Submitted 23 hours ago by sentientRant@lemmy.world to technology@lemmy.world
https://sentientrant.com/cybersecurity/passkeys-explained/
Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
It seems like the idea behind having the passkeys synced through cloud platforms is to mitigate the device failure risk as much as possible, as any device logged into the cloud account could be used to access the passkey protected accounts. It seems a little short-sighted as it means that the passkeys are limited to AAL2 (as AAL3 requires it to be non-exportable), and depends on the security of the cloud account. The cloud account can’t use anything as secure as a passkey, as it would reintroduce the device failure risk (meaning that your security has been downgraded from AAL3 to AAL2 for no reason).
It should also be noted that if the cloud account is not phishing-resistant (which it can’t be for reasons stated above), then the accounts protected by passkeys aren’t phishing resistant either, as the cloud account could be phished, which would lead to a compromise of the other accounts.
At AAL2 you could also just use a password and OTP, which doesn’t have the vendor lock-in problems with cloud synced passkeys and has a wider adoption already.
In my opinion there is no need for cloud syncing, as device failure risk is negligible if you have a backup security key (as the failure rate of a single security key is already extremely low).
While the lock-in issue is annoying and a good reason not to adopt these, the device failure issue is a tech killer. Especially when I can use a password manager. This means I can remember two passwords (email and password manager), make them secure, and then always recover all my accounts.
Passkeys are a technology that were surpassed 10 years before their introduction and I believe the only reason they are being pushed is because security people think they are cool and tech companies would be delighted to lock you into their system.
This is the only accurate take in the whole thread.
Passkeys solve “well, can’t be fished” by introducing 2 new problems and never resolving super prevalent session hijacking. Even as a basic cost-benefit analysis, it’s a net loss to literally everyone.
Cops also love them because they make getting access to your entire phone including all accounts simple as cake if you use fingerprint/faceID to unlock your device.
I think they are being pushed because cool technology on paper. Whenever I read an article about them, I can’t help but think about the human factors. How are passkeys created, often by a password or email. okay… that looks a lot like a password. Oh you lost the passkey, here lets send you one again. It stinks of a second factor without a first. Sure, the passkey itself is hard to compromise, but how about its creation. If your email is compromised I see no difference from passwords or passkeys.
They don’t email you a passkey, what are you even talking about?
You can store Passkeys in open source password managers.
I don’t know most of my passwords, so the step to passkeys doesn’t feel like a big one. I also really like the flow of pressing Login; Bitwarden pops up a prompt without me initiating it; I press confirm. Done, logged in, and arguably more secure due to the surrounding phishing and shared secrets benefits.
Sure, they probably work great when you have your password manager on the device, but that’s not when I need to have backup routes into my accounts. When using a new device, or someone else’s, having even a complicated password that can be typed or copied-pasted has way more functionality.
As far a I can tell, using passkeys would only risk locking me out of my accounts. Everyone else is already effectively locked out.
Yeah the moods in this thread, like
“[I don’t understand this]!”
“[I don’t trust this]!”
“[It doesn’t fix everything]!”
“[This doesn’t benefit me]!”
“[What’s wrong with old way]!?”
And like, all valid feelings… just the reactions are a bit… intense? Especially considering it’s a beta stage auth option that amounts to a fancy version of the old sec key industry standard, not the mark of the beast.
I was never prompted to do such a thing. It always just told me to plug in my phone (and even that didn’t work).
Password managers store passkeys. They’re portable and not device-locked. Been using them on Bitwarden for like 2 years now.
its being pushed because corporations want to control your passwords with lock-in.
no way i’m using that garbage over my own manager with recallable plaintext passwords.
I came to sorta say this. Regardless of the system if it can fail and if people have to recover an account then phishing will always be a thing. In person options to deal with an account like with bank branches or government offices are the only true way of making things more secure. I sometimes think it would make sense for this. One rare thing I have seen that gives me a bit of hope is the use of in person at the post office for us government accounts. Thats exactly how it should be done. Secretary of state for state and usps for federal. They are the only agencies with enough physical locations.
I use them with bitwarden and a self hosted vaultwarden. If my phone breaks, no issue. If my server breaks, I got local backups… Keys are stored encrypted in a postgres database for which I have access, if I need to restore it. No lock-in issue or risk of loosing access when one or two devices break.
Passkeys are a technology that were surpassed 10 years before their introduction
Question is by what? I could see an argument that it is an overcomplication of some ill-defined application of x509 certificates or ssh user keys, but roughly they all are comparable fundamental technologies.
The biggest gripe to me is that they are too fussy about when they are allowed and how they are stored rather than leaving it up to the user. You want to use a passkey to a site that you manually trusted? Tough, not allowed. You want to use against an IP address, even if that IP address has a valid certificate? Tough, not allowed.
