Passwords have problems, but passkeys have more
(world.hey.com)
from exu@feditown.com to technology@lemmy.world on 16 Oct 2024 06:58
https://feditown.com/post/744772
from exu@feditown.com to technology@lemmy.world on 16 Oct 2024 06:58
https://feditown.com/post/744772
threaded - newest
There was a related news recently, that bitwarden and other pw managers will be able to sync passkeys between devices. Won’t that solve these issues?
My thoughts exactly. I use Bitwarden and passkeys sync flawlessly between my devices. Password managers tied to a a device or ecosystem are stupid and people shouldn’t use them. This is true whether you use passwords or passkeys.
That said, we cannot blame users for bad UX that some platforms and some devs provide.
Bitwarden is not usable on Linux desktop, keeps asking for password. The password can’t be too short, so it takes some time to type it in. I turn off my computer when it’s not needed, so I would just need to type in the password when I turn it on again.
Anyone have a better solution?
You could use your
to unlock the app instead of the password
The fingerprint doesn’t work on Linux last time I tried
I think its a recent addition (08/2024) on Linux.
A better solution is to disable vault lock. It is very much usable (mostly talking about browser extension).
Is “keeps asking for the password” the definition of “unusable on Linux”?
I have zero issue using this on Linux fwiw; yes, I am asked for password again on BW when I reboot/start my system. That is not inconvenient to me.
Yes, because it doesn’t have biometric support on Linux
Isn’t your password manager tied to an ecosystem with Bitwarden ?
I’m surprised people trust third parties to hold their passwords.
Wasn’t there multiple password managers that got powned over the years ?
If you can sync Passwords you are also more exposed than some unhandy secure local password storage.
Pretty much only LastPass
I can use bitwarden on Windows, Linux, Mac, iOS, Android, on desktop app or using CLI. That’s a stark difference in comparison with built in Microsoft or Apple keychains. And yes, I trust Bitwarden.
Not in all situations. And in a way a user will not be aware of. The service or website can define what type of passkey is allowed (based in attestation). You may not be able to acutally use your “movable” keys because someone else decided so. You will not notice this until you actually face such a service. And when that happens, you can be sure that the average user will not understand what ia going on. Not all passkeys are equal, but that fact is hidden from the user.
I remain hopeful. Initially, when Keypass wanted to include a simple export option there was talk of banning them from using Passkeys.
It does*.
However when I’m trying to login with a passkey in my mobile browser, Bitwarden prompt isn’t showing up. I don’t know what’s wrong.
That’s weird, it works for me. Is there something you need to click on the mobile site?
What’s your browser-Bitwarden setup?
The same flow works for me on desktop (firefox+bw plugin).
If you’re using Android it’s more than likely just an OS issue. I have had a lot of issues on my phone trying to use passkeys let alone just the password manager.
One of many reasons I hate android. In my experience the integration with technology: late and poorly polished, early and kneecapped, initially available then removed, or non-existent.
I think its partly the fragmentation in the Android community and mostly Google’s influence.
I’ve found on my android phone that the bitwarden prompt comes up more reliably if I tap on the password field instead of the username field.
This might be true, but I’m talking about passkeys, that never work :(
Agreed, in its current state I wouldn‘t teach someone less technically inclined to solely rely on passkeys saved by the default platform if you plan on using different devices, it just leads to trouble.
Using a password manager is still the solution. Pick one where your passkeys can be safed and most of the authors problems are solved.
The only thing that remains is how to log in if you are not on a device you own (and don’t have the password manager). The author mentions it: the QR code approach for cross device sign in. I don’t think it’s cumbersome, i think it’s actually a great and foolproof way to sign in. I have yet to find a website which implements it though (Edit: Might be my specific setup‘s fault).
QR codes are good 50% of the time; when you’re trying to log in on a pc.
The reverse case is extremely annoying
Could you elaborate? I am assuming that everbody would have the password manager on their mobile phone with them, which is used to scan the qr code. I think that’s a reasonable assumption.
I agree that if you wanted the pc to act as the authenticator (device that has the passkey) it wouldn’t work with qr codes. But is that a usecase that happens at all for average people? Does anyone login to a mobile device that you don’t own, and you only have your pc nearby and not your own mobile phone?
I’m thinking of phone recovery, where you’re trying to get all your stuff back on a new device.
With a password manager, simply logging in will get you there and until passkeys can be synced automatically just like passwords this will need to be handled somehow.
I hope I am not misunderstanding you. What you are worried about is passkeys in the password manager not syncing to new devices? They are though, with password managers that support passkeys like Bitwarden, ProtonPass, 1Password etc…
Currently using it on Bitwarden, if I log in to a new device, the passkeys are there.
You understood correctly. Seems like I missed some news on the syncing front.
people will pick the corporate options that are shoved on their faces, not the sensible open source user-respecting ones.
vendor lockin will happen if we adopt passkeys as they are right now.
Bitwarden just announced a consortium with Apple, Google, 1Password, etc to create a secure import/export format for credentials; spurred by the need for passkeys to be portable between password managers (but also works for passwords/other credential types)
I’m definitely holding off on passkeys until that project is finished. I also don’t want vendor lock in and while that seems like the solution, it seems like they just started working on it.
Import export is not the same as interoperability
The interoperability already exists in the protocol webauthn, part of FIDO2 which has been around for almost a decade. Interoperability is not remotely an issue with passkeys. Imported/export is/was and also already has a solution in the works.
So I can use the same passkey from say, bitwarden and windows hello? Why do you even need import export then?
Yes you can use a passkey set up on any given service to authenticate to a service that supports passkeys. You’d need import/export to move a given passkey from bitwarden to Windows.
It could be your browser / system that is struggling to show it. When I use my work computer and Microsoft edge, I don’t think I’ve ever had a situation where the QR code didn’t work. When I use flatpak’d Firefox on my Linux laptop, I experience more trouble, probably because of the sandboxing.
According to the device support page i should be ok, but yeah there might be something weird going on.
