- cross-posted to:
- technology@lemmy.ml
- technology@beehaw.org
- cross-posted to:
- technology@lemmy.ml
- technology@beehaw.org
You must log in or register to comment.
The problem with PassKey is simply that they made it way more complicated.
Anyone who has worked with SSH keys knows how this should work, but instead companies like Google wanted to ensure they had control of the process so they proceeded to make it 50x more complicated and require a network connection. I mean, ok, but I’m not going to do that lmao.
Would love for you to describe exactly how it’s more complicated. From my perspective I click a single button and it’s set up. To log in I get a notification on my device, I click a button and I’m logged in.
they must have meant technically complicated, which is also meaningful in consumer technology.
like if it’s true that it requires an internet connection, that’s quite bad, partly because of yet another avenue for possible tracking, and what if the service you want to access is not on the internet, but the passkey doesn’t work without it stillWould love for you to describe exactly how it’s more complicated.
YOU JUST DID, below
From my perspective
neat.
I click a single button
… on your device tethered to a single app by a single vendor and their closed data store
and it’s set up.
… and tethered to prevent you from churning.
To log in I
… wait online to …
get a notification on my device,
… or send it again. Or again. Try again. Maybe mail it?
I click a button and I’m logged in.
Yeah. Just click (tap) a button (enter a code).
Using a big-brand MFA setup at one job that requires ‘one button’ and ‘get a notification’ and ‘click a button’, I know you’re glossing over the network issues HEAV-I-LY.
Now do it in airplane mode. Do it when the token organization is offline. Do it when there’s no power because the hurricane hit and there’s no cell, no data, no phones, and your DC is on its last hour of battery and you have to log in because the failover didn’t run.
Do it when your phone fell on its face in the rain into a puddle and it’s not nokia.
Do it when you either have cell service and 5% battery, or 100% battery from inside the DC and no cell service.
Do it when you’re tired, hungry, drunk, lost your glasses in the car accident.
The D in DR means DISASTER. Consider it.
For somebody complaining about making things complicated you certainly complicated the s*** out of a short post.
Storing your passkey in any of the shared password managers solves almost every problem you’ve listed.
With bitwarden and I have offline access to my passkey. I don’t know why the hell you’d need offline access to your pass key because they’re designed to protect online systems, But it could if I wanted it to.
With Bitwarden I can use my phone, or I can use my browser, or any one of four other browsers, or any other computer.
If I need to reset one of my pass keys I reset it in one place and it gets reset everywhere.
Private keys on an anonymous, untraceable smartcard. PIN or Matching-on-card fingerprint for the second factor Everything else can go directly into the garbage bin
I have never understood the goal of passkeys. Skipping 2FA seems like a security issue and storing passkeys in my password manager is like storing 2FA keys on it: the whole point is that I should check on 2 devices, and my phone is probably the most secure of them all.
That was my take too.
Security training was something you know, and something you have.
You know your password, and you have a device that can receive another way to authorize. So you can lose one and not be compromised.
Passkeys just skip that “something you have”. So you lose your password manager, and they have both?
I think you mean that passkeys potentially skip the something you know. The something you have is the private key for the passkey (however it’s stored, in hardware or in software, etc). Unlocking access to that private key is done on the local device such as through a PIN/password or biometrics and gives you the second factor of something you know or something you are. If you have your password manager vault set to automatically unlock on your device for example, then that skips the something you know part.
I find phones the least secure devices simply because of how likely they are to be damaged or stolen
More than that. You probably use them in public, where there are tons of cameras. So if you forget you phone in say a restaurant, odds are they have video of you unlocking it.
And let’s not forget all the poorly secured wifi access points people commonly connect to…
I love storing 2FA in the password manager, and I use a separate 2FA to unlock the password manager
I imagine you keep your password manager unlocked, or as not requiring 2FA on trusted devices then? Re entering 2FA each session is annoying
You still have the treat of viruses or similar. If someone gets access on your device while the password manager is unlocked (ex: some trojan on your computer), you’re completely cooked. If anything it makes it worse than not having 2FA at all.
If you can access your password manager without using 2FA on your phone and have the built in phone biometrics to open it like phone pin, finger or face, someone stealing your phone can do some damage. (Well, the same stands for a regular 2FA app, but meh, I just don’t see an improvement)
I went to see HR a month ago and they had a post-it of their password for their password manager. We use passkeys too.
