Cops also love them because they make getting access to your entire phone including all accounts simple as cake if you use fingerprint/faceID to unlock your device.
Comment on Passkeys Explained: The End of Passwords
Brokkr@lemmy.world 1 day ago
While the lock-in issue is annoying and a good reason not to adopt these, the device failure issue is a tech killer. Especially when I can use a password manager. This means I can remember two passwords (email and password manager), make them secure, and then always recover all my accounts.
Passkeys are a technology that were surpassed 10 years before their introduction and I believe the only reason they are being pushed is because security people think they are cool and tech companies would be delighted to lock you into their system.
LuigiMaoFrance@lemmy.ml 20 hours ago
l_b_i@pawb.social 1 day ago
I think they are being pushed because cool technology on paper. Whenever I read an article about them, I can’t help but think about the human factors. How are passkeys created, often by a password or email. okay… that looks a lot like a password. Oh you lost the passkey, here lets send you one again. It stinks of a second factor without a first. Sure, the passkey itself is hard to compromise, but how about its creation. If your email is compromised I see no difference from passwords or passkeys.
4am@lemmy.zip 20 hours ago
They don’t email you a passkey, what are you even talking about?
lmmarsano@lemmynsfw.com 7 hours ago
There are quite a few uninformed takes here. 😞
l_b_i@pawb.social 20 hours ago
The flow I hear about when people talk about passkeys is sign up with email. Code gets sent to email. Code is entered, passkey gets generated. There always seems to be some similar step that looks like that, and often you have new device or reset that looks the same. Sure the passkey itself is secure, but how do you get it, how do you generate it, how do you validate the first time?
EncryptKeeper@lemmy.world 20 hours ago
None of that is remotely true lol. You don’t get a passkey, you generate. Nothing is “sent” to you at any point in time, it has nothing to do with email.
smiletolerantly@awful.systems 22 hours ago
You can store Passkeys in open source password managers.
I don’t know most of my passwords, so the step to passkeys doesn’t feel like a big one. I also really like the flow of pressing Login; Bitwarden pops up a prompt without me initiating it; I press confirm. Done, logged in, and arguably more secure due to the surrounding phishing and shared secrets benefits.
Brokkr@lemmy.world 21 hours ago
Sure, they probably work great when you have your password manager on the device, but that’s not when I need to have backup routes into my accounts. When using a new device, or someone else’s, having even a complicated password that can be typed or copied-pasted has way more functionality.
As far a I can tell, using passkeys would only risk locking me out of my accounts. Everyone else is already effectively locked out.
smiletolerantly@awful.systems 19 hours ago
I can access my password manager via the browser from any device.
queermunist@lemmy.ml 21 hours ago
Can’t you access your password manager from a web browser? Or your phone?
Brokkr@lemmy.world 21 hours ago
Oops, meant passkey manager, fixed it.
Septimaeus@infosec.pub 15 hours ago
Yeah the moods in this thread, like
“[I don’t understand this]!”
“[I don’t trust this]!”
“[It doesn’t fix everything]!”
“[This doesn’t benefit me]!”
“[What’s wrong with old way]!?”
And like, all valid feelings… just the reactions are a bit… intense? Especially considering it’s a beta stage auth option that amounts to a fancy version of the old sec key industry standard, not the mark of the beast.
Rooster326@programming.dev 12 hours ago
Because we all know it will eventually go from a “neat” to mandatory with vendor lock-in for no other reason than “fuck you”.
We’ve all seen it a few hundred times now with X, and Y.
smiletolerantly@awful.systems 6 hours ago
You do not need your fingerprint or any other biometric to use a passkey.
You do not lose access to passkeys when you lose your device.
JackbyDev@programming.dev 17 hours ago
I was never prompted to do such a thing. It always just told me to plug in my phone (and even that didn’t work).
4am@lemmy.zip 20 hours ago
Password managers store passkeys. They’re portable and not device-locked. Been using them on Bitwarden for like 2 years now.
umbrella@lemmy.ml 16 hours ago
its being pushed because corporations want to control your passwords with lock-in.
no way i’m using that garbage over my own manager with recallable plaintext passwords.
HubertManne@piefed.social 20 hours ago
I came to sorta say this. Regardless of the system if it can fail and if people have to recover an account then phishing will always be a thing. In person options to deal with an account like with bank branches or government offices are the only true way of making things more secure. I sometimes think it would make sense for this. One rare thing I have seen that gives me a bit of hope is the use of in person at the post office for us government accounts. Thats exactly how it should be done. Secretary of state for state and usps for federal. They are the only agencies with enough physical locations.
jj4211@lemmy.world 21 hours ago
Passkeys are a technology that were surpassed 10 years before their introduction
Question is by what? I could see an argument that it is an overcomplication of some ill-defined application of x509 certificates or ssh user keys, but roughly they all are comparable fundamental technologies.