I thought passkeys were supposed to be a hardware device?
This is typical embrace/extend/extinguish behavior from the large platforms that don’t want their web-SSO hegemony challenged because it would mean less data collection and less vendor lock-in.
The whole idea of passkeys provided by an online platform should have been ruled out by the specification. It completely defeats the purpose of passkeys which is that the user has everything they need to authenticate themself.
Did you just admit to not even knowing what a passkey is and then decide to continue to write another two paragraphs passing judgement on them and the motives behind them anyway?
If you think that I’m misunderstanding something and arguing from a false premise then please feel free to engage with the discussion.
I don’t think that, you said that. It’s the very first sentence of your comment. You literally said that you misunderstood them to be hardware keys.
And yes, everything else you said is demonstrably false as well. The FIDO alliance and even specifically the companies within it that are pushing Passkeys the most, are advocating for them to be cross platform without any lock in. 1Password is one of the companies pushing for passkeys, they’re even behind the passkeys.directory and allow you to securely import and export passkeys so you aren’t locked in. They also made recent changes to the spec itself to make moving and owning passkeys easier. And that’s not even to mention the fact that Passkeys are just key pair, which don’t require any platform or technology to implement that isn’t built into your device.
Did you read the article?
Yes, the author is also suffering from the same misconceptions and doesn’t really understand passkeys beyond the surface level, so he doesn’t know that the problems he has with them don’t exist.
He then goes on to reason that because passkeys might result in an awkward experience in exactly one extremely niche scenario, that you’re better off using passwords in a password manager that are less secure. He then proceeds to suggest the use of email as a second factor as an alternative, which destroys every shred of credibility he had. He also completely misses the fact that putting your passkeys in that very same password manager he himself is suggesting, solves the complaints that form over half of his entire argument. It’s super ironic too because the specific password manager that he’s recommending in his own article is a member of the FIDO Alliance and is literally one of the world’s biggest advocates for passkeys.
For me, I’d prefer that everyone just adds biometric authentication techniques. A couple websites do this already and it’s great. Many devices have biometrics built in already and if this was widespread I’d certainly have no problem buying a fingerprint reader for my desktop computer.
That’s literally a passkey.
Question - what do you do when the site is hacked and your biometrics are compromised? Issue new ones?
The password still works.
You don’t have interchangeable fingerprints? Keep up with the times /s
You do realize that your biometric authentication techniques don’t actually send your biometrics (e.g. fingerprint/face) to the website you’re using and that you are actually just registering your device and storing a private key? Your biometrics are used to authenticate with your local device and unlock a locally-stored private key.
That private key is essentially what passkeys are doing, storing a private key either in a password manager or locally on device backed by some security hardware (e.g. TPM, secure enclave, hardware-backed keystore).
Sure I knew that. I just didn’t know if that was a “passkey” or some other private key mechanism.
His “just use email” like that isn’t very obviously worse in every respect kind of undermines his whole premise.
His whole premise is undermined by him not doing any research on the topic before deciding to write a blog post. Proton passkeys for instance, are cross platform, and the ability to transfer passkeys between devices is one of the features being worked on by the other providers.
Yeah… Why are articles like this being upvoted… I expected better from lemmy
This is the “Technology” community which isn’t for people who are actually tech-savvy in any functional way, it’s just for gadget-head laymen.
It’s 260-40 atm. That sort of ratio is a very easy sign that there’s something wrong and I often don’t bother reading the article if the ratio is that high.
Proton passkeys are stored in a password manager, which he specifically calls out.
If you have a password managed and know how to use it, you’re already a lot less susceptible to the problem that passkeys are trying to solve.
Personally, I think passkeys are great for tech-savvy users, but I wouldn’t dream of recommending them to non tech-savvy people. Password managers are still used by the minority, that needs to be fixed before passkeys are useful.
It’s because he has an email company he wants you to use for $100 a year lol
Why not just passkeys with a “magic link” fallback though?
This is the same as forgotten password so ytf not
thats close to what i have been fucking saying and getting hate for.
so im glad someone has written it on a damn blog to legitimize it?
I always thought of passkeys as a convenient way to authenticate.
I am password-less on multiple services.
I have an authentication app on my phone that authenticate me when I am away of my computers. I have passkeys on my personal computer and another set of passkeys on my work laptop.
If I have to authenticate from your computer I simply use my auth app, click on “it’s a public computer” and I am good to go.
The dude discovered a butter knife and he tries to replace his spoon with it just to realize it doesn’t work well for eating a soup.
Do you add separate keys on every device?
If you do, how long does it take you to add a new device?
For example, when you login on Github, go in your settings, authentication & security on the left.
Click “add passkey”, enter your Windows Hello PIN, click save.
It will ask you to enter a name, so I go with ComputerName-GitHub
Click ok.
Done with this device.
How long does it take? Well, how fast can you do these steps?
This does not scale. I have 400 logins in my Bitwarden account right now.
Ok
I wish all sites using 2FA would just support hardware keys instead of authenticator apps. It’s so much easier to login to a site by just plugging in my hardware key and tapping its button, than going to my authenticator app and typing over some code within a certain time.
It’s even sinpler than email 2fa or sms 2fa or vendor app 2fa.
For authenticator app you also can’t easily add more devices unless you share the database which is bad for security. For hardware security key you can just add the key as an additional 2fa, if the site allows it.
Agreed, my main issues with hardware keys are that so few sites support them, and the OS support is kinda bad like in Windows the window pops up underneath everything and sometimes requires a pin entered.
I also hate that when I last looked nobody made a key that supports USB-C, USB-A, and NFC. So now I’ve got an awkward adapter I need to carry on my keychain.
Yeah it’s truly a shame almost no site other than google and github support hardware security keys.
For your case you would probably want a yubikey 5c and then a usb c to usb a adapter yeah. I wish for a usb a and c and nfc as well.
I’ve got one each of the USB-C and USB-A versions. The USB-A is actually the one that lives on my keychain as the connector is more robust against debris and I was able to find an adapter that is on a lanyard.
