- cross-posted to:
- technology@lemmy.ml
- technology@beehaw.org
- cross-posted to:
- technology@lemmy.ml
- technology@beehaw.org
You must log in or register to comment.
The problem with PassKey is simply that they made it way more complicated.
Anyone who has worked with SSH keys knows how this should work, but instead companies like Google wanted to ensure they had control of the process so they proceeded to make it 50x more complicated and require a network connection. I mean, ok, but I’m not going to do that lmao.
Private keys on an anonymous, untraceable smartcard. PIN or Matching-on-card fingerprint for the second factor Everything else can go directly into the garbage bin
Would love for you to describe exactly how it’s more complicated. From my perspective I click a single button and it’s set up. To log in I get a notification on my device, I click a button and I’m logged in.
Would love for you to describe exactly how it’s more complicated.
YOU JUST DID, below
From my perspective
neat.
I click a single button
… on your device tethered to a single app by a single vendor and their closed data store
and it’s set up.
… and tethered to prevent you from churning.
To log in I
… wait online to …
get a notification on my device,
… or send it again. Or again. Try again. Maybe mail it?
I click a button and I’m logged in.
Yeah. Just click (tap) a button (enter a code).
Using a big-brand MFA setup at one job that requires ‘one button’ and ‘get a notification’ and ‘click a button’, I know you’re glossing over the network issues HEAV-I-LY.
Now do it in airplane mode. Do it when the token organization is offline. Do it when there’s no power because the hurricane hit and there’s no cell, no data, no phones, and your DC is on its last hour of battery and you have to log in because the failover didn’t run.
Do it when your phone fell on its face in the rain into a puddle and it’s not nokia.
Do it when you either have cell service and 5% battery, or 100% battery from inside the DC and no cell service.
Do it when you’re tired, hungry, drunk, lost your glasses in the car accident.
The D in DR means DISASTER. Consider it.
For somebody complaining about making things complicated you certainly complicated the s*** out of a short post.
Storing your passkey in any of the shared password managers solves almost every problem you’ve listed.
With bitwarden and I have offline access to my passkey. I don’t know why the hell you’d need offline access to your pass key because they’re designed to protect online systems, But it could if I wanted it to.
With Bitwarden I can use my phone, or I can use my browser, or any one of four other browsers, or any other computer.
If I need to reset one of my pass keys I reset it in one place and it gets reset everywhere.
Would love for you to describe exactly how it’s more complicated.
“More” is relative, ofc, so YMMV on whether you agree with me or not on this.
But the problem with pass key is that it has all of the downsides of 2FA still – you need to use a mobile device such as a cell phone, that cell phone must be connected to the internet and you often can’t register a single account to multiple devices (as in, there’s only ever 1 device that has passkey authorization.)
This isn’t an issue with ssh keys, which is a superior design despite it not being native to the web browsing experience. SSH keys can be added or removed to an account for any number of devices as long as you have some kind of login access. You can generally use SSH keys on any device regardless of network connection. There’s no security flaws to SSH keys because the public key is all that is held by 3rd parties, and it’s up to the user in question to ensure they keep good control over their keys.
Keys can be assigned to a password and don’t require you to use biometrics as the only authentication system.
I feel like there’s probably more here, but all of this adds up to a more complicated experience IMO. But again, it’s all relative. If you only ever use password + 2fa, I will give them that it’s simpler than this (even though, from the backend side of things, it’s MUCH more complicated from what I hear.)
they must have meant technically complicated, which is also meaningful in consumer technology.
like if it’s true that it requires an internet connection, that’s quite bad, partly because of yet another avenue for possible tracking, and what if the service you want to access is not on the internet, but the passkey doesn’t work without it still
This article is FUD from big password.
If we all had big passwords, this may not have been an issue to begin with lol
Probably, but the real problem has been database dumps for a good number of years now. Maybe this thing fixes that?
That is true. That has been, and (for some dumb reason) continues to be, a real problem.