They were surpassed by password managers and 2fa.
Even if you are really careful, your details can always be leaked from a company server during a breach. If the companies adopt passkeys, that issue isn’t there. Because there isn’t a password anyone can randomly use. That’s why I feel big tech companies are moving towards it.
Companies should already be storing password hashes, so the risk of leaking a hash vs a public key is roughly the same. It’s just that private keys are generally longer than passwords and therefore harder to bruitforce.
Any company storing passwords in a recoverable format deserves to be hacked.
I’ve found a pretty good use for a passkey. Docusign. About every 3 months I need to docusign something at work. The process involves logging in, changing your password, logging in again, opening the document, logging in to sign, logging in to finish. The only steps you get to skip if there’s more than one document is the initial log on, and changing password. So with a passkey I just touch it a bunch of times and there’s no password change.
Sounds like a password manager would make that way easier. Changing your password would involve a few extra clicks. Also, you might want to check with your IT folks. Asking people to constantly change their password is a good way to weaken password strength. I don’t use docusign, but there is probably a setting that they can change.
sounds like a better solution is don’t use docusign
The eco-system lock-in makes this a non-starter for me. If I could store the private keys in something like a keepass vault (or that) and do the authentication magic from that I would consider it.
I am not dependent on any ecosystem for passkeys. I have a self-hosted vaultwarden instance that works with Bitwarden clients. I create and store my passkeys over there primarily and in my keepass db (which I primarily use for TOTPs) for redundancy. So if either one gets compromised, I can just delete the passkey for the accounts involved in that database.
KeePassXC supports passkeys directly through the Browser Integration service.
keepassxc.org/docs/KeePassXC_UserGuide#_browser_p…
There you go. Local, serverless passkeys in the software of your choice.
KeePass is great, it was my first password manager. Haven’t used it in a few years, but I’ll give it a go again after seeing this.
You can? At least I do that. I host vaultwarden myself and store the paaskeys there.
Passkeys to me are just a better way to autofill in login data.
OK, now think how nontechnical people will not be able to do it. They will be tied to Google/X-corp for all credentials, even government ones. Waiting to be banned if their social credit is too low.
Oh I’m stoopit. I just looked up the documentation for keepassxc and it supports it too:
keepassxc.org/docs/KeePassXC_UserGuide#_passkeys
So I guess the next time I create an account that supports it I’ll try it and see how it goes.
Just don’t take away passwords + TOTP 2FA for those of us who are actually using it correctly.
The biggest disadvantage:
Disadvantages of Passkeys
Ecosystem Lock-In – Passkey pairs are synced through each vendor’s respective clouds via end-to-end encryption to facilitate seamless access multiple devices.
More eggs in the American megacorp basket for more people, yay
Currently I use a FOSS (I think?) password manager, BitWarden, that supports passkeys. I use it across Mac, Windows and Android so I’m while my passkeys are locked yo the password manager, I am not locked to any of the aforementioned megacorps.
While I use and love bitwarden, it’s not exactly foss. Although there is a foss implementation of their server backend
I use BitWarden too. OS , device and browser agnostic is a win
But I imagine the vast amount of people will use whatever their platform is pushing, so Apple Google or Microsoft. And in 5 years time “3rd party passkeys” are not “secure enough” and blocked by the OS. (Ok that’s a bit tinfoil hat, but Google’s recent Android app developer verification scheme is fresh in mind)
KeePassXC has begun rollout of their own implementation, and I’m pretty sure they’re considered FOSS.
From a quick scan of the white paper, it appears they’re currently using on-device passkey discovery and otherwise “intercepting” passkey registration workflows, which I take to mean they aren’t originating the request as a passkey registrar. This may be the easiest method to satisfy FIDO’s dID requirements.
Does your FOSS password manager support exports or backups? Allow you to access your own keys? It may me blocked in the future. https://github.com/keepassxreboot/keepassxc/issues/10407#issuecomment-1994182200
That hasn’t been true since password managers stored passkeys, which I’ve been doing for years. Into the trash. 🗑️
This is a big one. Lock-in and the threat of provider blacklisting means it will remain a shortcut like SSO (“sign in with ____”), albeit higher security, until we’ve established federated providers with open standards.
That’s not the biggest disadvantage “if used properly.” Any account you have should get a passkey on every device you own. Each device has it’s own passkey system. If you have an iPhone, yeah, you get an apple passkey, but then if you have a windows laptop, you have a microsoft passkey, a FLOSS system will have it’s own, and so on. You are already on whatever system would contain the passkey and can easily add different ones each time you get a new device.