Passkeys are only good if they aren’t in a online password manager. They are better than TOTP 2FA in terms of security and phishing resistance. I see 2FA as a last resort when someone even gets into my password manager. Storing passkeys completely makes this useless, as I’m sure anyone that can log into my accounts would’ve done so by getting a hold of my unencrypted password manager database. Unless android provides a real offline way of storing passkeys in the device, I am not interested alot.
Actual zero knowledge encrypted password managers with 2FA?
Keepass?
Or Bitwarden (supposedly)
Bitwarden is an online password manager and no I don’t consider self hosting it offline.
A sufficiently strong password and additional TOTP should protect you well enough.
Yeah I didn’t understand passkeys. I’m like why is my browser asking to store them? What if I’m using another browser? Why is my password manager fighting with my browser on where to store this passkey?
I felt so uneasy.
So I decided not to use passkeys for now until I understood what’s going on.
Passkeys are unique cert pairs for each site. The site gets the public key, you keep the private to login under your account. The site never stores your private key.
To store them simply, turn off your browsers password/passkey storage. Store them in your password manager along with other sites passwords.
Sounds similar to the SSL stuff, like for GitHub and stuff. I guess the preference in that case would be my password manager as it stores my password already.
Perhaps it’s best I pay for Bitwarden premium now and use those hardware keys people are recommending.
Also thanks!
Because its the same shit. passkeys are essentially passwordless ssh certificates. we’ve had functional MFA for ssh literally since its inception.
The answer to all of these questions is “For the exact same reason they do all these same things with passwords”
Think of a passkey as a very, very complex password that is stored on your device (or in a password manager) that you can use to log into websites with without ever having to know what the password is, and it’s never stored on the site you’re logging into, even in a hashed format, so it literally can’t be exposed in a breach.
It’s the exact same technology you use to connect securely to every website you visit, except used in reverse.
.
All the major password managers store passkeys now. I have every passkey I’ve been able to make stored in Bitwarden, and they’re accessible on all my devices.
Article is behind the times, and this dude was wrong to “rip out” passkeys as an option.
That’s a typical DHH article, essentially. He has some interesting insights, but everything else is borderline cult-leader opinions, and some people follow it as gospel
I feel like if DHH hadn’t picked Ruby on Rails it and standalone Ruby would be much more popular today.
If a password manager stores passkeys, how is that much different than just using a password manager with passwords?
Storing passwords in a password manager is storing a shared secret where you can only control the security on your end and thus is still vulnerable to theft in a breach, negligence on the part of the party you’ve shared it with, phishing, man in the middle potentially, etc.
Storing a passkey in a password manager on the other hand is storing an unshared secret that nobody but you has access to, doesn’t leave your device during use, is highly phishing resistant, can’t be mishandled by the sites you use it to connect to etc.
Can you elaborate a bit more? If I create a passkey on passkeys.io on my Mac, then store the passkey in a password manager like Bitwarden, I can log into that site on my phone. I was kinda under the impression that Bitwarden stored the private key on their servers, so if their site gets hacked, then the attacker has access to my passkey.io account?
Your vault is encrypted on your device before it’s sent to Bitwarden’s servers, so even they don’t have access to your passwords and passkeys.
More info on how it is encrypted is here:
bitwarden.com/help/what-encryption-is-used/
Pretty much every password manager works like this. Having access to your data would be a liability for them.
Bitwarden stores your passkeys on your local device. It can sync the passkey between devices but that’s end to end encrypted, bitwarden never has access to any of your passkeys or even your passwords.
I need to sync my passkeys between all my devices–which really means I need keepass to store the private keys in its DB so I can sync it with all the other keepass-compatible apps I use in various places. Last I looked, this wasn’t solved, but it’s been a minute. I’m certainly not using a centralized password manager unless they all can freely import and export from one another. I understand this is a “being worked on” problem.
So someday, yes.
Isn’t the sync for keepass-compatible apps just syncing a normal file?
Yes, it is. I just need to know that the passkeys are in that file and that all the apps I use to read that file support them.
Whenever I read an article about security (and read the comments, even here on Lemmy) I’m constantly frustrated and depressed by a couple of things.
Corporations making things shittier with the intention of locking customers in to their stupid proprietary ecosystem. And of course, they are always seeking more data harvesting. Security itself is way down the list of their priories, if it’s even there at all.
Users being lazy trend-followers who quickly sacrifice their security on the altar of convenience and whatever shiny new FOMO thing is offered up for “better security”.
It’s a very bad combination. Doing security right is a bit inconvenient (which users hate) and expensive (which corporations hate).
You would be less constantly frustrated and depressed if you learned a little bit about security, instead of getting upset about imagined problems with technology you don’t understand.
I’m not against passkeys. They have some real advantages. And I understand more than you think.
My comment is primarily about the preferred ecosystems that tend to come along with these newer solutions (like Apple’s iCloud or Google’s Password Manager) and how the corporations take advantage of user laziness and bandwagon jumping.
They may not force you to be exclusive with them, but they definitely want you to be. And over time they will likely make it more and more inconvenient not to be locked in with them.
For contrast, I use BitWarden for password management and Bitwarden Authenticator for TOTP (and I keep safe copies of TOTP secret keys elsewhere). This is a generic open-standards-first approach to things, with relatively easy recovery should you lose something. You can export your passwords. You have copies of your secret keys. You are in no way locked in to BitWarden forever.
Passkeys can also work within that type of operational framework! Like TOTP which normally uses RFC6238, Passkeys tend to use CTAP or WebAuthn. All of the above are open standards. And this is a good thing!
But do you really think Apple, Google, Microsoft, etc, want to play nice long term? Hopefully they will. But I have also run into evil nonsense like LastPass, which even though they also used open standards, their software would not allow you to do simple things like recover your own secret keys, export your data, etc. (Not to mention the embarrassing security breach they had and the wretched response, the main reasons to dump them).
