D-ScratchNinja
Scratcher
1000+ posts

Logging in with Passkeys

Passkeys are a technology that allows your device to securely store keys to sign in and protect them by requiring a PIN, fingerprint, or face. If you want to learn more, you can look it up.

My point is, passkeys are more convenient than passwords. Adding support for passkeys means that interested users can enable it and sign into Scratch from trusted devices without needing to enter their account password. Instead, they just need their device and a PIN, face, or fingerprint.

If this is done right, I think it could really come in handy for kids. No one likes needlessly long and complex passwords.

The main reason to support passkeys on Scratch would be to increase login convenience, since you essentially skip the password. Of course, it'd also benefit security since you don't risk a keylogger picking up your password or being phished for it.

There are some barriers, though. I don't know about other systems, but iOS currently always backs up passkeys to iCloud Keychain, which requires two-factor authentication (after all, why protect 2FA with 1FA?). Unfortunately for young kids, that in turn requires that you be able to receive text messages, and you don't have the option to switch to using security keys until you set that up.

It also seems like you need a little bit of know-how to understand passkeys, as it is currently. If we're trying to make a system where kids can register passkeys on their devices without any prior knowledge, then we'd need to simplify it such that we never rely on saying “passkey”, unless we say something like “this is also known as a passkey”, unless in the future it becomes universally recognized/understood like passwords are.

But these won't matter as much if the option could just be put somewhere in account settings where users can set it up only if they want to.

Another thing to note is that repeatedly using a passkey might make you slowly forget your Scratch password, if that's how you remember it. The good thing is email recovery would still be an option.

It's okay if now is not the time, but I hope this is revisited someday.
MyScratchedAccount
Scratcher
1000+ posts

Mockups

Settings option:


Passkey prompt:

Recovery mode: you can recover your account here if the prompt does not work


The email people get when they click recover with email in account recovery

Last edited by MyScratchedAccount (Aug. 5, 2023 04:53:53)

mumu245
Scratcher
1000+ posts

You should still be able to use passwords. Linux doesn't support passkeys, and most PCs don't have a fingerprint sensor or camera.
D-ScratchNinja
Scratcher
1000+ posts

mumu245 wrote:

You should still be able to use passwords. Linux doesn't support passkeys, and most PCs don't have a fingerprint sensor or camera.
Yes. This isn't a password replacement, at least not right now.

Windows Hello PIN works just as well if your Windows PC doesn't have any biometric sensors.

Last edited by D-ScratchNinja (Aug. 6, 2023 19:12:41)

Zydrolic
Scratcher
1000+ posts

This only gets told to you once and wouldn't be plastered in your face, correct?
If so, I support. I don't want this to be required, as people would find this a bit breaching.
For some reason I have a hunch they wouldn't be able to do this, not just because of budget.
PaperMarioFan2022
Scratcher
1000+ posts

Zydrolic wrote:

This only gets told to you once and wouldn't be plastered in your face, correct?
I believe not. Google’s doesn’t plaster it right in your face.
ajskateboarder
Scratcher
1000+ posts

I don't think there is any way to access biometric devices (anything involving auth from hardware) in JavaScript

Never mind, WebAuthn exists (demo)

Last edited by ajskateboarder (Aug. 6, 2023 23:46:33)

mumu245
Scratcher
1000+ posts

D-ScratchNinja wrote:

Windows Hello PIN works just as well if your Windows PC doesn't have any biometric sensors.
I think I mentioned Linux in the post. Linux doesn't have PINs, image unlock, face unlock, fingerprint, instant unlock, swipe to unlock or anything, because on Linux passwords are mandatory.

Last edited by mumu245 (Aug. 7, 2023 06:18:41)

the2gingerman
Scratcher
78 posts

bump (I know that this topic is over a year old, but it's still relevant)

I say that this is a good suggestion as it allows an alternative to password sign-in for trusted devices.

If the device is stolen, you could say not to trust the device anymore.

Plus, you'd need to authenticate with your PIN (which is basically just a more secure password (Windows)), biometric, or security key. It's still secure. Just more convenient.

dollar2022
Scratcher
68 posts

This suggestion could mean hackers could lock somebody's Scratch account by using passkeys.