And this was after security training.
If your secrets enter your clipboard, they are no longer secrets
It’s not skipping MFA cos some media can provide more than one factor.
E.g. YubiKey 5 (presence of the device) + PIN (knowledge of some credentials) = 2 factors
Or YubiKey Bio (presence of the device) + fingerprint (biological proof of ownership) = 2 factors
And actually unless you use one password manager database for passwords, another one for OTPs, and never unlock them together on the same machine, it’s not MFA but 1FA. Cos if you have them all at one place, you can only provide one factor (knowledge of the manager password, unless you program an FPGA to simulate a write only store or something).
It feels like the goal is to get you married to one platform, and the big players are happy for that to be them. As someone who’s used Keepass for over a decade, the whole thing seems less flexible than my janky open source setup, and certainly worse than a paid/for profit solution like bitwarden.
OTP in the password manager Private key pkcs#12 in a contactless smart card plus maybe a pin if I’m feeling fancy
Yeah I didn’t understand passkeys. I’m like why is my browser asking to store them? What if I’m using another browser? Why is my password manager fighting with my browser on where to store this passkey?
I felt so uneasy.
So I decided not to use passkeys for now until I understood what’s going on.
Passkeys are unique cert pairs for each site. The site gets the public key, you keep the private to login under your account. The site never stores your private key.
To store them simply, turn off your browsers password/passkey storage. Store them in your password manager along with other sites passwords.
Sounds similar to the SSL stuff, like for GitHub and stuff. I guess the preference in that case would be my password manager as it stores my password already.
Perhaps it’s best I pay for Bitwarden premium now and use those hardware keys people are recommending.
Also thanks!
Because its the same shit. passkeys are essentially passwordless ssh certificates. we’ve had functional MFA for ssh literally since its inception.
I’m like why is my browser asking to store them? What if I’m using another browser? Why is my password manager fighting with my browser on where to store this passkey?
The answer to all of these questions is “For the exact same reason they do all these same things with passwords”
Think of a passkey as a very, very complex password that is stored on your device (or in a password manager) that you can use to log into websites with without ever having to know what the password is, and it’s never stored on the site you’re logging into, even in a hashed format, so it literally can’t be exposed in a breach.
It’s the exact same technology you use to connect securely to every website you visit, except used in reverse.
But that’s the problem isn’t it? You have no idea what the value is, your browser on your laptop or phone you are going to lose/eeplace/reset does. Password managers are still not well understood or used by the masses and browsers stepping in here is a recipe for disaster
With chrome and Firefox maybe the user is syncing them with a profile. But that profile is also probably using a passkey on that very browser. A regular user is going to walk face first into this.
The problem with passkeys is that they’re essentially a halfway house to a password manager, but tied to a specific platform in ways that aren’t obvious to a user at all, and liable to easily leave them unable to access of their accounts.
Agreed, in its current state I wouldn‘t teach someone less technically inclined to solely rely on passkeys saved by the default platform if you plan on using different devices, it just leads to trouble.
If you’re going to teach someone how to deal with all of this, and all the potential pitfalls that might lock them out of your service, you almost might as well teach them how to use a cross-platform password manager
Using a password manager is still the solution. Pick one where your passkeys can be safed and most of the authors problems are solved.
The only thing that remains is how to log in if you are not on a device you own (and don’t have the password manager). The author mentions it: the QR code approach for cross device sign in. I don’t think it’s cumbersome, i think it’s actually a great and foolproof way to sign in. I have yet to find a website which implements it though (Edit: Might be my specific setup‘s fault).
people will pick the corporate options that are shoved on their faces, not the sensible open source user-respecting ones.
vendor lockin will happen if we adopt passkeys as they are right now.
Bitwarden just announced a consortium with Apple, Google, 1Password, etc to create a secure import/export format for credentials; spurred by the need for passkeys to be portable between password managers (but also works for passwords/other credential types)
I’m definitely holding off on passkeys until that project is finished. I also don’t want vendor lock in and while that seems like the solution, it seems like they just started working on it.
Import export is not the same as interoperability
The interoperability already exists in the protocol webauthn, part of FIDO2 which has been around for almost a decade. Interoperability is not remotely an issue with passkeys. Imported/export is/was and also already has a solution in the works.
So I can use the same passkey from say, bitwarden and windows hello? Why do you even need import export then?