While I am not directly comparing an idiot company like GoTo Tech with Apple et al, they all have the same types of big brain MBA types working for them who love to constantly brainstorm new ideas on how to screw the users over by taking features away and calling it a “software upgrade”.
So, passkeys as a security mechanism: sure, this gets my vote. But trusting the big corporations not to change the rules on us later…come on, get real. They love limiting or removing portability and recovery options whenever they can.
Bottom line: don’t assume passkeys are inherently good or bad. It’s simply a security standard that can work well if implemented correctly. Passkeys make logging in easier. But will they also make recovery / export / migration easier…? Because if it’s not easy, people won’t do it.
I am very shitty on security (I would not write this reply on a post on the cybersecurity community), and I resisted MFA for several years as being too annoying having to login to mail/SMS. After finding open source apps supporting TOTP, I feel better about it and I manually do the syncing by just transferring the secrets between my devices offline.
Passkeys are another foreign thing that I think I will get used to eventually, but for now there are too many holes in support, too much vendor lock-in (which was my main distaste for MFA, I didn’t want MS or Google Authenticator), and cumbersome (when email and SMS were the only options for MFA, difficulty of portability for passkeys).
So the problems you have with them are already solved, in the exact same ways they were solved for password/MFA. If you let Apple manage everything for you, it doesn’t matter whether you’re using passwords or passkeys, you’re locked in either way. But you always have the option to manage your passkeys manually (just like you’re doing with your TOTP) or using a third party cross-platform solution that allows for passkey import and export.
I just wish that companies enabling passkeys would still allow password+MFA. There are several sites that, when you enable passkeys, lock you out of MFA for devices that lack a biometric second factor of authentication. I'd love to use passkeys + biometrics otherwise, since I've often felt that the auth problem would be best solved with asymmetric cryptography.
EDIT: I meant to say "would still allow passkeys+MFA." hooray for sleep deprivation lol.
If companies still allowed you to login via password then any benefit you get from Passkeys would be null and void. In order to implement passkeys properly you have to disable password authentication.
The thing is it’s then on you to secure your passkey with biometrics or a password or whatever you prefer. Your phone most likely will use biometrics by default. If you’re on Mac or PC you’ll need to buy a thumbprint scanner or use camera-based window hello / secure enclave
I just don't get why I can't use something like TOTP from my phone or a key fob when logging in with a passkey from my desktop. Why does my second factor have to be an on-device biometrically protected keystore? The sites I'm thinking of currently support TOTP when using passwords, so why can't they support the same thing when using passkeys? I don't want to place all my trust in the security of my keystore. I like that I have to unlock my phone to get a TOTP. Someone would have to compromise my local keystore and my phone, which makes it a better second factor in my opinion.
EDIT: like, at work, I ssh to servers all over the damn place using an ssh key. I have to get to those servers through a jump box that requires me to unlock my phone and provide a biometric second factor before it will allow me through. That's asymmetric cryptography + a second factor of authentication that's still effective even if someone has compromised my machine and has direct access to my private key. That's what I want from passkeys.
That is also the case with passkeys, if you so choose. Though they are functionally similar to your SSH key, they don’t just allow you to utilize the key just by having it loaded onto your device. When you go to use a passkey you need to authenticate your key upon use, and you can do that biometrically. For example let’s say I have a passkey on my phone which is currently unlocked and in use. If somebody runs over and steals the phone from my hand and prevents it from locking, and then attempts to authenticate to a site using my passkey, they won’t be able to.
Right, but I can't require a second factor on a different device that operates outside of my primary device's trust store. I'm sure there is some way to make my desktop hit my phone up directly and ask for fingerprint auth before unlocking the local keystore, but that still depends on the security of my device and my trust store. I don't want the second factor to be totally locked to the device I'm running on. I want the server to say, "oh, cool, here's this passkey. It looks good, but we also need a TOTP from you before you can log in," or "loving the passkey, but I also need you to respond to the push notification we just sent to a different device and prove your identity biometrically over there." I don't want my second factor to be on the same device as my primary factor. I don't know why a passkey (potentially protected by local biometric auth) + a separate server-required second factor (TOTP or push notification to a different device or something) isn't an option.
EDIT: I could make it so a fingerprint would decrypt my SSH key rather than what I have now (i.e. a password). That would effectively be the same number of factors as you're describing for a passkey, and it would not be good enough for my organization's security model, nor would it be good enough for me.
I mean you don’t have to authenticate your passkey with biometrics, you can use a password.
I guess I’m not really picking up on what the benefit is you’re going for. You already have a What You Have and a What You Know or What You Are, and you want a second What You Also Have thrown in there. I mean, I guess having that as an option couldn’t hurt. but I also don’t think it’s really necessary.
Passkeys are already more secure than what you’re doing now. If what you’re aiming for is for them to be even more secure than that, then that’s an admirable goal. But as of right now they are worth it just for the fact that they’re more secure than existing solutions.
Just. Use. A. Fucking. Password. Manager.
It isn’t hard. People act like getting users to remember one password isn’t how it’s done already anyway. At least TFAing a password manager is way fucking easier than hoping every service they log into with “password123” has it’s own TFA. And since nearly every site uses shit TFA like a text or email message, it’s even better since they can use a Yubikey very easily instead.
Passkeys are a solution looking for a problem that hasn’t been solved already, and doing it badly.
Yes, use a password manager to store your passkeys.
You say that and then
That’s literally a problem passkeys solve and password managers don’t lol
I make the assumption people are using the password managers like they should, which is generating unique, complex passwords, which is kinda the point. Once you hit a certain number of characters on a random password, you might as well not try. And passkeys don’t solve any sort of MFA problem, same as passwords.
And tell me something, do you realize how cunty you come off when you end a comment with “lol”?
They do in fact solve this problem. Passkeys are something you have, and are secured by something you know, or something you are.
They also solve an age-old problem with passwords, which is that regardless of how complex your password is, it can be compromised in a breach. Because you have no say in how a company stores your password. And if that company doesn’t offer 2FA or only offers sms or email verification, then you’re even more at risk. This problem doesn’t exist with passkeys.
