Passkey? (email account)

[Mark Kaine]

So I just bought some stuff from a rather expensive clothing brand , used guest checkout which I generally prefer, but I always have this issue the seller will then use the paypal email address which I barely ever use (and I'm frankly surprised it still exists, I made it like decades ago lol) so anyway, due to new phone I couldn't login to check, which I usually don't do but since it's a rather high amount (almost 1000 bucks) I wanted to confirm, also to check if I still have the password (I didn't!) so I did the whole shebang of "forgot password" and then it asked me to make a keypass or not now... thought hey maybe that's a good idea and used keypass... everything worked fine... But now I have the problem I don't have a password anymore??? So if I switch phones or change my number I can't sign in...?

 

That was always the good thing about passwords, even if you can't access your device at least you can still get your emails (I would have remembered the password or remade it - in fact I remembered it 20 seconds later anyway!)

 

So I'm just curious... can I still make a password...? Is this key shebang saved in my google account...? (it's not gmail but a google phone, obviously)

 

How does this work if I lose the device or it randomly doesn't take my fingerprint, etc?

[Eigenvektor]

Do you mean a passkey? You should still be able to sign in with a username and password as a fallback option.

 

A passkey is a private key stored on a specific device, which should make sign in from that device faster and more secure. But as with every other piece of critical information, you want backups and fallback options. Meaning you should have things like a working recovery email or phone number, multiple devices with passkeys on them, or some other option or device to sign in

 

If you lose a device and that device is the only one with a working passkey or the only device able to work as a second factor, yeah you're screwed

[Mark Kaine]

40 minutes ago, Eigenvektor said:

Do you mean a passkey? You should still be able to sign in with a username and password as a fallback option.

 

A passkey is a private key stored on a specific device, which should make sign in from that device faster and more secure. But as with every other piece of critical information, you want backups and fallback options. Meaning you should have things like a working recovery email or phone number, multiple devices with passkeys on them etc, or some other option or device to sign in

Yeah it's passkey I guess... I only saw that the icon kinda looked like it's from google... which seemed a bit weird because it's a Samsung browser and that *should* have my passwords saved... (but that didn't even show up)

So yeah and my other Samsung browser has it now saved in my google account... lol...

 

40 minutes ago, Eigenvektor said:

If you lose a device and that device is the only one with a working passkey or the only device able to work as a second factor, yeah you're screwed

Idk, shouldn't it be saved im my google account, like just make a new "passkey" I'm already identified by logging into my google account? plus I could always request a new "password" from email provider as long I have my phone number... so simply losing the phone shouldn't screw me over, but idk...

 

I was just thinking it would be great to have this for all (most) accounts, just login with your fingerprint!  For example Firefox doesn't even give me that option, only option is to save passwords in plain sight, aka everyone with access to my phone can log in! NOT SECURE AT ALL

 

And as said, it should work, it did on my Samsung phone (Samsung pass) and it did on this phone a few times (Sony) but now it seems Samsung pass doesn't even exist anymore, even though I'm logged into my Samsung account... 

 

Ie. A "unified" solution that's secure and works everywhere would be great (google also tends to forget passwords randomly) so maybe passkey is it, ie. As long you need your fingerprint or pin it should be good.

 

(as said the problem with that is fingerprints aren't stored online, allegedly, and pins can change, so it's not perfect I guess)

 

 

PS: basically the ONLY real risk is someone spoofing your phone number...if it works like I think it does (tied to google account and not just the device, because if it's device only that's actually a security risk... yikes)

[OddOod]

8 hours ago, Mark Kaine said:

the paypal email address which I barely ever use (and I'm frankly surprised it still exists, I made it like decades ago lol)

Have you considered changing the email acct associated with the paypal account?

[TetraSky]

13 minutes ago, OddOod said:

Have you considered changing the email acct associated with the paypal account?

This right here.

If you don't want to use that old email, just... change it in the account settings.

[Mark Kaine]

1 hour ago, TetraSky said:

This right here.

If you don't want to use that old email, just... change it in the account settings.

Well I WANT to use it... all I ever get is emails from paypal.

I was just wondering how this passkey stuff works, not sure why I should change my mail after 20+ years...

[NinJake]

12 hours ago, Mark Kaine said:

PS: basically the ONLY real risk is someone spoofing your phone number...if it works like I think it does (tied to google account and not just the device, because if it's device only that's actually a security risk... yikes)

Unless your only form of 2 factor is a cell number, then spoofing your phone number (moreso, hijacking the phone number via simswap or other methods) would be a security risk. 

 

If you utilize any other forms of 2 factor such as a physical security key or authenticator (that should also be locked down with it's own 2 factor), you'd be fine. 

 

I may also be misunderstanding what you mean and personally I still haven't changed over any of my accounts to passkeys yet.

[TetraSky]

4 hours ago, Mark Kaine said:

Well I WANT to use it... all I ever get is emails from paypal.

I was just wondering how this passkey stuff works, not sure why I should change my mail after 20+ years...

Well I was more so thinking about this particular quote of yours

13 hours ago, Mark Kaine said:

I always have this issue the seller will then use the paypal email address which I barely ever use (and I'm frankly surprised it still exists, I made it like decades ago lol

Figured it meant you had a different email that you normally use and that the paypal email was an oldie that you don't use and keep forgetting to change. To me it sounded like you were complaining that the seller uses that email. Hence suggesting you change the email to one you actually use. 

But hey, if whatever system you got going works for you, great.

[OddOod]

On 10/3/2025 at 3:06 PM, NinJake said:

Unless your only form of 2 factor is a cell number, then spoofing your phone number (moreso, hijacking the phone number via simswap or other methods) would be a security risk. 

In fairness, this is getting more and more difficult to do. Finally. It's 1000% a risk if you're a high value target, but for the general schmo, it's gotten more hard enough that it's not super worth it.