I think they are being pushed because cool technology on paper. Whenever I read an article about them, I can’t help but think about the human factors. How are passkeys created, often by a password or email. okay… that looks a lot like a password. Oh you lost the passkey, here lets send you one again. It stinks of a second factor without a first. Sure, the passkey itself is hard to compromise, but how about its creation. If your email is compromised I see no difference from passwords or passkeys.
Comment on Passkeys Explained: The End of Passwords
Brokkr@lemmy.world 3 weeks ago
While the lock-in issue is annoying and a good reason not to adopt these, the device failure issue is a tech killer. Especially when I can use a password manager. This means I can remember two passwords (email and password manager), make them secure, and then always recover all my accounts.
Passkeys are a technology that were surpassed 10 years before their introduction and I believe the only reason they are being pushed is because security people think they are cool and tech companies would be delighted to lock you into their system.
l_b_i@pawb.social 3 weeks ago
4am@lemmy.zip 3 weeks ago
They don’t email you a passkey, what are you even talking about?
l_b_i@pawb.social 3 weeks ago
The flow I hear about when people talk about passkeys is sign up with email. Code gets sent to email. Code is entered, passkey gets generated. There always seems to be some similar step that looks like that, and often you have new device or reset that looks the same. Sure the passkey itself is secure, but how do you get it, how do you generate it, how do you validate the first time?
EncryptKeeper@lemmy.world 3 weeks ago
None of that is remotely true lol. You don’t get a passkey, you generate. Nothing is “sent” to you at any point in time, it has nothing to do with email.
lmmarsano@lemmynsfw.com 3 weeks ago
There are quite a few uninformed takes here. 😞
Sl00k@programming.dev 2 weeks ago
Lemmy has been very anti passkey at least since it’s rise in 2023, it’s very interesting how tech forward Lemmy generally is and how anti passkey and not even anti, just generally uninformed on them they are.
I for one love them. I always read everyones opinions here and just think nobody has even attempted to use them. It’s very simple.
LuigiMaoFrance@lemmy.ml 3 weeks ago
Cops also love them because they make getting access to your entire phone including all accounts simple as cake if you use fingerprint/faceID to unlock your device.
smiletolerantly@awful.systems 3 weeks ago
You can store Passkeys in open source password managers.
I don’t know most of my passwords, so the step to passkeys doesn’t feel like a big one. I also really like the flow of pressing Login; Bitwarden pops up a prompt without me initiating it; I press confirm. Done, logged in, and arguably more secure due to the surrounding phishing and shared secrets benefits.
Brokkr@lemmy.world 3 weeks ago
Sure, they probably work great when you have your password manager on the device, but that’s not when I need to have backup routes into my accounts. When using a new device, or someone else’s, having even a complicated password that can be typed or copied-pasted has way more functionality.
As far a I can tell, using passkeys would only risk locking me out of my accounts. Everyone else is already effectively locked out.
smiletolerantly@awful.systems 3 weeks ago
I can access my password manager via the browser from any device.
queermunist@lemmy.ml 3 weeks ago
Can’t you access your password manager from a web browser? Or your phone?
Brokkr@lemmy.world 3 weeks ago
Oops, meant passkey manager, fixed it.
Vittelius@feddit.org 2 weeks ago
You could also use dedicated hardware to store your keys. Any FIDO USB key will do. I have a Yubikey that cost me less than 30 bucks.
It’s really handy, because I frequently use someone else’s device for work. All I have to do is plug it in, press the button on the key and enter the master password for the passkey storage. It’s like having a password manager on a USB stick.
Septimaeus@infosec.pub 3 weeks ago
Yeah the moods in this thread, like
“[I don’t understand this]!”
“[I don’t trust this]!”
“[It doesn’t fix everything]!”
“[This doesn’t benefit me]!”
“[What’s wrong with old way]!?”
And like, all valid feelings… just the reactions are a bit… intense? Especially considering it’s a beta stage auth option that amounts to a fancy version of the old sec key industry standard, not the mark of the beast.
Rooster326@programming.dev 3 weeks ago
Because we all know it will eventually go from a “neat” to mandatory with vendor lock-in for no other reason than “fuck you”.
We’ve all seen it a few hundred times now with X, and Y.
jabberwock@lemmy.dbzer0.com 3 weeks ago
This is a fundamental misunderstanding of how the FIDO2 standard works. It is not designed to be vendor specific and as other people in this thread point out, plenty of open-source secrets managers and hardware implement passkeys.