Edit: lol
Sure, and then that one password is compromised. Password managers make it trivial to use unique passwords for every service, so if a service is breached, you’re basically as screwed with passwords as passkeys.
The switching cost here is high, and the security benefits are marginal in practice IMO. I’m not against passkeys, but it should be something password managers handle, and I don’t have a strong preference between TOTP baked into your PW manager and passkeys.
Which means that entire service you used that password to login to is compromised. If you were using passkeys however, you would have nothing compromised.
No… with a passkey you would be not screwed at all. You’d be entirely unaffected.
I mean in your own example that’s a reduction of 100%. That’s kind of a huge difference.
If the password is compromised, it means the service is compromised and the password isn’t really protecting anything anymore. So to me, there’s no functional difference between passwords and passkeys once a service is compromised, the data is already leaked. If I’m using proper MFA, there’s no rush to reset my PW unless the service has a stupid “backdoor” that can just bypass MFA entirely, in which case passkeys wouldn’t help either (attackers would just use the backdoor).
The main value of passkeys, AFAICT, is that they’re immune to phishing attacks. Other than that, they’re equivalent to TOTP + random password, so a password manager that supports both provides nearly equivalent security to a passkey (assuming the service follows standards like storing salted hashes). And honestly, if you use a solid form of TOTP (i.e. an app, not text or email), password security isn’t nearly as critical since you can make up for it by improving the TOTP vault security.
I honestly haven’t bothered setting up passkeys anywhere, because I don’t see any real security benefit. If a service provides passkeys, it probably already supported decent MFA and random passwords. The services that should upgrade won’t, because they’ve already shown they don’t care about security by not providing decent MFA options.
In short:
The venn diagram of companies that support passkeys and companies that supported/support random passwords + TOTP is essentially a circle, with the former enclosed in the latter. So I don’t really see any rush to “upgrade.”
Not even close. To be honest you’re operating on so many incorrect assumptions and have such a lack of general knowledge of common attack surfaces or even the average scope of modern breaches, that digging you out of this hole would take so much more than what I can fit in a single comment.
So
No… just no. That isn’t how it works. In reality, what commonly happens is metadata around the service is what’s targeted and compromised. So your password, email, and other data like that are what’s stolen. Maybe in plain text, maybe something hashed that a malicious actor can brute force offline without you knowing. If you’re someone using a password in this situation, your password is then used to access your account, and that actor can do any number of things while masquerading as you, potentially entirely undetected. If you’re using a passkey on the other hand, this isn’t even something you need to worry about. They cannot get access to your passkey because the service doesn’t even have it. You are entirely immune. That is something that no amount of Passwords or bolt-ons will fix.
This is the main value of passkeys, they are not shared secrets. Not only is that a huge difference, it’s the single largest paradigm shift possible. The secondary value of passkeys is that they are immune to phishing. This is also huge, as phishing is hands down the most successful way to break into someone’s account, and happens to even the most security conscious people. If a cybersecurity researchers who write books on the topic can be phished, so too can a layman such as yourself. Hand waving away a phishing immune authentication system is unhinged behavior. And it goes to show you’re not even coming from a place of curiosity or even ignorance, but likely misinformation.
In short:
Passwords are almost never stolen, because most orgs follow OWASP best practices and do salting and hashing, as well as lockouts.
The real issue here is reused passwords, since a breach at one of those orgs that don’t follow best practices could be used to gain access to another service with better practices. If you’re using a password manager to generate random passwords for each service, this most common attack method is neutralized. A salted password hash makes brute forcing completely non-viable, so 99.99% of attackers won’t bother, and the only ones left are state-level actors doing targeted attacks (in which case they’d just use a wrench to get your details).
Sure, but if they can access your password in a breach, they can access anything they want to on the service, so they don’t need your login credentials. If the service is following best practices, leaking login creds doesn’t actually help, so they’ll instead sell the PII they collect from the breach (including email and whatnot). Nobody is going to crack every password in a breach, so if an attacker sees argon2, scrypt, or bcrypt with sufficient work factor/cost (and orgs can easily swap this to keep up w/ standards completely transparently).
If the service isn’t following best practices, they’re not going to offer passkeys because they obviously don’t care about security. The services that could really benefit from passkeys won’t use them, and the services that already follow best practices wouldn’t get much benefit from them because their security is already good enough.
Which is also true of hashed passwords. So if you use randomized passwords and the service hashes those passwords, there is no shared secret. If you add a shared secret (TOTP) as a second factor, and that shared secret is verified using some challenge/response mechanism, you’re covering the same ground as passkeys, just with an extra step.
From a security perspective, passkeys generally double-down on the security protections TOTP (and similar) provides. Yes, they’re theoretically better, but in practice, if a service is using TOTP properly (i.e. no fallback to SMS or whatever), you’re just as protected in practice as with passkeys.
I’d much rather see us switch to something like hardware security keys and FIDO U2F than yet another software solution. A hardware solution ensures you actually have a thing, whereas a digital option like passkeys can be duplicated in enough places that there’s no guarantee you actually have that thing. For example, if you sync your passkeys with your desktop and get a virus, an attacker could login as you w/o you knowing, and that cannot happen w/ hardware keys like Yubikey. A passkey, to me, is a lateral step, whereas a hardware key is a clear step forward because it restricts the ways you can be compromised. I recommend having multiple of these (say, one on your keys and another in a safe), and if you lose one, just disable the key and order another.
True, but it’s rarely end customers that get phished successfully, it’s support staff granting access that they shouldn’t, or other forms of social engineering where they get access to credentials that can access data w/o needing to compromised individual accounts (e.g. get a dev token to access prod data). Passkeys don’t help with that type of attack at all.
That said, I was almost compromised with a phishing-style attack. Basically, I got a call from someone claiming to be from the fraud department for my bank, and they asked me to confirm a SMS code. I fell for the first confirmation (was out and about and didn’t read the text carefully), but caught the second (the one where they were adding a new account to transfer money out). If my bank had supported TOTP, this wouldn’t have happened because an agent will never ask for my TOTP code, so I’d only get SMS from an official rep or TOTP if I’m logging in myself. Passkeys could have helped here, but so could TOTP, and honestly getting an org to support TOTP is probably easier than getting them to use passkeys.