Last edited by dollar2022 (Jan. 19, 2025 17:01:38)

BigNate469
Scratcher
1000+ posts

dollar2022 wrote:

This suggestion could mean hackers could lock somebody's Scratch account by using passkeys.
No, it doesn't. It means that some form of biometric identification would be used to sign into your Scratch account.

Anyways, I object to using a PIN to log into your Scratch account, as they tend to be significantly shorter than a password. Assuming a 4-digit PIN (which is not uncommon for Windows PCs), it would take a computer a maximum of about 16 minutes to brute-force an account, at most, because of server-side rate limiting (and if it's verified on-device, a few seconds at most).
D-ScratchNinja
Scratcher
1000+ posts

BigNate469 wrote:

I object to using a PIN to log into your Scratch account, as they tend to be significantly shorter than a password. Assuming a 4-digit PIN (which is not uncommon for Windows PCs), it would take a computer a maximum of about 16 minutes to brute-force an account, at most, because of server-side rate limiting (and if it's verified on-device, a few seconds at most).
You have limited attempts to guess a Windows Hello PIN before it locks you out, right?
va04042013
Scratcher
100+ posts

D-ScratchNinja wrote:

Passkeys are a technology that allows your device to securely store keys to sign in and protect them by requiring a PIN, fingerprint, or face. If you want to learn more, you can look it up.

My point is, passkeys are more convenient than passwords. Adding support for passkeys means that interested users can enable it and sign into Scratch from trusted devices without needing to enter their account password. Instead, they just need their device and a PIN, face, or fingerprint.

If this is done right, I think it could really come in handy for kids. No one likes needlessly long and complex passwords.

The main reason to support passkeys on Scratch would be to increase login convenience, since you essentially skip the password. Of course, it'd also benefit security since you don't risk a keylogger picking up your password or being phished for it.

There are some barriers, though. I don't know about other systems, but iOS currently always backs up passkeys to iCloud Keychain, which requires two-factor authentication (after all, why protect 2FA with 1FA?). Unfortunately for young kids, that in turn requires that you be able to receive text messages, and you don't have the option to switch to using security keys until you set that up.

It also seems like you need a little bit of know-how to understand passkeys, as it is currently. If we're trying to make a system where kids can register passkeys on their devices without any prior knowledge, then we'd need to simplify it such that we never rely on saying “passkey”, unless we say something like “this is also known as a passkey”, unless in the future it becomes universally recognized/understood like passwords are.

But these won't matter as much if the option could just be put somewhere in account settings where users can set it up only if they want to.

Another thing to note is that repeatedly using a passkey might make you slowly forget your Scratch password, if that's how you remember it. The good thing is email recovery would still be an option.

It's okay if now is not the time, but I hope this is revisited someday.

That already exists.
michaeljackson1365
Scratcher
1000+ posts

I mean, passkeys using a fingerprint only works on mobile devices such as phones or tablets.
BigNate469
Scratcher
1000+ posts

va04042013 wrote:

D-ScratchNinja wrote:

snip

That already exists.
No, not on Scratch, at least.

michaeljackson1365 wrote:

I mean, passkeys using a fingerprint only works on mobile devices such as phones or tablets.
That's also not true: there are some newer computers that have touch identification technologies built into their power button.

D-ScratchNinja wrote:

BigNate469 wrote:

snip
You have limited attempts to guess a Windows Hello PIN before it locks you out, right?
And then it asks you to type something like “ABC123” before you can continue. If it just made you wait 5 minutes it would be better…
the2gingerman
Scratcher
78 posts

dollar2022 wrote:

(#10)
This suggestion could mean hackers could lock somebody's Scratch account by using passkeys.

Like how many other services that support this work, it would be a sign-in OPTION. It wouldn't replace passwords.
BigNate469
Scratcher
1000+ posts

ajskateboarder wrote:

I don't think there is any way to access biometric devices (anything involving auth from hardware) in JavaScript

Never mind, WebAuthn exists (demo)
However, no browser fully supports it in a stable release. See https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API#browser_compatibility

Although that looks like it will change within the next few years.

It also has the drawback that different devices and OSes have different capabilities. For example, on a Chromebook, that's no more or less secure than a “Sign in with Google” button, because that's the only form of identification that Chromebooks have.