Yes you can use a passkey set up on any given service to authenticate to a service that supports passkeys. You’d need import/export to move a given passkey from bitwarden to Windows.
QR codes are good 50% of the time; when you’re trying to log in on a pc.
The reverse case is extremely annoyingCould you elaborate? I am assuming that everbody would have the password manager on their mobile phone with them, which is used to scan the qr code. I think that’s a reasonable assumption.
I agree that if you wanted the pc to act as the authenticator (device that has the passkey) it wouldn’t work with qr codes. But is that a usecase that happens at all for average people? Does anyone login to a mobile device that you don’t own, and you only have your pc nearby and not your own mobile phone?
I’m thinking of phone recovery, where you’re trying to get all your stuff back on a new device.
With a password manager, simply logging in will get you there and until passkeys can be synced automatically just like passwords this will need to be handled somehow.I hope I am not misunderstanding you. What you are worried about is passkeys in the password manager not syncing to new devices? They are though, with password managers that support passkeys like Bitwarden, ProtonPass, 1Password etc…
Currently using it on Bitwarden, if I log in to a new device, the passkeys are there.
You understood correctly. Seems like I missed some news on the syncing front.
It could be your browser / system that is struggling to show it. When I use my work computer and Microsoft edge, I don’t think I’ve ever had a situation where the QR code didn’t work. When I use flatpak’d Firefox on my Linux laptop, I experience more trouble, probably because of the sandboxing.
According to the device support page i should be ok, but yeah there might be something weird going on.
I wish FIDO had paid more attention to SQRL. It’s long in the tooth now, but with some attention it could have been a better solution than passkeys, IMO.
His “just use email” like that isn’t very obviously worse in every respect kind of undermines his whole premise.
His whole premise is undermined by him not doing any research on the topic before deciding to write a blog post. Proton passkeys for instance, are cross platform, and the ability to transfer passkeys between devices is one of the features being worked on by the other providers.
Yeah… Why are articles like this being upvoted… I expected better from lemmy
It’s 260-40 atm. That sort of ratio is a very easy sign that there’s something wrong and I often don’t bother reading the article if the ratio is that high.
This is the “Technology” community which isn’t for people who are actually tech-savvy in any functional way, it’s just for gadget-head laymen.
It’s because he has an email company he wants you to use for $100 a year lol
If you’re using a hardware token to replace passwords, you’re doing 2FA wrong
Dunno, we rolled it out without issue. But of course they also had keepass. You want password AND (TOTP token or hardware token)
All the major password managers store passkeys now. I have every passkey I’ve been able to make stored in Bitwarden, and they’re accessible on all my devices.
Article is behind the times, and this dude was wrong to “rip out” passkeys as an option.
That’s a typical DHH article, essentially. He has some interesting insights, but everything else is borderline cult-leader opinions, and some people follow it as gospel
I feel like if DHH hadn’t picked Ruby on Rails it and standalone Ruby would be much more popular today.
If a password manager stores passkeys, how is that much different than just using a password manager with passwords?
Storing passwords in a password manager is storing a shared secret where you can only control the security on your end and thus is still vulnerable to theft in a breach, negligence on the part of the party you’ve shared it with, phishing, man in the middle potentially, etc.
Storing a passkey in a password manager on the other hand is storing an unshared secret that nobody but you has access to, doesn’t leave your device during use, is highly phishing resistant, can’t be mishandled by the sites you use it to connect to etc.
Can you elaborate a bit more? If I create a passkey on https://passkeys.io on my Mac, then store the passkey in a password manager like Bitwarden, I can log into that site on my phone. I was kinda under the impression that Bitwarden stored the private key on their servers, so if their site gets hacked, then the attacker has access to my passkey.io account?
Your vault is encrypted on your device before it’s sent to Bitwarden’s servers, so even they don’t have access to your passwords and passkeys.
More info on how it is encrypted is here:
https://bitwarden.com/help/what-encryption-is-used/
Pretty much every password manager works like this. Having access to your data would be a liability for them.
Bitwarden stores your passkeys on your local device. It can sync the passkey between devices but that’s end to end encrypted, bitwarden never has access to any of your passkeys or even your passwords.
I need to sync my passkeys between all my devices–which really means I need keepass to store the private keys in its DB so I can sync it with all the other keepass-compatible apps I use in various places. Last I looked, this wasn’t solved, but it’s been a minute. I’m certainly not using a centralized password manager unless they all can freely import and export from one another. I understand this is a “being worked on” problem.