I’m not against passkeys, I just think they’re a largely lateral change from TOTP + password manager, and thus don’t feel a need to switch.
To use the “something you have, and something you know” analogy, your PW manager password can be either (ideally “something you know”), and TOTP is
You’re looking at this from the perspective of an educated end user. You’re pretty secure already from some common attack vectors. You’re also in the minority. Passkeys are largely about the health of the entire ecosystem. Not only do they protect against credentials being stolen, they also protect against phishing attacks because identity verification is built in. That is of huge value if you’re administering a site. Yes if everyone used a password manager there would be less value, but only about a third of users do that. And as an admin you can’t just say “well that guy got phished but it’s his own fault for not using a password manager.”
Password managers have only really taken off in the last half-decade, so one-third is kind of to be expected. I know they’ve been around a long time, but major adoption has been recent.
Passkeys will take a while to get wide adoption as well, especially with syncing problems that we’ve seen.
Password managers are never going to hit anywhere near 100% adoption rate. It requires knowledge on the part of the user and in many cases money. No grandma isn’t going to roll her own with keepass. Most likely she’ll never even know what a password manager is. And as long as those users are still out there, admins still have to deal with all the problems they bring.
Incidentally I looked and it’s been over a decade since I started using my first password manager. They’re not that new.
Password managers are too hard for the boomers
I have a sub to dashlane that came with ten additional subs and despite trying to literally give them away to family and friends and you’d think I was trying to pull teeth.
I do think that we need more standard procedures around what a reset/authorize new device looks like in a passkey world. There’s a lot about that process that just seems like it’s up to the implementer. But I don’t think that invalidates passkeys as a whole, and most people are going to have access to their mobile device for 2 factor no matter where they are.
Incidentally I have no idea who this is or whether his opinion should be lent more weight.
I disagree with most of those arguments in the article… Additionally, there is nearly no passkey using service that does require you to still have PW and 2FA login active even if you use passkeys
We are right now in the learning/testing phase. It is not a flip and suddenly only passkey work. Transition to passkey only will be a very long time, like it was for 2FA, like, my girlfriend has it on, only at about 2 services, lol.
The main problem I have is, that people without knowledge get grabbed into walled gardens using passkeys. People with knowledge know that you can use alternative apps for passkeys, like proton or strongbox (keepass).
DHH with a pants-on-head stupid argument just because he hates the big players in tech? Must be a day ending in Y again.
I’m not gonna lie I still don’t understand how passkeys work, or how they’re different from 2fa. I’m just entering a PIN and it’s ok somehow? I don’t get it.
It uses asymmetric cryptography. You sign a login request with the locally stored private key and the service verifies the signature with their stored public key. The PIN on your device is used to unlock access to the private key to sign the login request.
So isn’t the pin now the weakest link and shorter than a password
Typically in most situations where a PIN is used on a modern device, it is not just the number you enter but some kind of hardware backing that is limited to the local device and also does things like rate limiting attempts.
The passkey stored locally in some kind of hardware backed store on your device or in your password manager is the first factor: something you have.
The PIN/password or fingerprint/face to unlock the device and access the stored passkey is the second factor: something you know or something you are, respectively.
Two factors gets you to 2FA.
If you’ve ever used ssh it’s very similar to how ssh keys work. You create a cryptographic key for the site; this is the passkey itself. When you go to “log in” the client and server exchange cryptographic challenges, which also verifies the site’s identity (so you can’t be phished…another site can’t pretend to be your bank, and there are no credentials to steal anyway). Keys are stored locally and are generally access restricted by various methods like PIN, passphrase, security key, OTP, etc. When you’re entering your PIN it’s how the OS has chosen to secure the key storage. But you’ve also already passed one of the security hurdles just by having access to that phone/computer. It is “something you have”.
So one password to access them all basically?
That’s quite a weakness.
If you get my master keepass password, you have all my passwords, too.
As I said to Spotlight7573 yes true, I just hoped for something better.
If you’re paranoid about this, go buy a yubikey and use that to secure your device/access to your passkeys. Being able to secure your own data instead of relying on the admin who may or may not know what they’re doing to secure the server is an advantage of passkeys.
That’s essentially how all password managers work currently though?
True, I hoped for something better :-/
If it makes you feel better, most PINs on modern devices are hardware backed in some way (TPM, secure enclave, etc) and do things like rate limiting. They’ll lock out using a PIN if it’s entered incorrectly too many times.
It’'s really up to the end device (and the user of said device) to decide how much security to put around the local keys. But importantly, it also requires access to the device the passkeys are stored on which is a second factor. And notably many of the implementations of it require biometrics to unlock.
The “one password” thing is also true of password managers, of course. One thing about having one master passphrase is that if you do not have to remember 50 of them, then you can make that passphrase better then you otherwise might, plus it should be unique, which prevents one of the most common attack vectors.
It is 2FA. Just easier to use.
As I understand it (and assuming you know what asymmetric keys are)…
It’s about using public/private key pairs and swapping them in wherever you would use a password. Except, passwords are things users can actually remember in their head, and are short enough to be typed in to a UI. Asymmetric keys are neither of these things, so trying to actually implement passkeys means solving this newly-created problem of “how the hell do users manage them” and the tech world seems to be collectively failing to realize that the benefit isn’t worth the cost. That last bit is subjective opinion, of course, but I’ve yet to see any end-users actually be enthusiastic about passkeys.