What we’ve seen is the typical Silicon Valley model of “embrace, extend, extinguish” so you’re right to be wary of any implementation by Google or Microsoft.
Same goes for biometrics - how you unlock the passkey isn’t specified in the standard. It is left up to the implementation. If you don’t want to use biometrics, you don’t have to.
smiletolerantly@awful.systems 3 weeks ago
You do not need your fingerprint or any other biometric to use a passkey.
You do not lose access to passkeys when you lose your device.
Septimaeus@infosec.pub 3 weeks ago
If we cut and run every time a big corporation “embraces” a new standard, just to lessen the pain of the day it’s inevitably “extinguished,“ we’d miss out on quite a lot.
This standard was open from the start. It was ours. Big corps sprinted ahead with commercial development, as they do, but just because they’re first to implement doesn’t mean we throw in the towel.
Also:
- Bio auth isn’t necessary. It’s just how Google/Apple do things on their phones. It’s not part of the FIDO2 standard.
- It works with arbitrary password managers including FLOSS and lots of hardware options.
- Passkeys can sync to arbitrary devices, browsers, device bound sessions, whatever.
JackbyDev@programming.dev 3 weeks ago
I was never prompted to do such a thing. It always just told me to plug in my phone (and even that didn’t work).
4am@lemmy.zip 3 weeks ago
Password managers store passkeys. They’re portable and not device-locked. Been using them on Bitwarden for like 2 years now.
Brokkr@lemmy.world 3 weeks ago
It is not portable in the sense that you need bitwarden installed on the device you are trying to connect from.
Passwords can be plain text, which means I can copy, paste, and dictate them to a device that does not have additional software installed.
umbrella@lemmy.ml 3 weeks ago
its being pushed because corporations want to control your passwords with lock-in.
no way i’m using that garbage over my own manager with recallable plaintext passwords.
Sl00k@programming.dev 2 weeks ago
You can transfer passkeys between platforms? This is a non-issue
umbrella@lemmy.ml 2 weeks ago
all at once? i don’t think so.
even then, corporate apps will always remove convenient features later for lock-in. i don’t fall for this shit anymore.
HubertManne@piefed.social 3 weeks ago
I came to sorta say this. Regardless of the system if it can fail and if people have to recover an account then phishing will always be a thing. In person options to deal with an account like with bank branches or government offices are the only true way of making things more secure. I sometimes think it would make sense for this. One rare thing I have seen that gives me a bit of hope is the use of in person at the post office for us government accounts. Thats exactly how it should be done. Secretary of state for state and usps for federal. They are the only agencies with enough physical locations.
jj4211@lemmy.world 3 weeks ago
Passkeys are a technology that were surpassed 10 years before their introduction
Question is by what? I could see an argument that it is an overcomplication of some ill-defined application of x509 certificates or ssh user keys, but roughly they all are comparable fundamental technologies.
The biggest gripe to me is that they are too fussy about when they are allowed and how they are stored rather than leaving it up to the user. You want to use a passkey to a site that you manually trusted? Tough, not allowed. You want to use against an IP address, even if that IP address has a valid certificate? Tough, not allowed.
Brokkr@lemmy.world 3 weeks ago
They were surpassed by password managers and 2fa.
psycotica0@lemmy.ca 3 weeks ago
Technically they are the 2fa. The second factor is something you have. I store all my passkeys in my password manager too, so I’m not faulting you, but technically that’s just undoing the second factor, because now my two factors are “two things that are both unlocked by the same one thing I know”. Which is one complicated factor spread across two boxes.
jj4211@lemmy.world 3 weeks ago
Password managers are a workaround, and broadly speaking the general system is still weak because password managers have relatively low adoption and plenty of people are walking around with poorly managed credentials. Also doesn’t do anything to mitigate a phishing attack, should the user get fooled they will leak a password they care about.
2FA is broad, but I’m wagering you specifically mean TOTP, numbers that change based on a shared secret. Problems there are: -Transcribing the code is a pain -Password managers mitigate that, but the most commonly ‘default’ password managers (e.g. built into the browser) do nothing for them -Still susceptible to phishing, albeit on a shorter time scale
Pub/priv key based tech is the right approach, but passkey does wrap it up with some obnoxious stuff.
Rooster326@programming.dev 3 weeks ago
password managers have relatively low adoption and plenty of people are walking around with poorly managed credentials
All of the modern browsers have built in password managers so I doubt that very much.
Are they as secure as your self-hosted bit warden that is not accessible via the Internet? No.