So someday, yes.
Isn’t the sync for keepass-compatible apps just syncing a normal file?
Yes, it is. I just need to know that the passkeys are in that file and that all the apps I use to read that file support them.
I just wish that companies enabling passkeys would still allow password+MFA. There are several sites that, when you enable passkeys, lock you out of MFA for devices that lack a biometric second factor of authentication. I’d love to use passkeys + biometrics otherwise, since I’ve often felt that the auth problem would be best solved with asymmetric cryptography.
EDIT: I meant to say “would still allow passkeys+MFA.” hooray for sleep deprivation lol.
If companies still allowed you to login via password then any benefit you get from Passkeys would be null and void. In order to implement passkeys properly you have to disable password authentication.
The thing is it’s then on you to secure your passkey with biometrics or a password or whatever you prefer. Your phone most likely will use biometrics by default. If you’re on Mac or PC you’ll need to buy a thumbprint scanner or use camera-based window hello / secure enclave
I just don’t get why I can’t use something like TOTP from my phone or a key fob when logging in with a passkey from my desktop. Why does my second factor have to be an on-device biometrically protected keystore? The sites I’m thinking of currently support TOTP when using passwords, so why can’t they support the same thing when using passkeys? I don’t want to place all my trust in the security of my keystore. I like that I have to unlock my phone to get a TOTP. Someone would have to compromise my local keystore and my phone, which makes it a better second factor in my opinion.
EDIT: like, at work, I ssh to servers all over the damn place using an ssh key. I have to get to those servers through a jump box that requires me to unlock my phone and provide a biometric second factor before it will allow me through. That’s asymmetric cryptography + a second factor of authentication that’s still effective even if someone has compromised my machine and has direct access to my private key. That’s what I want from passkeys.
I have to get to those servers through a jump box that requires me to unlock my phone and provide a biometric second factor before it will allow me through.
That is also the case with passkeys, if you so choose. Though they are functionally similar to your SSH key, they don’t just allow you to utilize the key just by having it loaded onto your device. When you go to use a passkey you need to authenticate your key upon use, and you can do that biometrically. For example let’s say I have a passkey on my phone which is currently unlocked and in use. If somebody runs over and steals the phone from my hand and prevents it from locking, and then attempts to authenticate to a site using my passkey, they won’t be able to.
Right, but I can’t require a second factor on a different device that operates outside of my primary device’s trust store. I’m sure there is some way to make my desktop hit my phone up directly and ask for fingerprint auth before unlocking the local keystore, but that still depends on the security of my device and my trust store. I don’t want the second factor to be totally locked to the device I’m running on. I want the server to say, “oh, cool, here’s this passkey. It looks good, but we also need a TOTP from you before you can log in,” or “loving the passkey, but I also need you to respond to the push notification we just sent to a different device and prove your identity biometrically over there.” I don’t want my second factor to be on the same device as my primary factor. I don’t know why a passkey (potentially protected by local biometric auth) + a separate server-required second factor (TOTP or push notification to a different device or something) isn’t an option.
EDIT: I could make it so a fingerprint would decrypt my SSH key rather than what I have now (i.e. a password). That would effectively be the same number of factors as you’re describing for a passkey, and it would not be good enough for my organization’s security model, nor would it be good enough for me.
I mean you don’t have to authenticate your passkey with biometrics, you can use a password.
I guess I’m not really picking up on what the benefit is you’re going for. You already have a What You Have and a What You Know or What You Are, and you want a second What You Also Have thrown in there. I mean, I guess having that as an option couldn’t hurt. but I also don’t think it’s really necessary.
Passkeys are already more secure than what you’re doing now. If what you’re aiming for is for them to be even more secure than that, then that’s an admirable goal. But as of right now they are worth it just for the fact that they’re more secure than existing solutions.
I am very shitty on security (I would not write this reply on a post on the cybersecurity community), and I resisted MFA for several years as being too annoying having to login to mail/SMS. After finding open source apps supporting TOTP, I feel better about it and I manually do the syncing by just transferring the secrets between my devices offline.
Passkeys are another foreign thing that I think I will get used to eventually, but for now there are too many holes in support, too much vendor lock-in (which was my main distaste for MFA, I didn’t want MS or Google Authenticator), and cumbersome (when email and SMS were the only options for MFA, difficulty of portability for passkeys).