I have never understood the goal of passkeys. Skipping 2FA seems like a security issue and storing passkeys in my password manager is like storing 2FA keys on it: the whole point is that I should check on 2 devices, and my phone is probably the most secure of them all.
That was my take too.
Security training was something you know, and something you have.
You know your password, and you have a device that can receive another way to authorize. So you can lose one and not be compromised.
Passkeys just skip that “something you have”. So you lose your password manager, and they have both?
I think you mean that passkeys potentially skip the something you know. The something you have is the private key for the passkey (however it’s stored, in hardware or in software, etc). Unlocking access to that private key is done on the local device such as through a PIN/password or biometrics and gives you the second factor of something you know or something you are. If you have your password manager vault set to automatically unlock on your device for example, then that skips the something you know part.
It’s not skipping MFA cos some media can provide more than one factor.
E.g. YubiKey 5 (presence of the device) + PIN (knowledge of some credentials) = 2 factors
Or YubiKey Bio (presence of the device) + fingerprint (biological proof of ownership) = 2 factors
And actually unless you use one password manager database for passwords, another one for OTPs, and never unlock them together on the same machine, it’s not MFA but 1FA. Cos if you have them all at one place, you can only provide one factor (knowledge of the manager password, unless you program an FPGA to simulate a write only store or something).
I love storing 2FA in the password manager, and I use a separate 2FA to unlock the password manager
I imagine you keep your password manager unlocked, or as not requiring 2FA on trusted devices then? Re entering 2FA each session is annoying
You still have the treat of viruses or similar. If someone gets access on your device while the password manager is unlocked (ex: some trojan on your computer), you’re completely cooked. If anything it makes it worse than not having 2FA at all.
If you can access your password manager without using 2FA on your phone and have the built in phone biometrics to open it like phone pin, finger or face, someone stealing your phone can do some damage. (Well, the same stands for a regular 2FA app, but meh, I just don’t see an improvement)
If your secrets enter your clipboard, they are no longer secrets
You’re right if I get a virus I’m pretty cooked. Except I think to set 2fa up on the attacker’s device they’d need the phone authenticator to set it up the first time, so hopefully they couldn’t do it unless they used my computer remotely to login to websites.
But the password manager locks after 15 min and you have to put a pin in to unlock and decrypt.
I’m not sure what brute force mechanisms it has against the pin.
Re-entering the 2fa each session is annoying but it’s way better than having to do it on each individual site from my phone.
I went to see HR a month ago and they had a post-it of their password for their password manager. We use passkeys too.
And this was after security training.
😵 some people just don’t care
It’s their job though, not their personal life, so they might care less
It feels like the goal is to get you married to one platform, and the big players are happy for that to be them. As someone who’s used Keepass for over a decade, the whole thing seems less flexible than my janky open source setup, and certainly worse than a paid/for profit solution like bitwarden.
I find phones the least secure devices simply because of how likely they are to be damaged or stolen
More than that. You probably use them in public, where there are tons of cameras. So if you forget you phone in say a restaurant, odds are they have video of you unlocking it.
And let’s not forget all the poorly secured wifi access points people commonly connect to…
The problem with passkeys is that they’re essentially a halfway house to a password manager, but tied to a specific platform in ways that aren’t obvious to a user at all, and liable to easily leave them unable to access of their accounts.
Agreed, in its current state I wouldn‘t teach someone less technically inclined to solely rely on passkeys saved by the default platform if you plan on using different devices, it just leads to trouble.
If you’re going to teach someone how to deal with all of this, and all the potential pitfalls that might lock them out of your service, you almost might as well teach them how to use a cross-platform password manager
Using a password manager is still the solution. Pick one where your passkeys can be safed and most of the authors problems are solved.
The only thing that remains is how to log in if you are not on a device you own (and don’t have the password manager). The author mentions it: the QR code approach for cross device sign in. I don’t think it’s cumbersome, i think it’s actually a great and foolproof way to sign in. I have yet to find a website which implements it though (Edit: Might be my specific setup‘s fault).
people will pick the corporate options that are shoved on their faces, not the sensible open source user-respecting ones.
vendor lockin will happen if we adopt passkeys as they are right now.
