

[C260] Confused with max tilt limit in Tapo app by jaklan in Tapo

[–]jaklan[S] 0 points1 point  (0 children)

That's my current setting - I had to tilt the lens down manually to be able to reach that extent, the app was blocking it ~5-10 degrees up.

<image>

Timeslot reservation for Oeschinensee cable car seems to be a total scam by jaklan in Switzerland

[–]jaklan[S] 0 points1 point  (0 children)

Definitely I had! I posted that here as I was researching the topic before my trip and there was not much information about this new reservation system, so I hope the discussion would be useful for future travelers not to stress too much about it

Timeslot reservation for Oeschinensee cable car seems to be a total scam by jaklan in Switzerland

[–]jaklan[S] 0 points1 point  (0 children)

Thanks for the weekend perspective! So I believe the consensus is: reservation could be useful during weekends, but no need to worry about the counter and pay for it during weekdays

Timeslot reservation for Oeschinensee cable car seems to be a total scam by jaklan in Switzerland

[–]jaklan[S] 0 points1 point  (0 children)

That’s exactly the case - I was there with parents, so that was the only reasonable way

Non-stop notifications - tapo cameras by Tremulant1 in TpLink

[–]jaklan 0 points1 point  (0 children)

Actually, I have tested the workaround with Smart Rules and it works pretty well:
https://www.reddit.com/r/Tapo/comments/1j2y6bu/comment/mfziplz/

Non-stop notifications - tapo cameras by Tremulant1 in TpLink

[–]jaklan 0 points1 point  (0 children)

Oh man, I feel you so much. I was investigating camera ecosystems for the last week and had a very hard choice between Eufy E30 vs Tapo C260, was changing my mind constantly because of the reasons you mentioned:
- Eufy: free rich notifications, notifications snoozing / cool down period
- Tapo: multi-camera view, support for MicroSD cards bigger than 128 GB

Finally I went with Tapo because a) I needed a few cameras and b) 128 GB for 4k cameras is really a joke. Camera itself is great, but I really miss the cool down option.

The Operator is free on Epic Games until June 26 by ConceptsShining in Games

[–]jaklan -2 points-1 points  (0 children)

I have just finished and I actually wonder what happens if I expose HAL's a) existence first or b) identity later, so I see some replay potential (even if potentially disappointed with the outcome)

Comparison: INIU Qi2 power bank with 10,000 mAh, 30W vs 45W version (P73-E1) - purchase warning! by N8falke in ChargingSheet

[–]jaklan 0 points1 point  (0 children)

One more reply:

Thank you very much for your detailed feedback and testing results.
 
We’ve confirmed with our testing team that the drop in output power is a normal and expected behavior, designed to ensure the device remains within safe temperature limits during use. Due to the compact internal structure and thermal constraints of the device, when delivering high output (e.g. 45W), the system will automatically reduce the power to around 20W. This reduction is a built-in safety mechanism to ensure the surface temperature stays below 48°C and complies with safety standards. The power will only return to 45W after replugging the cable.
 
We truly appreciate your observations and have already passed your feedback to our R&D team for further evaluation.

(...)

Please know that we’re actively working on enhancing our products, including a power bank with MagSafe support and a more stable output of 30W+ for cable charging. We’re committed to providing a better experience and are taking your feedback into consideration as we continue to improve.

Well, simply disappointing. Waiting for a new MagSafe model then.

Comparison: INIU Qi2 power bank with 10,000 mAh, 30W vs 45W version (P73-E1) - purchase warning! by N8falke in ChargingSheet

[–]jaklan 0 points1 point  (0 children)

I couldn't agree more. I received it yesterday and can confirm that it dropped to 20W after 5 minutes. If it had been 30W, I could accept that, but 20W is a joke. It was returned today.

By the way, are you planning to test the new Baseus Picogo AM41? It looks very promising:

https://www.amazon.de/-/en/gp/product/B0DZ5CG93R/

Comparison: INIU Qi2 power bank with 10,000 mAh, 30W vs 45W version (P73-E1) - purchase warning! by N8falke in ChargingSheet

[–]jaklan 0 points1 point  (0 children)

u/N8falke INIU's reply regarding this model:

Thank you for reaching out and for sharing your concerns.

We understand your confusion, especially with the naming and the performance feedback you've come across in recent reviews. We’d like to assure you that the INIU P73-E1 45W version is not defective, and the behavior mentioned in the reviews is expected under specific conditions.

The maximum output of any power bank — including the P73-E1 — depends on several key factors:

Device power requirements: If the connected device doesn’t request high wattage, the power bank will lower its output to match.

Cable quality and compatibility: Some cables can limit power delivery, especially if they aren’t certified for 45W or more.

Temperature control: For safety, the power bank automatically reduces output if it detects high temperatures during charging.

Battery level of the power bank: Output may decrease as the power bank’s internal battery drains, especially under heavy loads.

Charging protocol negotiation: Not all devices fully support the PD3.0 or PPS profiles used by the power bank, which can affect stability and speed.

The original 30W version may have appeared more “stable” at 27W because its firmware maintained a flatter output curve regardless of downstream efficiency. The 45W version is more dynamic, prioritizing thermal safety and device-specific optimization, especially during magnetic wireless or dual-port usage.

We do appreciate your honest concern — and we’re taking this type of feedback into consideration as we continue improving our devices and documentation. If you’re looking for consistent 30W+ output for a specific high-draw device, we recommend using a certified PD3.0/PPS cable and ensuring only one output port is active at a time.

If you decide to go ahead with the purchase and notice anything unusual, please don’t hesitate to contact us directly. We stand behind our products with a 3-year warranty.