20-01-2025 3:09 PM
Does anyone know why eBay is so keen to get users to sign in using a PIN? Surely a short watchword using only numbers is vastly easier to brute force than a longer password composed from a larger character set? Is there any advantage to anyone except those who want to compromise our accounts?
20-01-2025 4:19 PM
It sounds like you have a passkey set up; you can manage/delete them here.
Passkeys are device-specific and are tied to the device's own unlock method. Even if someone else had your passkey, as they're not using the device the passkey is tied to, they wouldn't be able to log in as you. The first time you log into your eBay account on a new device that supports passkeys you will be asked if you want to use a passkey to sign in. This can be the PIN you set up on the device or the biometric unlock method if the device supports fingerprint, Face ID, etc.
20-01-2025 10:48 PM
Before using a device-specific passkey as your only means to sign in (to any account, not just eBay), please make sure you first understand the meaning of the phrase 'Single Point of Failure' and understand the full implications of that should you lose or damage your device 😉
21-01-2025 12:39 PM - edited 21-01-2025 12:40 PM
@fotherbale wrote: Before using a device-specific passkey as your only means to sign in (to any account, not just eBay), please make sure you first understand the meaning of the phrase 'Single Point of Failure' and understand the full implications of that should you lose or damage your device 😉
A passkey is not a single point of failure as it is device-specific; it is not account-specific. If you lose or break the device with the passkey set up, you can buy a new device, log in to your online accounts as normal using the usual password/2FA combination and, after the first login, configure the current device's passkey as a means to log in.
As above, once you log in to your accounts (on the new device) you can delete your old passkey(s). The main reason for using a passkey instead of the account's usual password is that it prevents phishing, which is the number one way people get their accounts hacked. If you're not entering your password there's zero chance of giving it away inadvertently.
23-01-2025 9:20 PM - edited 23-01-2025 9:23 PM
@4_bathrooms wrote: ...If you lose or break the device with the passkey set up you can buy a new device, log in to your online accounts as normal using the usual password/2FA combination...
If you still have a conventional login with password available (even with multi-factor authentication), your account is still open to being breached either via interception of the password (which is what a passkey actually prevents), via phishing or (more importantly) via a security breach of the company/organisation you have an account with (and never a week goes by without at least one major breach of a company or organisation being reported - and usually including names and passwords).
Using a passkey will prevent interception or stealing of the key because only the public part of the key is transmitted, whilst the private part remains on the device and is not shared - it also overcomes the rather stupid attitude of a great many people to use simple words as passwords (which are easily broken) or using the same password across multiple sites (and frankly, people who are that stupid probably deserve to have their account stolen!)
A Passkey will therefore only offer its full guarantee of security if it is used as the only means of logging in to an account, hence my reference to 'a single point of failure', because it is not possible to back up a Passkey as you would be able to do for a password and contact details for MFA. Therefore if you lose the device or it becomes irreparably inoperative, you lose the key.
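The post above describes the mechanism in words: the server only ever receives the public half of the key, the private half stays on the device, and what is sent over the wire is a signature rather than a reusable secret. The following is an added toy model of that challenge-response (written for this thread, not eBay's or any passkey library's code, and simplified relative to real WebAuthn). It also shows the origin binding that the earlier reply relies on for phishing resistance: the device refuses to sign for a look-alike site. The origin strings and challenge values are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator is the device side: the private key never leaves it, and the credential is bound to one origin.
type Authenticator struct {
	priv   *ecdsa.PrivateKey
	origin string
}

// Server is the relying party (the website): after registration it holds only the public key.
type Server struct {
	origin string
	pub    *ecdsa.PublicKey
}

// Register generates the key pair on the device and hands the server the public half only.
func Register(origin string) (*Authenticator, *Server) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv, origin: origin}, &Server{origin: origin, pub: &priv.PublicKey}
}

// signedMessage binds the server's fresh per-login challenge to the origin, so an assertion for one site is useless to another.
func signedMessage(challenge []byte, origin string) []byte {
	h := sha256.Sum256(append(append([]byte{}, challenge...), origin...))
	return h[:]
}

// Sign runs on the device and refuses when the page asking is not the registered origin (the look-alike phishing case).
func (a *Authenticator) Sign(challenge []byte, requestingOrigin string) ([]byte, bool) {
	if requestingOrigin != a.origin {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(challenge, a.origin))
	return sig, err == nil
}

// Verify checks the assertion with the stored public key; a copy of that key alone cannot produce a valid one.
func (s *Server) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(s.pub, signedMessage(challenge, s.origin), sig)
}
```

Because the server stores only the public key, a dump of its database gives an attacker nothing they can sign with, and because each login signs a fresh challenge, a captured assertion cannot be replayed.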
24-01-2025 1:10 PM
@fotherbale wrote:A Passkey will therefore only offer its full guarantee of security if it is used as the only means of logging in to an account
eBay doesn't use a passkey as the only means of logging in. As far as I am aware neither does any major online service nor app provider. Even my mobile banking app from a major high street bank can't be configured to use a passkey as the only means of logging in.
@fotherbale wrote:
it is not possible to back up a Passkey as you would be able to do for a password and contact details for MFA. Therefore if you lose the device or it becomes irreparably inoperative, you lose the key.
Google, Apple, Microsoft and all the major Linux distributions employ passkey syncing to the cloud, meaning a user's private keys are sync'd across their trusted devices. This removes the single point of failure that a single-device passkey with no alternative login method would cause. Virtually everyone logging in to eBay or any other online service is going to be doing so from a PC/laptop running Windows or Linux, an Apple device or an Android-based device.
In short, there's no reason for anyone not to use passkeys when logging in to their online accounts. It should actually be encouraged as it removes all future risk of being phished, which is the number one way people's accounts get hacked.
26-01-2025 1:44 PM
Thanks for the answers. eBay should probably explain the rationale on the same page they urge people to convert.
01-02-2025 5:05 PM
eBay doesn't use a passkey as the only means of logging in
Google, Apple, Microsoft and all the major Linux distributions employ passkey syncing to the cloud meaning a user's private keys are sync'd across their trusted devices. This removes the single point of failure that a single-device passkey with no alternative log in method would cause. V
If there is still conventional password access, that pretty much negates the reason for using a passkey. The weaknesses and risk from phishing and website breaches still exist.
A passkey sync'd across several devices simply provides more opportunities for the passkey to be hijacked - and don't delude yourself that they are 100% secure, because they are not. Passkeys are currently of less risk than passwords and MFA, but that is because passwords are easier to breach and currently more commonly used (and all too frequently weak or the same password used across many websites). If passkeys become universally adopted, you will find that the criminals will turn their attention to them, and they will find ways of cracking them.
If it is stored in 'the cloud' (i.e. on someone else's server, over which you have no control), they are at even greater risk.