Bitwarden just announced a consortium with Apple, Google, 1Password, etc to create a secure import/export format for credentials; spurred by the need for passkeys to be portable between password managers (but also works for passwords/other credential types)
I’m definitely holding off on passkeys until that project is finished. I also don’t want vendor lock in and while that seems like the solution, it seems like they just started working on it.
QR codes are good 50% of the time; when you’re trying to log in on a pc.
The reverse case is extremely annoyingCould you elaborate? I am assuming that everbody would have the password manager on their mobile phone with them, which is used to scan the qr code. I think that’s a reasonable assumption.
I agree that if you wanted the pc to act as the authenticator (device that has the passkey) it wouldn’t work with qr codes. But is that a usecase that happens at all for average people? Does anyone login to a mobile device that you don’t own, and you only have your pc nearby and not your own mobile phone?
I’m thinking of phone recovery, where you’re trying to get all your stuff back on a new device.
With a password manager, simply logging in will get you there and until passkeys can be synced automatically just like passwords this will need to be handled somehow.I hope I am not misunderstanding you. What you are worried about is passkeys in the password manager not syncing to new devices? They are though, with password managers that support passkeys like Bitwarden, ProtonPass, 1Password etc…
Currently using it on Bitwarden, if I log in to a new device, the passkeys are there.
Yeah I didn’t understand passkeys. I’m like why is my browser asking to store them? What if I’m using another browser? Why is my password manager fighting with my browser on where to store this passkey?
I felt so uneasy.
So I decided not to use passkeys for now until I understood what’s going on.
I’m like why is my browser asking to store them? What if I’m using another browser? Why is my password manager fighting with my browser on where to store this passkey?
The answer to all of these questions is “For the exact same reason they do all these same things with passwords”
Think of a passkey as a very, very complex password that is stored on your device (or in a password manager) that you can use to log into websites with without ever having to know what the password is, and it’s never stored on the site you’re logging into, even in a hashed format, so it literally can’t be exposed in a breach.
It’s the exact same technology you use to connect securely to every website you visit, except used in reverse.
deleted by creator
Passkeys are unique cert pairs for each site. The site gets the public key, you keep the private to login under your account. The site never stores your private key.
To store them simply, turn off your browsers password/passkey storage. Store them in your password manager along with other sites passwords.
Sounds similar to the SSL stuff, like for GitHub and stuff. I guess the preference in that case would be my password manager as it stores my password already.
Perhaps it’s best I pay for Bitwarden premium now and use those hardware keys people are recommending.
Also thanks!
Because its the same shit. passkeys are essentially passwordless ssh certificates. we’ve had functional MFA for ssh literally since its inception.
Passkeys are also weirdly complex for the end user too, you can’t just share passkey between your devices like you can with a password, there’s very little to no documentation about what you do if you lose access to the passkeys too.
I think that passkeys are simple, but no-one explains what they do and don’t do in specific terms.
Someone compared it to generating private/public key pairs on each device you set up, which helps me a bit, but I recently set up a passkey on a new laptop when offered and it seemed to replace the option to use my phone as a passkey for the same site (which had worked), and was asking me to scan a QR code with my phone to set it up again.
So I don’t know what went on behind the scenes there at all.
The only way I ever used passkeys is with bitwarden, and there you are sharing them between all bitwarden clients.
From my very limited experience, pass key allows to login faster and more reliable compared to letting bitwarden enter passwords and 2fa keys into the forms, but I still have the password and 2fa key stored in bitwarden as a backup in case passkey breaks.
To me, hardware tokens or passkeys are not there to replace passwords, but to offer a faster and more convenient login alternative. I do not want to rely on specific hardware (hardware token, mobile phone, etc.), because those can get stolen or lost.
Interesting, maybe I’ll give it a try. I didn’t know they could just be synced between devices on bitwarden.
Any of the multi-platform password managers that support pass keys will solve this.