If that’s still flying over your head, there’s a direct real-world corollary that you’re probably already familiar with, but I haven’t seen mentioned yet: Chip-enabled Credit Cards. Chip cards still use symmetric cryptography, instead of asymmetric, but the “proper” implementation of passkeys, in my mind, would be basically chip cards. The card keeps your public/private key pair on it, with embedded circuitry that allows it to do encryption with the private key, without ever having to expose it. Of course, the problem would be the same as the problem with chip cards in the US, the one that quite nearly killed the existence of them: everyone that wants to support or use passkeys would then need to have a passkey reader, that you plug into when you want to login somewhere. We could probably make a lot of headway on this by just using USB, but that would make passkey cards more complicated, more expensive, and more prone to being damaged over time. Plus, that doesn’t really help people wanting to login to shit with their phones.
Why does anyone still give a fuck what DHH has to say any more?
Rails is a ghetto has been a thing for over a decade, and the man is basically just a tech contrarian at this point.
Random email auth is some thought leadering for sure.
Whatever way the world is moving, expect DHH to have a different opinion about it.
Passkeys aren’t a full replacement in my opinion, which is what DHH gets wrong. It’s a secure, user-friendly alternative to password+MFA. If the device doesn’t have a passkey set up you revert to password+MFA.
And the fewer times that people are entering their password or email/SMS-based 2FA codes because they’re using passkeys, the less of an opportunity there is to be phished, even if the older authentication methods are still usable on the account.
Passkeys are also weirdly complex for the end user too, you can’t just share passkey between your devices like you can with a password, there’s very little to no documentation about what you do if you lose access to the passkeys too.
You would just sign into your password manager or browser on both devices and have access to them?
Additionally, whatever app or service you’re storing them in can provide sharing features, like how Apple allows you to share them with groups or via AirDrop.
If you lose your password, there are recovery options available on almost all accounts. Nothing about passkeys means the normal account recovery processes no longer apply.
Does it work like that? Everything I see says they’re tied to that device.
Fair, I guess I’ve never lost a password because it’s just a text string in my PW manager, not some auth process that can fail if things don’t work just right.
It depends on what kind you want to use. If you want the most security, you can store them on something like a Yubikey, with it only being on that device and not exportable. If you get a new device, you’ll need to add that new device to your accounts. For less security but more convenience, you can have them stored in a password manager that can be synced to some service (self-hosted or in the cloud) or has a database file that can be copied.
That’s fair. It can be a bit of a mess with different browser, OS, and password manager support and their interactions but it has continued to get better as there is more adoption and development.
I’m excited to see where it is in another year or so, the idea of using public/private keys for logins is neat for sure.
Either you enroll a system that shares them between devices without the need for special interaction (password manager, iCloud etc) or you enroll each device separately into your account.
You can have more than one passkey for a service. This is a good thing.
Gotcha, that makes more sense when explained that way!
I think that passkeys are simple, but no-one explains what they do and don’t do in specific terms.
Someone compared it to generating private/public key pairs on each device you set up, which helps me a bit, but I recently set up a passkey on a new laptop when offered and it seemed to replace the option to use my phone as a passkey for the same site (which had worked), and was asking me to scan a QR code with my phone to set it up again.
So I don’t know what went on behind the scenes there at all.
The passkey on your phone stopped working when you set one up on your laptop? I would expect the site to allow one per device instead of one per account.
It seemed that way, it asked me to scan a QR code on my phone to link it, which didn’t happen before.
Or maybe the option to use my phone was some older auth method, where I’d use the fingerprint reader on the phone to confirm a login on the laptop. I thought that was a passkey, but that doesn’t fit with what I’m reading about what it does now.
Some sites only allow one public key per account…
Which is really stupid of them but technically within spec currently.
The only way I ever used passkeys is with bitwarden, and there you are sharing them between all bitwarden clients.
From my very limited experience, pass key allows to login faster and more reliable compared to letting bitwarden enter passwords and 2fa keys into the forms, but I still have the password and 2fa key stored in bitwarden as a backup in case passkey breaks.
To me, hardware tokens or passkeys are not there to replace passwords, but to offer a faster and more convenient login alternative. I do not want to rely on specific hardware (hardware token, mobile phone, etc.), because those can get stolen or lost.
Interesting, maybe I’ll give it a try. I didn’t know they could just be synced between devices on bitwarden.
+1 for Bitwarden. Seamless experience so far. EBay hasn’t yet worked properly, but GitHub does for sure. It’s very convenient, especially if your browser doesn’t store cookies
Any of the multi-platform password managers that support pass keys will solve this.
You walk into the vault on every platform and your pass keys are magically shared between every platform you’re logged into.
In any system that I’ve used pass keys for (which is every system that supports them), you can go into the password section and delete devices/passkeys.
To regenerate new passkeys they either support it directly in the spot where you deleted it or you log out log back in with username password and 2FA and it asks you again if you want to set up a passkey. I’ve not run into anything else.
I wish FIDO had paid more attention to SQRL. It’s long in the tooth now, but with some attention it could have been a better solution than passkeys, IMO.
This article is FUD from big password.
If we all had big passwords, this may not have been an issue to begin with lol
Probably, but the real problem has been database dumps for a good number of years now. Maybe this thing fixes that?
That is true. That has been, and (for some dumb reason) continues to be, a real problem.
Fuck DHH
FIDO Alliance Publishes New Specifications to Promote User Choice and Enhanced UX for Passkeys
Dunno, we rolled it out without issue. But of course they also had keepass. You want password AND (TOTP token or hardware token)
If you’re using a hardware token to replace passwords, you’re doing 2FA wrong
I have never understood the goal of passkeys. Skipping 2FA seems like a security issue and storing passkeys in my password manager is like storing 2FA keys on it: the whole point is that I should check on 2 devices, and my phone is probably the most secure of them all.
OTP in the password manager Private key pkcs#12 in a contactless smart card plus maybe a pin if I’m feeling fancy
I find phones the least secure devices simply because of how likely they are to be damaged or stolen
More than that. You probably use them in public, where there are tons of cameras. So if you forget you phone in say a restaurant, odds are they have video of you unlocking it.
