“Don’t be evil” to whom? Shareholders? ;)

Yeah my point is it does not protect the local device well. It does protect well from remote compromise though.

I bring my yubikey with me, it’s in my keychain. This is not only more secure against phone theft/access, which probably is not very relevant for most people, but it spreads the risk of locking yourself out.

For example, I was in Iceland with my girlfriend and she “lost” her phone. We wanted to locate it, so I logged to Google for her, which asked 2FA. If she used her phone, she would have been toast. Instead I made her use yubikeys too, and she just logged in and found her phone.

Obviously you can lose your hardware tokens too, but it’s generally less likely (you take out your home keys way less than your phone, for example). You can also backup your TOTP on multiple devices etc., of course.

If I’m on my laptop, and the 2fa code shows on that same laptop, it defeats the purpose of it. The point is sortation of security privileges, ask this just adds more work while providing no less security to the device. It does protect you from remote compromise, though.

For Apple, it’s your iCloud account that everything depends on, and it’s the weakest point. Not by itself maybe, but in practice there needs to be a way to reset your iCloud password, even without your phone. Currently I believe that’s just an Apple representative asking life questions, but that information is mostly publicly available. There needs to be a better way.

A physical 2fa device may be just what we need to securely rest our iCloud passwords, keeping everything else more secure

For the accounts that are highly important, you might want to use only keys that are bound to a device like a computer, phone, or hardware security key. This would require a bit of manual management as you swap out devices and hardware keys but for a limited number of important accounts this should be feasible. For all the other general accounts, storing them in a password manager can continue to be the most convenient way to use them. The Google/Apple/Microsoft solutions take this second approach and allow them to be synced across devices.

As for the portability, it’s still relatively early and I don’t think there’s a standardized format to export passkeys into. It’s only a matter of time before things settle down and different password/passkey managers support importing and exporting to at least one format that will work.

syncing passkeys around devices without issue?

they are syncing, but under no circumstances it let you see the passkey’s private key in a format that you can import elsewhere, which reduce the amount of damage that can be done, but still if an attacker gain access to your Google account and its “password manager” (or any other password managers tbh) it’s mostly game over at that point.

Personally I don’t have all my passkeys on a physical device, they’re mostly stored in my Bitwarden vault for the convenience of multi-device sync, and the important accounts that offers SSO into other services (Google, Facebook, Amazon, Apple, plus Bitwarden) are protected by multiple hardware tokens with a Passkey for redundancies.

Security is as strong as its weakest link.

I’m not saying it’s good, I’m saying it’s easy. It is not hard for normal consumers to setup.

Yes, you need a passkey per service, so you would quickly end up with your 25 slots full.

Having a key shared across sites wouldn’t be great. If it was great it would be an article talking about “passkey” not “passkeys” because you would just have one. Like some sort of Skeleton Passkey that unlocks all your shit when compromised.

Ideally yes, they’re supposed to eventually replace all passwords. Of which I have hundreds. And yes not 100% of them will do that on the near future but a lot more than 25 will.

No, sharing passkeys across services is way too risky. One service gets compromised, someone gets your passkey, and then they have access to all of your services. It’s the same principle with regular passwords.

I have 150 passwords in my password manager. I’m not buying 7 YubiKeys (and to be fair that’s not what they’re designated for)

/aparté: being downvoted for trying to understand gives me reddit vibes well done

You only need one per website if you want it to autofill the username, because resident keys held on the security token can be recognized and suggested automatically but otherwise you must first enter your username on the website and let the website send its challenge value for the corresponding domain and account pair so that your security token can respond correctly.

Right, now I remember reading about that, I forgot.

Passkey = Resident Key

Nonresident keys are not passkeys, they are solely a second form of authentication meaning the service you are logging into still requires a password.

.

a.k.a password-protected certificates

You setup passkeys for all your devices with biometric features. I know I have a Yubikey for my desktop, facial recognition on my phone, and a fingerprint reader on my laptop. So, I setup 3 passkeys using biometric (fingerprint or face). I also kept my password and 2FA for now because it’s all new. I wouldn’t recommend jumping in face first.

I only am using it on a few key sites and partly because I’m a web developer testing it all out. I wouldn’t advise it for the average user at the moment but it’ll mature and many password managers can store passkeys now. As it matures, I’m hopeful it becomes seamless like FaceID and fingerprint readers.

It basically performs the same function as an SSH key (providing public key authentication), yes.