You walk into the vault on every platform and your pass keys are magically shared between every platform you’re logged into.
In any system that I’ve used pass keys for (which is every system that supports them), you can go into the password section and delete devices/passkeys.
To regenerate new passkeys they either support it directly in the spot where you deleted it or you log out log back in with username password and 2FA and it asks you again if you want to set up a passkey. I’ve not run into anything else.
you can’t just share passkey between your devices like you can with a password
Either you enroll a system that shares them between devices without the need for special interaction (password manager, iCloud etc) or you enroll each device separately into your account.
You can have more than one passkey for a service. This is a good thing.
Gotcha, that makes more sense when explained that way!
His “just use email” like that isn’t very obviously worse in every respect kind of undermines his whole premise.
His whole premise is undermined by him not doing any research on the topic before deciding to write a blog post. Proton passkeys for instance, are cross platform, and the ability to transfer passkeys between devices is one of the features being worked on by the other providers.
Proton passkeys are stored in a password manager, which he specifically calls out.
If you have a password managed and know how to use it, you’re already a lot less susceptible to the problem that passkeys are trying to solve.
Personally, I think passkeys are great for tech-savvy users, but I wouldn’t dream of recommending them to non tech-savvy people. Password managers are still used by the minority, that needs to be fixed before passkeys are useful.
Why does anyone still give a fuck what DHH has to say any more?
Rails is a ghetto has been a thing for over a decade, and the man is basically just a tech contrarian at this point.
I’m sorry but I seriously do not see any benefits to using passkeys.
I use 24 character passwords in Bitwarden with 2fa on all accounts, how is a passkey better than that?
I’m not gonna lie I still don’t understand how passkeys work, or how they’re different from 2fa. I’m just entering a PIN and it’s ok somehow? I don’t get it.
As I understand it (and assuming you know what asymmetric keys are)…
It’s about using public/private key pairs and swapping them in wherever you would use a password. Except, passwords are things users can actually remember in their head, and are short enough to be typed in to a UI. Asymmetric keys are neither of these things, so trying to actually implement passkeys means solving this newly-created problem of “how the hell do users manage them” and the tech world seems to be collectively failing to realize that the benefit isn’t worth the cost. That last bit is subjective opinion, of course, but I’ve yet to see any end-users actually be enthusiastic about passkeys.
If that’s still flying over your head, there’s a direct real-world corollary that you’re probably already familiar with, but I haven’t seen mentioned yet: Chip-enabled Credit Cards. Chip cards still use symmetric cryptography, instead of asymmetric, but the “proper” implementation of passkeys, in my mind, would be basically chip cards. The card keeps your public/private key pair on it, with embedded circuitry that allows it to do encryption with the private key, without ever having to expose it. Of course, the problem would be the same as the problem with chip cards in the US, the one that quite nearly killed the existence of them: everyone that wants to support or use passkeys would then need to have a passkey reader, that you plug into when you want to login somewhere. We could probably make a lot of headway on this by just using USB, but that would make passkey cards more complicated, more expensive, and more prone to being damaged over time. Plus, that doesn’t really help people wanting to login to shit with their phones.
I’m a fan oh having a little usb key on your keychain, that has a fingerprint scanner
All the major password managers store passkeys now. I have every passkey I’ve been able to make stored in Bitwarden, and they’re accessible on all my devices.
Article is behind the times, and this dude was wrong to “rip out” passkeys as an option.
If a password manager stores passkeys, how is that much different than just using a password manager with passwords?
Storing passwords in a password manager is storing a shared secret where you can only control the security on your end and thus is still vulnerable to theft in a breach, negligence on the part of the party you’ve shared it with, phishing, man in the middle potentially, etc.
Storing a passkey in a password manager on the other hand is storing an unshared secret that nobody but you has access to, doesn’t leave your device during use, is highly phishing resistant, can’t be mishandled by the sites you use it to connect to etc.
Can you elaborate a bit more? If I create a passkey on https://passkeys.io on my Mac, then store the passkey in a password manager like Bitwarden, I can log into that site on my phone. I was kinda under the impression that Bitwarden stored the private key on their servers, so if their site gets hacked, then the attacker has access to my passkey.io account?