And let’s not forget all the poorly secured wifi access points people commonly connect to…
I love storing 2FA in the password manager, and I use a separate 2FA to unlock the password manager
I imagine you keep your password manager unlocked, or as not requiring 2FA on trusted devices then? Re entering 2FA each session is annoying
You still have the treat of viruses or similar. If someone gets access on your device while the password manager is unlocked (ex: some trojan on your computer), you’re completely cooked. If anything it makes it worse than not having 2FA at all.
If you can access your password manager without using 2FA on your phone and have the built in phone biometrics to open it like phone pin, finger or face, someone stealing your phone can do some damage. (Well, the same stands for a regular 2FA app, but meh, I just don’t see an improvement)
I went to see HR a month ago and they had a post-it of their password for their password manager. We use passkeys too.
And this was after security training.
😵 some people just don’t care
It’s their job though, not their personal life, so they might care less
If your secrets enter your clipboard, they are no longer secrets
You’re right if I get a virus I’m pretty cooked. Except I think to set 2fa up on the attacker’s device they’d need the phone authenticator to set it up the first time, so hopefully they couldn’t do it unless they used my computer remotely to login to websites.
But the password manager locks after 15 min and you have to put a pin in to unlock and decrypt.
I’m not sure what brute force mechanisms it has against the pin.
Re-entering the 2fa each session is annoying but it’s way better than having to do it on each individual site from my phone.
It feels like the goal is to get you married to one platform, and the big players are happy for that to be them. As someone who’s used Keepass for over a decade, the whole thing seems less flexible than my janky open source setup, and certainly worse than a paid/for profit solution like bitwarden.
That was my take too.
Security training was something you know, and something you have.
You know your password, and you have a device that can receive another way to authorize. So you can lose one and not be compromised.
Passkeys just skip that “something you have”. So you lose your password manager, and they have both?
I think you mean that passkeys potentially skip the something you know. The something you have is the private key for the passkey (however it’s stored, in hardware or in software, etc). Unlocking access to that private key is done on the local device such as through a PIN/password or biometrics and gives you the second factor of something you know or something you are. If you have your password manager vault set to automatically unlock on your device for example, then that skips the something you know part.
It’s not skipping MFA cos some media can provide more than one factor.
E.g. YubiKey 5 (presence of the device) + PIN (knowledge of some credentials) = 2 factors
Or YubiKey Bio (presence of the device) + fingerprint (biological proof of ownership) = 2 factors
And actually unless you use one password manager database for passwords, another one for OTPs, and never unlock them together on the same machine, it’s not MFA but 1FA. Cos if you have them all at one place, you can only provide one factor (knowledge of the manager password, unless you program an FPGA to simulate a write only store or something).
The problem with PassKey is simply that they made it way more complicated.
Anyone who has worked with SSH keys knows how this should work, but instead companies like Google wanted to ensure they had control of the process so they proceeded to make it 50x more complicated and require a network connection. I mean, ok, but I’m not going to do that lmao.
Private keys on an anonymous, untraceable smartcard. PIN or Matching-on-card fingerprint for the second factor Everything else can go directly into the garbage bin
Would love for you to describe exactly how it’s more complicated. From my perspective I click a single button and it’s set up. To log in I get a notification on my device, I click a button and I’m logged in.
they must have meant technically complicated, which is also meaningful in consumer technology.
like if it’s true that it requires an internet connection, that’s quite bad, partly because of yet another avenue for possible tracking, and what if the service you want to access is not on the internet, but the passkey doesn’t work without it still
YOU JUST DID, below
neat.
… on your device tethered to a single app by a single vendor and their closed data store
… and tethered to prevent you from churning.
… wait online to …
… or send it again. Or again. Try again. Maybe mail it?
Yeah. Just click (tap) a button (enter a code).
Using a big-brand MFA setup at one job that requires ‘one button’ and ‘get a notification’ and ‘click a button’, I know you’re glossing over the network issues HEAV-I-LY.
Now do it in airplane mode. Do it when the token organization is offline. Do it when there’s no power because the hurricane hit and there’s no cell, no data, no phones, and your DC is on its last hour of battery and you have to log in because the failover didn’t run.
Do it when your phone fell on its face in the rain into a puddle and it’s not nokia.
Do it when you either have cell service and 5% battery, or 100% battery from inside the DC and no cell service.
Do it when you’re tired, hungry, drunk, lost your glasses in the car accident.
The D in DR means DISASTER. Consider it.
For somebody complaining about making things complicated you certainly complicated the s*** out of a short post.
Storing your passkey in any of the shared password managers solves almost every problem you’ve listed.
With bitwarden and I have offline access to my passkey. I don’t know why the hell you’d need offline access to your pass key because they’re designed to protect online systems, But it could if I wanted it to.
With Bitwarden I can use my phone, or I can use my browser, or any one of four other browsers, or any other computer.
If I need to reset one of my pass keys I reset it in one place and it gets reset everywhere.
“More” is relative, ofc, so YMMV on whether you agree with me or not on this.
But the problem with pass key is that it has all of the downsides of 2FA still – you need to use a mobile device such as a cell phone, that cell phone must be connected to the internet and you often can’t register a single account to multiple devices (as in, there’s only ever 1 device that has passkey authorization.)
This isn’t an issue with ssh keys, which is a superior design despite it not being native to the web browsing experience. SSH keys can be added or removed to an account for any number of devices as long as you have some kind of login access. You can generally use SSH keys on any device regardless of network connection. There’s no security flaws to SSH keys because the public key is all that is held by 3rd parties, and it’s up to the user in question to ensure they keep good control over their keys.
Keys can be assigned to a password and don’t require you to use biometrics as the only authentication system.
I feel like there’s probably more here, but all of this adds up to a more complicated experience IMO. But again, it’s all relative. If you only ever use password + 2fa, I will give them that it’s simpler than this (even though, from the backend side of things, it’s MUCH more complicated from what I hear.)
I’m a fan oh having a little usb key on your keychain, that has a fingerprint scanner
I’m sorry but I seriously do not see any benefits to using passkeys.
I use 24 character passwords in Bitwarden with 2fa on all accounts, how is a passkey better than that?