Your issue with logging in on your phone vs laptop can be solved by either syncing them (like the OS/Browser platforms of Google/Apple/Microsoft or a password manager like Proton Pass/Bitwarden do) or by setting up each device separately (like most people should do with SSH keys). Each method comes with trade-offs: syncing means they aren’t device bound and can potentially be stolen, setting it up on each device can be a pain, etc.

The important thing to remember is that passkeys don’t need to be the only authentication methods attached to an account. You can use the convenience of a passkey most of the time when it’s possible and then fall back to another method (like a password/TOTP pair) when that’s not available (such as when setting up a new device). There’s also always the standard account recovery options if all else fails, those don’t necessarily go away.

The other thing to remember is that it’s not trying to be a perfectly secure solution to all authentication everywhere but to replace passwords with something better. Not having to generate and store random passwords with arbitrary complexity requirements, being able to log in with just a tap or a click, and not having anything that needs to be kept secret on the website’s side can be enough of an improvement over passwords to make the change worthwhile.

Close, but you are still trusting the device you own. If I were to compromise that device, I could capture that key and use it. Again, this is my limited understanding, but a zero trust solution works in such a way that the actual keys are not stored anywhere. During setup, new temporary keys are generated. A keypass binds to the temporary key for use of authentication. The temporary key can be revoked at any time for any reason, whether it’s due to a breach or routine policies. It can be as aggressive as it needs, and the implication is that if someone else (either you or an attacker) got issued a new temporary key then the other would not receive it. Using an incorrect temporary key would force an initialization again, using the actual keys that aren’t stored anywhere.

The initialization process should be done in a high trust environment, ideally in person with many forms of vetting. But obviously this doesn’t take place online, so there is the risk that your device is not trusted. This is why the process falls back on other established processes, like 2FA, biometrics, or using another trusted device. How this is done is up to the organization and not too important.

But don’t get too hooked on the nuances of passwords, keys, passkeys,etc. The entire purpose is to limit trust, so that if any part of the process is compromised, there is nothing of value to share.

Disclosure: Worked in military and this seems to be a consumer implementation of public/private key systems using vector set algorithms that generate session keys, but without the specialized hardware. It’s obviously different, but has a lot of parallels, the idea in this case is that the hardware binds to the private/public keys and generates temporary session keys to each unique device it communicates with, and all devices can talk with members of it’s own vector set. Capturing a session key is useless as it’s constantly being updated, and the actual keys are stored on a loading device (which is subsequently destroyed afterwards, ensuring the actual key doesn’t exist anywhere and is non recoverable, but that’s another thing altogether). My understanding of passkey systems is solely based on this observation, and I have not actually implemented such a solution myself.

They’re closer to a cooperative.

Youre get downvoted by the same MS defender chuds.

Fuck the billionaires.

Not sure what Google has to do with passkeys besides the fact that they’ve implemented them. Google implemented passwords too but I’m guessing you’re fine with those?

Passkeys are not exclusively controlled by oligarchs so I guess by your own admission you should consider them.

No one is suggesting that you secure your online accounts with the billionaire owner class. They’re suggesting you secure them with passkeys.

Proton, Bitwarden, 1Password, Yubico (via the Yubikey), and others (including big tech) already have their own independent implementations(?)

Even Keypass has at least a partial implementation github.com/keepassxreboot/keepassxc/pull/8825

Are we talking in circles here?

No. “I avoid passkeys because of Google” is avoiding an entire technology because of a bad implementation. “Passkeys implemented by Google have problems” is only avoiding passkeys implemented by Google, leaving using passkeys still on the table.

The way out of the circle that you’ve put yourself in is realizing Google isn’t the only company implementing passkeys.

Asymmetric cryptography has been ubiquitous and generally standardized by the time Google began letting you store Passkeys, so what’s your point?

Is Google supporting a particular service or system a dealbreaker for you or not? Because Google has far more fingers in the public operation of email than it does passkeys. So if you’re still ok with having an email account, then you should be just as ok with using passkeys.

Well that’s great news, then you’ll like passkeys because you can use them without being locked into anything.

The next question is does anyone actually let you import passkeys? I don’t think there is ☹️

I have a few keys in Bitwarden but before I go adding more I am going to play with Proton Pass. A lot of users were understandably annoyed when Bitwarden released passkey support but in such a limited manner.