So the problems you have with them are already solved, in the exact same ways they were solved for password/MFA. If you let Apple manage everything for you, it doesn’t matter whether you’re using passwords or passkeys, you’re locked in either way. But you always have the option to manage your passkeys manually (just like you’re doing with your TOTP) or using a third party cross-platform solution that allows for passkey import and export.
There was a related news recently, that bitwarden and other pw managers will be able to sync passkeys between devices. Won’t that solve these issues?
My thoughts exactly. I use Bitwarden and passkeys sync flawlessly between my devices. Password managers tied to a a device or ecosystem are stupid and people shouldn’t use them. This is true whether you use passwords or passkeys.
That said, we cannot blame users for bad UX that some platforms and some devs provide.
Isn’t your password manager tied to an ecosystem with Bitwarden ?
I’m surprised people trust third parties to hold their passwords.
Wasn’t there multiple password managers that got powned over the years ?
If you can sync Passwords you are also more exposed than some unhandy secure local password storage.
Wasn’t there multiple password managers that got powned over the years ?
Pretty much only LastPass
I can use bitwarden on Windows, Linux, Mac, iOS, Android, on desktop app or using CLI. That’s a stark difference in comparison with built in Microsoft or Apple keychains. And yes, I trust Bitwarden.
Bitwarden is not usable on Linux desktop, keeps asking for password. The password can’t be too short, so it takes some time to type it in. I turn off my computer when it’s not needed, so I would just need to type in the password when I turn it on again.
Anyone have a better solution?
Is “keeps asking for the password” the definition of “unusable on Linux”?
I have zero issue using this on Linux fwiw; yes, I am asked for password again on BW when I reboot/start my system. That is not inconvenient to me.
Yes, because it doesn’t have biometric support on Linux
The fingerprint doesn’t work on Linux last time I tried
I think its a recent addition (08/2024) on Linux.
Add support for biometric unlock on Linux
A better solution is to disable vault lock. It is very much usable (mostly talking about browser extension).
Not in all situations. And in a way a user will not be aware of. The service or website can define what type of passkey is allowed (based in attestation). You may not be able to acutally use your “movable” keys because someone else decided so. You will not notice this until you actually face such a service. And when that happens, you can be sure that the average user will not understand what ia going on. Not all passkeys are equal, but that fact is hidden from the user.
I remain hopeful. Initially, when Keypass wanted to include a simple export option there was talk of banning them from using Passkeys.
It does*.
However when I’m trying to login with a passkey in my mobile browser, Bitwarden prompt isn’t showing up. I don’t know what’s wrong.
If you’re using Android it’s more than likely just an OS issue. I have had a lot of issues on my phone trying to use passkeys let alone just the password manager.
One of many reasons I hate android. In my experience the integration with technology: late and poorly polished, early and kneecapped, initially available then removed, or non-existent.
I think its partly the fragmentation in the Android community and mostly Google’s influence.
That’s weird, it works for me. Is there something you need to click on the mobile site?
What’s your browser-Bitwarden setup?
The same flow works for me on desktop (firefox+bw plugin).
I’ve found on my android phone that the bitwarden prompt comes up more reliably if I tap on the password field instead of the username field.
This might be true, but I’m talking about passkeys, that never work :(
I do think that we need more standard procedures around what a reset/authorize new device looks like in a passkey world. There’s a lot about that process that just seems like it’s up to the implementer. But I don’t think that invalidates passkeys as a whole, and most people are going to have access to their mobile device for 2 factor no matter where they are.
Incidentally I have no idea who this is or whether his opinion should be lent more weight.
Passkeys are only good if they aren’t in a online password manager. They are better than TOTP 2FA in terms of security and phishing resistance. I see 2FA as a last resort when someone even gets into my password manager. Storing passkeys completely makes this useless, as I’m sure anyone that can log into my accounts would’ve done so by getting a hold of my unencrypted password manager database. Unless android provides a real offline way of storing passkeys in the device, I am not interested alot.
Actual zero knowledge encrypted password managers with 2FA?
Keepass?
Or Bitwarden (supposedly)
Bitwarden is an online password manager and no I don’t consider self hosting it offline.
A sufficiently strong password and additional TOTP should protect you well enough.