Your vault is encrypted on your device before it’s sent to Bitwarden’s servers, so even they don’t have access to your passwords and passkeys.
More info on how it is encrypted is here:
https://bitwarden.com/help/what-encryption-is-used/
Pretty much every password manager works like this. Having access to your data would be a liability for them.
Just. Use. A. Fucking. Password. Manager.
It isn’t hard. People act like getting users to remember one password isn’t how it’s done already anyway. At least TFAing a password manager is way fucking easier than hoping every service they log into with “password123” has it’s own TFA. And since nearly every site uses shit TFA like a text or email message, it’s even better since they can use a Yubikey very easily instead.
Passkeys are a solution looking for a problem that hasn’t been solved already, and doing it badly.
Yes, use a password manager to store your passkeys.
Passkeys are a solution looking for a problem that hasn’t been solved already, and doing it badly.
You say that and then
hoping every service they log into with “password123” has it’s own TFA. And since nearly every site uses shit TFA like a text or email message
That’s literally a problem passkeys solve and password managers don’t lol
I make the assumption people are using the password managers like they should, which is generating unique, complex passwords, which is kinda the point. Once you hit a certain number of characters on a random password, you might as well not try. And passkeys don’t solve any sort of MFA problem, same as passwords.
And tell me something, do you realize how cunty you come off when you end a comment with “lol”?
And passkeys don’t solve any sort of MFA problem
They do in fact solve this problem. Passkeys are something you have, and are secured by something you know, or something you are.
They also solve an age-old problem with passwords, which is that regardless of how complex your password is, it can be compromised in a breach. Because you have no say in how a company stores your password. And if that company doesn’t offer 2FA or only offers sms or email verification, then you’re even more at risk. This problem doesn’t exist with passkeys.
Edit: lol
it can be compromised in a breach
Sure, and then that one password is compromised. Password managers make it trivial to use unique passwords for every service, so if a service is breached, you’re basically as screwed with passwords as passkeys.
The switching cost here is high, and the security benefits are marginal in practice IMO. I’m not against passkeys, but it should be something password managers handle, and I don’t have a strong preference between TOTP baked into your PW manager and passkeys.
Sure, and then that one password is compromised.
Which means that entire service you used that password to login to is compromised. If you were using passkeys however, you would have nothing compromised.
so if a service is breached, you’re basically as screwed with passwords as passkeys.
No… with a passkey you would be not screwed at all. You’d be entirely unaffected.
the security benefits are marginal in practice
I mean in your own example that’s a reduction of 100%. That’s kind of a huge difference.
There was a related news recently, that bitwarden and other pw managers will be able to sync passkeys between devices. Won’t that solve these issues?
My thoughts exactly. I use Bitwarden and passkeys sync flawlessly between my devices. Password managers tied to a a device or ecosystem are stupid and people shouldn’t use them. This is true whether you use passwords or passkeys.
That said, we cannot blame users for bad UX that some platforms and some devs provide.
Isn’t your password manager tied to an ecosystem with Bitwarden ?
I’m surprised people trust third parties to hold their passwords.
Wasn’t there multiple password managers that got powned over the years ?
If you can sync Passwords you are also more exposed than some unhandy secure local password storage.
Wasn’t there multiple password managers that got powned over the years ?
Pretty much only LastPass
I can use bitwarden on Windows, Linux, Mac, iOS, Android, on desktop app or using CLI. That’s a stark difference in comparison with built in Microsoft or Apple keychains. And yes, I trust Bitwarden.
Bitwarden is not usable on Linux desktop, keeps asking for password. The password can’t be too short, so it takes some time to type it in. I turn off my computer when it’s not needed, so I would just need to type in the password when I turn it on again.
Anyone have a better solution?
The fingerprint doesn’t work on Linux last time I tried
I think its a recent addition (08/2024) on Linux.
Add support for biometric unlock on Linux
