I have never understood the goal of passkeys. Skipping 2FA seems like a security issue and storing passkeys in my password manager is like storing 2FA keys on it: the whole point is that I should check on 2 devices, and my phone is probably the most secure of them all.
Technology
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
That was my take too.
Security training was something you know, and something you have.
You know your password, and you have a device that can receive another way to authorize. So you can lose one and not be compromised.
Passkeys just skip that "something you have". So you lose your password manager, and they have both?
It feels like the goal is to get you married to one platform, and the big players are happy for that to be them. As someone who's used Keepass for over a decade, the whole thing seems less flexible than my janky open source setup, and certainly worse than a paid/for profit solution like bitwarden.
I find phones the least secure devices simply because of how likely they are to be damaged or stolen
I love storing 2FA in the password manager, and I use a separate 2FA to unlock the password manager
I imagine you keep your password manager unlocked, or as not requiring 2FA on trusted devices then? Re entering 2FA each session is annoying
You still have the treat of viruses or similar. If someone gets access on your device while the password manager is unlocked (ex: some trojan on your computer), you’re completely cooked. If anything it makes it worse than not having 2FA at all.
If you can access your password manager without using 2FA on your phone and have the built in phone biometrics to open it like phone pin, finger or face, someone stealing your phone can do some damage. (Well, the same stands for a regular 2FA app, but meh, I just don’t see an improvement)
I went to see HR a month ago and they had a post-it of their password for their password manager. We use passkeys too.
And this was after security training.
OTP in the password manager Private key pkcs#12 in a contactless smart card plus maybe a pin if I'm feeling fancy
This article is FUD from big password.
If we all had big passwords, this may not have been an issue to begin with lol
Probably, but the real problem has been database dumps for a good number of years now. Maybe this thing fixes that?
Passkeys are also weirdly complex for the end user too, you can't just share passkey between your devices like you can with a password, there's very little to no documentation about what you do if you lose access to the passkeys too.
The only way I ever used passkeys is with bitwarden, and there you are sharing them between all bitwarden clients.
From my very limited experience, pass key allows to login faster and more reliable compared to letting bitwarden enter passwords and 2fa keys into the forms, but I still have the password and 2fa key stored in bitwarden as a backup in case passkey breaks.
To me, hardware tokens or passkeys are not there to replace passwords, but to offer a faster and more convenient login alternative. I do not want to rely on specific hardware (hardware token, mobile phone, etc.), because those can get stolen or lost.
Interesting, maybe I'll give it a try. I didn't know they could just be synced between devices on bitwarden.
I think that passkeys are simple, but no-one explains what they do and don't do in specific terms.
Someone compared it to generating private/public key pairs on each device you set up, which helps me a bit, but I recently set up a passkey on a new laptop when offered and it seemed to replace the option to use my phone as a passkey for the same site (which had worked), and was asking me to scan a QR code with my phone to set it up again.
So I don't know what went on behind the scenes there at all.
The passkey on your phone stopped working when you set one up on your laptop? I would expect the site to allow one per device instead of one per account.
Some sites only allow one public key per account...
It seemed that way, it asked me to scan a QR code on my phone to link it, which didn't happen before.
Or maybe the option to use my phone was some older auth method, where I'd use the fingerprint reader on the phone to confirm a login on the laptop. I thought that was a passkey, but that doesn't fit with what I'm reading about what it does now.
you can't just share passkey between your devices like you can with a password
Either you enroll a system that shares them between devices without the need for special interaction (password manager, iCloud etc) or you enroll each device separately into your account.
You can have more than one passkey for a service. This is a good thing.
Gotcha, that makes more sense when explained that way!
If you're using a hardware token to replace passwords, you're doing 2FA wrong
I wish FIDO had paid more attention to SQRL. It's long in the tooth now, but with some attention it could have been a better solution than passkeys, IMO.
Dunno, we rolled it out without issue. But of course they also had keepass. You want password AND (TOTP token or hardware token)
Why does anyone still give a fuck what DHH has to say any more?
Rails is a ghetto has been a thing for over a decade, and the man is basically just a tech contrarian at this point.
Whatever way the world is moving, expect DHH to have a different opinion about it.
I'm not gonna lie I still don't understand how passkeys work, or how they're different from 2fa. I'm just entering a PIN and it's ok somehow? I don't get it.
It is 2FA. Just easier to use.
It uses asymmetric cryptography. You sign a login request with the locally stored private key and the service verifies the signature with their stored public key. The PIN on your device is used to unlock access to the private key to sign the login request.
The passkey stored locally in some kind of hardware backed store on your device or in your password manager is the first factor: something you have.
The PIN/password or fingerprint/face to unlock the device and access the stored passkey is the second factor: something you know or something you are, respectively.
Two factors gets you to 2FA.
If you've ever used ssh it's very similar to how ssh keys work. You create a cryptographic key for the site; this is the passkey itself. When you go to "log in" the client and server exchange cryptographic challenges, which also verifies the site's identity (so you can't be phished...another site can't pretend to be your bank, and there are no credentials to steal anyway). Keys are stored locally and are generally access restricted by various methods like PIN, passphrase, security key, OTP, etc. When you're entering your PIN it's how the OS has chosen to secure the key storage. But you've also already passed one of the security hurdles just by having access to that phone/computer. It is "something you have".
Yeah I didn't understand passkeys. I'm like why is my browser asking to store them? What if I'm using another browser? Why is my password manager fighting with my browser on where to store this passkey?
I felt so uneasy.
So I decided not to use passkeys for now until I understood what's going on.
Just. Use. A. Fucking. Password. Manager.
It isn't hard. People act like getting users to remember one password isn't how it's done already anyway. At least TFAing a password manager is way fucking easier than hoping every service they log into with "password123" has it's own TFA. And since nearly every site uses shit TFA like a text or email message, it's even better since they can use a Yubikey very easily instead.
Passkeys are a solution looking for a problem that hasn't been solved already, and doing it badly.
Yes, use a password manager to store your passkeys.
Passkeys are a solution looking for a problem that hasn't been solved already, and doing it badly.
You say that and then
hoping every service they log into with "password123" has it's own TFA. And since nearly every site uses shit TFA like a text or email message
That’s literally a problem passkeys solve and password managers don’t lol
I disagree with most of those arguments in the article… Additionally, there is nearly no passkey using service that does require you to still have PW and 2FA login active even if you use passkeys
We are right now in the learning/testing phase. It is not a flip and suddenly only passkey work. Transition to passkey only will be a very long time, like it was for 2FA, like, my girlfriend has it on, only at about 2 services, lol.
The main problem I have is, that people without knowledge get grabbed into walled gardens using passkeys. People with knowledge know that you can use alternative apps for passkeys, like proton or strongbox (keepass).
The problem with passkeys is that they're essentially a halfway house to a password manager, but tied to a specific platform in ways that aren't obvious to a user at all, and liable to easily leave them unable to access of their accounts.
Agreed, in its current state I wouldn‘t teach someone less technically inclined to solely rely on passkeys saved by the default platform if you plan on using different devices, it just leads to trouble.
If you're going to teach someone how to deal with all of this, and all the potential pitfalls that might lock them out of your service, you almost might as well teach them how to use a cross-platform password manager
Using a password manager is still the solution. Pick one where your passkeys can be safed and most of the authors problems are solved.
The only thing that remains is how to log in if you are not on a device you own (and don’t have the password manager). The author mentions it: the QR code approach for cross device sign in. I don’t think it’s cumbersome, i think it’s actually a great and foolproof way to sign in. I have yet to find a website which implements it though (Edit: Might be my specific setup‘s fault).