On the contrary, companies making a profit by making things better for you as a concept is pretty close to extinct. See corporations realized they don’t have to make better products if they just box out the competition so that you no longer have a choice. Theres even a term for it now, because practically every company across every industry is doing it, enshittification. Charging more for inferior projects is the new goal.

A company that grows itself by making a better product is an objective rarity in the modern world.

I’m actually not sold that I should be putting all my keys in a single password manager like Bitwarden.

Treating social media accounts as irrelevant is fine as long as none of your real life friends associate with you on the same platform. Once that’s the case, scammers can take over your platform and send messages to your friends telling them you’re stuck and need money or other sorts of things that sound ridiculous but work all the time.

Exactly like an encryption key. Here’s a video from Security Now with Steve Gibson (a well known security researcher) who explained it in a fairly approachable fashion. That link should start at the beginning of that segment, about 1:31:00 in.

They’re the private half of a public/private key pair, much like how you make encrypted connections to websites.

The gist of passkeys are that the secret you’re using to login to your accounts is stored on your device (Or in your password manager) and is never sent to or stored on the server. So if a website you have an account on is breached, unlike with a password, your passkey can’t be stolen, because they don’t have it.

Similarly, your passkey can’t be phished. If a malicious actor directed you to a fake login page and you didn’t notice and entered your password into the fake login form, they now have stolen your password. But because your passkey is not sent to the server like a password, the fake login page wouldn’t get anything.

And because your passkey isn’t something you have to remember, you can’t create an insecure one like with a password, and you can’t reuse the same one for different accounts.

Asymmetric cryptographic signing keypairs. An ECDSA variant is used to create and validate signatures. Your device creates a unique keypair per domain you register on. It only sends signatures, which doesn’t reveal what the secret key is, and each signature is based on a single use challenge value.

It’s definitely trying to be user friendly enough that non-technical users like the family members you mention can use it to replace passwords. For your use case with a strong password and 2FAS to generate a code, it still gets rid of the phishing potential. The main advantage for the other people like your family is that they don’t have to type or autofill anything, just select an account to log into or click approve on their phone. A main advantage for the service is that the user’s diligence is taken out of the equation for a lot of it and they don’t have to worry about a user giving their password and 2FA codes to a phisher. If a user tries to use a passkey at the wrong site (like a phishing site), it won’t pop up as an option to select because the domain is wrong.

Passkeys can also help anyone who is using a service in an indirect way. The 23andMe “breach” was due to stolen credentials from other actually breached sites being used to log into accounts that have data shared with them. That 23andMe data was shared to those compromised users by people who may have actually had all their security turned up to the highest settings like 2FA but was nonetheless scraped and obtained by the bad actors anyways. If 23andMe had been using passkeys (or even magic login links in an email), there would have been no credentials from other sources to use against their 23andMe’s users. Moving everyone to more secure authentication methods is in the best interest of everyone involved, it’s just that typically it was a hassle to have to setup an authenticator app or a password manager for 2FA. Passkeys, when everything is working properly, finally provide both more security and more convenience for the average person than just a password and so people might actually adopt them.

In fact history has shown the good die out or become corrupt. Still using them for now though.

Iirc you can export everything. Most allow export of passwords of course but i think proton allows export of passkeys too.

So there’s portability if they ever do disintegrate.

True, but this is valid for every company.
Let’s say that since the company is Swiss based and, AFAIK, not quoted maybe they are not driven by the “the next quarter is all that matters” mentality of many quoted (US) companies.
There is a smaller chance that they will do something stupid to monetize more just to be ok next quarter (while risking to lose everything the next one) and will be there as long as they provide a value to the customer for the paid price.

That’s with hosting your own server. Unfortunately I only discovered this paywall after sending them $10 out of good will.

Of course it’s open source, so it’s certainly possible to break their DRM, and if it were something less sensitive I would.

I still might, but VaultWarden looks like a better alternative.

If you self host you need the $40 plan for two people. Seems kinda backwards, doesn’t it?

Yeah, they absolutely don’t make that clear or I wouldn’t have gone with Bitwarden.

Yea, I know. But my preference is for my password manager to not be cloud at all.

Why are us nerds like this? No one asked, please dont.

Eh, easier to just use the same password for everything.

I use 12345, personally.

For passkeys? My understanding is that’s not implemented yet.

No, no, no. A Witch must float like a duck.

Yes. It’s still the fact that Google monopolizes shit. Same thing with Apple by the way.