Comment

Comment on Passkeys Explained: The End of Passwords

Zak@piefed.world ⁨5⁩ ⁨months⁩ ago

I've been resisting using them and decided to set one on my rarely-used and unimportant Piefed account to try it out.

Saved to Bitwarden fine on my desktop browser. When I try to log in with a browser on my phone, it asks for my username and does nothing more after that dialog closes. While I'm not sure if this is a problem with Piefed, Bitwarden, or Firefox, I'm now disinclined to try it with anything important, especially if that thing might then discourage me from logging in with a password.

I recognize the theoretical advantages, but passkeys don't do much to solve problems I actually have. All my passwords look like @A#vVukh9c$3Kw4Cs8NP9xgazEuJ3JWE and are unique. Bitwarden won't autofill the wrong domain. I don't enter credentials in links from emails I didn't trigger myself immediately before. I haven't checked whether I can reliably backup and restore them in my Bitwarden vault.

source

Sort:hotnew top

lmmarsano@lemmynsfw.com ⁨5⁩ ⁨months⁩ ago

All my passwords look like @A#vVukh9c$3Kw4Cs8NP9xgazEuJ3JWE and are unique.

You’re still transmitting the actual secret to the destination, so interception is a risk. Passkeys use asymmetric cryptography: no secret is ever transmitted, only time-sensitive challenges that prove possession of the private key. Servers only store public keys, which aren’t secret by design.

Passkeys have multifactor authentication built-in whereas passwords do not.

I find passkeys more convenient than passwords. My password manager has my passkeys. At login, my password manager raises a passkey prompt that I simply confirm.

source
- Zak@piefed.world ⁨5⁩ ⁨months⁩ ago
  If they can break intercept my password despite TLS, they can probably also steal my session. I'll grant that's marginally less bad since the attacker would have to do their evil immediately if I log out when finished.
  
  I'm going to disagree that passkeys really have multifactor authentication built in. The passkey is a single factor. If it is compromised (an attacker steals the private key), that's all the attacker needs unless the service involved requires another factor like TOTP. The fact that it's usually harder to steal the private key than a password doesn't make it MFA.
  
  I recognize the theoretical advantages, but my one attempt to use it (here, with Piefed) didn't go so well, so I'm not eager to jump in with both feet.
  
  source
  - lmmarsano@lemmynsfw.com ⁨5⁩ ⁨months⁩ ago
    
    If they can intercept my password despite TLS, they can probably also steal my session.
    
    Security is all about layers & reducing risk/surface area of attack. Anyhow, that’s not necessarily true: it could leak due to flaw or defect that doesn’t affect the session token. By getting your secret, they can leak it. Leaking a secret they don’t have, however, is impossible.
    
    I’m going to disagree that passkeys really have multifactor authentication built in.
    
    Then you’re disagreeing with standards & definitions. Passkeys are encrypted in an authenticator that needs a biometric or secret (ie, something you are or know) to unlock the key (something you have).
    
    Authenticator is a multi-factor cryptographic authenticator that uses public-key cryptography to sign an authentication assertion targeted at the WebAuthn Relying Party. Assuming the authenticator uses either a facial recognition, fingerprint or PIN for user verification, the authenticator itself is something you have while the facial recognition and fingerprint (biometric) are something you are and the PIN is something you know.
    
    my one attempt to use it
    
    While it’s fine to share, “I tried something once, it sucked” is not a great argument to draw a generalization that technology sucks or isn’t better than your limited impression. Maybe piefed sucks: if piefed implemented password authentication wrong, would you blame password authentication?
    
    source
cmhe@lemmy.world ⁨5⁩ ⁨months⁩ ago
I self host vaultwarden, and use bitwarden clients everywhere. Passkeys are stored there

Passkeys to me, are a better way to insert login information. Some developers don’t think of passwords getting automatically filled in, so this autofill sometimes breaks. Passkeys might be a improved interface to integrate password managers. Also, sometimes 2FA keys from my bitwarden client gets copied into the clipboard, which sometimes overwrites the stuff I wanted to preserve in there. This does not happen with passkeys.

source