The biggest gripe to me is that they are too fussy about when they are allowed and how they are stored rather than leaving it up to the user. You want to use a passkey to a site that you manually trusted? Tough, not allowed. You want to use against an IP address, even if that IP address has a valid certificate? Tough, not allowed.
Brokkr@lemmy.world 21 hours ago
They were surpassed by password managers and 2fa.
psycotica0@lemmy.ca 21 hours ago
Technically they are the 2fa. The second factor is something you have. I store all my passkeys in my password manager too, so I’m not faulting you, but technically that’s just undoing the second factor, because now my two factors are “two things that are both unlocked by the same one thing I know”. Which is one complicated factor spread across two boxes.
jj4211@lemmy.world 20 hours ago
Password managers are a workaround, and broadly speaking the general system is still weak because password managers have relatively low adoption and plenty of people are walking around with poorly managed credentials. Also doesn’t do anything to mitigate a phishing attack, should the user get fooled they will leak a password they care about.
2FA is broad, but I’m wagering you specifically mean TOTP, numbers that change based on a shared secret. Problems there are: -Transcribing the code is a pain -Password managers mitigate that, but the most commonly ‘default’ password managers (e.g. built into the browser) do nothing for them -Still susceptible to phishing, albeit on a shorter time scale
Pub/priv key based tech is the right approach, but passkey does wrap it up with some obnoxious stuff.
Rooster326@programming.dev 12 hours ago
password managers have relatively low adoption and plenty of people are walking around with poorly managed credentials
All of the modern browsers have built in password managers so I doubt that very much.
Are they as secure as your self-hosted bit warden that is not accessible via the Internet? No.
But it does still keep track of your usernames and even alerts you if you have a breach.
xthexder@l.sw0.com 13 hours ago
Lack of adoption doesn’t really make password managers a workaround. What’s being worked around? People’s laziness?
Password managers actually do solve the phishing problem to an extent, since if you’re using it properly, you’ll have a unique password for every service, limiting the scope of the problem.
Putting TOTP 2fa codes in your password manager behind the same password as everything else actually destroys any additional security added by 2fa, since it puts you back to a single auth factor.
cmhe@lemmy.world 15 hours ago
I use them with bitwarden and a self hosted vaultwarden. If my phone breaks, no issue. If my server breaks, I got local backups… Keys are stored encrypted in a postgres database for which I have access, if I need to restore it. No lock-in issue or risk of loosing access when one or two devices break.
sentientRant@lemmy.world 20 hours ago
Even if you are really careful, your details can always be leaked from a company server during a breach. If the companies adopt passkeys, that issue isn’t there. Because there isn’t a password anyone can randomly use. That’s why I feel big tech companies are moving towards it.
xthexder@l.sw0.com 13 hours ago
Companies should already be storing password hashes, so the risk of leaking a hash vs a public key is roughly the same. It’s just that private keys are generally longer than passwords and therefore harder to bruitforce.
Any company storing passwords in a recoverable format deserves to be hacked.
cenzorrll@piefed.ca 22 hours ago
I’ve found a pretty good use for a passkey. Docusign. About every 3 months I need to docusign something at work. The process involves logging in, changing your password, logging in again, opening the document, logging in to sign, logging in to finish. The only steps you get to skip if there’s more than one document is the initial log on, and changing password. So with a passkey I just touch it a bunch of times and there’s no password change.
Brokkr@lemmy.world 21 hours ago
Sounds like a password manager would make that way easier. Changing your password would involve a few extra clicks. Also, you might want to check with your IT folks. Asking people to constantly change their password is a good way to weaken password strength. I don’t use docusign, but there is probably a setting that they can change.
cenzorrll@piefed.ca 20 hours ago
Oh, I agree, but I have to argue enough with professionals who know better as it is. I have to do it every day with recent PhDs as a BA who’s been doing the job for 15 years. At this point it’s not my problem if something happens. I have other things that affect me every day to fight about. I’ll just continue cycling through my no repeats after 10 changes, 12 character passwords and using my yubikey for docusign for my own sanity.
pr06lefs@lemmy.ml 21 hours ago
sounds like a better solution is don’t use docusign
cenzorrll@piefed.ca 21 hours ago
K, I’ll go tell the CEO that they need to come up with something different.
bookmeat@lemmynsfw.com 20 hours ago
There’s like a million other free/libre digital document signing platforms out there. Try one that doesn’t suck.
hansolo@lemmy.today 1 day ago
This is the only accurate take in the whole thread.
Passkeys solve “well, can’t be fished” by introducing 2 new problems and never resolving super prevalent session hijacking. Even as a basic cost-benefit analysis, it’s a net loss to literally everyone.