But it does still keep track of your usernames and even alerts you if you have a breach.
xthexder@l.sw0.com 3 weeks ago
Lack of adoption doesn’t really make password managers a workaround. What’s being worked around? People’s laziness?
Password managers actually do solve the phishing problem to an extent, since if you’re using it properly, you’ll have a unique password for every service, limiting the scope of the problem.
Putting TOTP 2fa codes in your password manager behind the same password as everything else actually destroys any additional security added by 2fa, since it puts you back to a single auth factor.
cmhe@lemmy.world 3 weeks ago
I use them with bitwarden and a self hosted vaultwarden. If my phone breaks, no issue. If my server breaks, I got local backups… Keys are stored encrypted in a postgres database for which I have access, if I need to restore it. No lock-in issue or risk of loosing access when one or two devices break.
Brokkr@lemmy.world 3 weeks ago
That sounds great, but also isn’t a solution for most people.
cmhe@lemmy.world 2 weeks ago
True. But most good stuff isn’t a solution for everyone. It takes real effort to escape vendor-lockin. Bigtech made sure of that.
If something is too simple to set up or requires no set up, or comes from a for-profit company, but doesn’t cost anything, then it always suspicious.
Fmstrat@lemmy.world 2 weeks ago
Not to mention Apple decided to make passkeys Airdropable. Fun.
I worked on a cool projected called FedID: fedid.me that creates a distributed identifier (DID) out in the world, federated with AvtivityPub, and gives you a key you can sign in with via OpenID Connect. It allows the DID to have multiple keys for multiple devices, and delegate authority, so losing a device/failure is no big deal.
That being said, Web passkeys can be stored in password managers, just like passwords.
sentientRant@lemmy.world 3 weeks ago
Even if you are really careful, your details can always be leaked from a company server during a breach. If the companies adopt passkeys, that issue isn’t there. Because there isn’t a password anyone can randomly use. That’s why I feel big tech companies are moving towards it.
xthexder@l.sw0.com 3 weeks ago
Companies should already be storing password hashes, so the risk of leaking a hash vs a public key is roughly the same. It’s just that private keys are generally longer than passwords and therefore harder to bruitforce.
Any company storing passwords in a recoverable format deserves to be hacked.
Brokkr@lemmy.world 3 weeks ago
Yes, you have to trust the company storing the passwords.
A good company can store passwords in ways that are secure to most hacking attempts. It isn’t impossible to break the encryption typically used, but it is difficult enough that most thieves will not have the resources or time to make use of the data. They want the low effort password databases, not the difficult and expensive ones.
cenzorrll@piefed.ca 3 weeks ago
I’ve found a pretty good use for a passkey. Docusign. About every 3 months I need to docusign something at work. The process involves logging in, changing your password, logging in again, opening the document, logging in to sign, logging in to finish. The only steps you get to skip if there’s more than one document is the initial log on, and changing password. So with a passkey I just touch it a bunch of times and there’s no password change.
Brokkr@lemmy.world 3 weeks ago
Sounds like a password manager would make that way easier. Changing your password would involve a few extra clicks. Also, you might want to check with your IT folks. Asking people to constantly change their password is a good way to weaken password strength. I don’t use docusign, but there is probably a setting that they can change.
cenzorrll@piefed.ca 3 weeks ago
Oh, I agree, but I have to argue enough with professionals who know better as it is. I have to do it every day with recent PhDs as a BA who’s been doing the job for 15 years. At this point it’s not my problem if something happens. I have other things that affect me every day to fight about. I’ll just continue cycling through my no repeats after 10 changes, 12 character passwords and using my yubikey for docusign for my own sanity.
pr06lefs@lemmy.ml 3 weeks ago
sounds like a better solution is don’t use docusign
cenzorrll@piefed.ca 3 weeks ago
K, I’ll go tell the CEO that they need to come up with something different.
bookmeat@lemmynsfw.com 3 weeks ago
There’s like a million other free/libre digital document signing platforms out there. Try one that doesn’t suck.
hansolo@lemmy.today 3 weeks ago
This is the only accurate take in the whole thread.
Passkeys solve “well, can’t be fished” by introducing 2 new problems and never resolving super prevalent session hijacking. Even as a basic cost-benefit analysis, it’s a net loss to literally everyone.
anomnom@sh.itjust.works 3 weeks ago
That’s what I worried, and then especially to computers that age out of updates (2 older MacBooks).
We end up having to reauthenticate on some other device at some point anyway and that means there’s still going to be a weak point.
Like with 2 auth sim jacking.