The biggest issue is that most people use a small number of devices (including many who use 1). Passkeys work best if you have many devices, so if you lose one, you just use another to access your services. If you have 1, you need to use recovery codes (and people don’t save them).
A key for each service for each device is too impractical in real life.
Getting a new device would mean logging in to hundreds of services to link up the new device. Or somehow keep track of which services have keys with which devices. And signing up to a new service would mean having to remember to generate keys for a a handfull of devices, some of which might not be available at the time (like a desktop computer at home when you are out). Or you risk getting logged out if you loose the one device that had a key for that particular service.
I agree passkeys can make sense with something like BitWarden or KeyPassX. Something that is FOSS, and is OS and device agnostic, and let’s you sync keys across devices. And should have independent backups too. Sync is not backup.
Your password hashes (assuming they even hash them) already live on their servers…
Cool, they know the hash to that one service I signed up with them. Not every account ever.
Better title:
Passkeys: still trying to explain why it’s worth the hassle when it isn’t
A better, well defined API for password managers to insert login information to the site compared to text boxes.
There’s a hassle?
Every time I was prompted to use one by plugging my phone in to my computer nothing happened. That was a little over a year ago.
No, thanks. I’ll keep using password+2FA and I hope that passkeys never become “mandatory”.
Thanks to our dystopian hellscape we live in it’ll become mandatory just like useless online ids. I hate having to explain passkeys to my family. Some fuckface suit who doesn’t use it properly pushed for a portfolio addition.
But what’s dystopian about passkeys. They are actually more secure than Password + TOTP. Phishing out a passkey is practically impossible.
The promise of passkeys when i first grad about them was that it would be quick and easy - that you wouldn’t need to enter a username or use 2fa. The reality appears to be that this is that it’s used ** as** 2fa
Personally, I found that It works well with Microsoft, Paypal, Google, Shopify and Proton. I was really surprised to find the option on German government sites, worked there as well. Tested in Ungoogled Chromium and Librewolf. The only thing I find dissappointing is adoption
Most of the sites I’ve seen use it as the single auth source. That said, using multiple forms of authentication in a layered model only improves security.
I've been resisting using them and decided to set one on my rarely-used and unimportant Piefed account to try it out.
Saved to Bitwarden fine on my desktop browser. When I try to log in with a browser on my phone, it asks for my username and does nothing more after that dialog closes. While I'm not sure if this is a problem with Piefed, Bitwarden, or Firefox, I'm now disinclined to try it with anything important, especially if that thing might then discourage me from logging in with a password.
I recognize the theoretical advantages, but passkeys don't do much to solve problems I actually have. All my passwords look like @A#vVukh9c$3Kw4Cs8NP9xgazEuJ3JWE and are unique. Bitwarden won't autofill the wrong domain. I don't enter credentials in links from emails I didn't trigger myself immediately before. I haven't checked whether I can reliably backup and restore them in my Bitwarden vault.
All my passwords look like
@A#vVukh9c$3Kw4Cs8NP9xgazEuJ3JWEand are unique.
You’re still transmitting the actual secret to the destination, so interception is a risk. Passkeys use asymmetric cryptography: no secret is ever transmitted, only time-sensitive challenges that prove possession of the private key. Servers only store public keys, which aren’t secret by design.
Passkeys have multifactor authentication built-in whereas passwords do not.
I find passkeys more convenient than passwords. My password manager has my passkeys. At login, my password manager raises a passkey prompt that I simply confirm.
I self host vaultwarden, and use bitwarden clients everywhere. Passkeys are stored there
Passkeys to me, are a better way to insert login information. Some developers don’t think of passwords getting automatically filled in, so this autofill sometimes breaks. Passkeys might be a improved interface to integrate password managers. Also, sometimes 2FA keys from my bitwarden client gets copied into the clipboard, which sometimes overwrites the stuff I wanted to preserve in there. This does not happen with passkeys.
You missed some disadvantages. For example the UX and complexity are terrible.
The passkey options I’ve come across so far are as close to push-button as I can imagine.
Do you mean from the developer perspective, like the complexity of the API/workflow?
Perhaps he means the process of setting it up. Or when it doesn’t work. Or when passkeys are lost. Or using another device. A lot of people’s complaints about passkeys aren’t really about when it works.
It’s valid I think, but also some people forget passwords can have similar experiences. For one, there seems to be this idea that if you lose your passkey you get locked out of your account forever. The recovery process should be no different than losing your password.
They’re device-bound certificate based authentication with some shiny bits.
Or they’re portable-via-certain-services certificate based authentication with some shiny bits.
Either way they’re new and try explaining that the user needs a new one for every device (or needs a new app to carry them around in) and that if the device dies, or the app dies, they lose it all. I have quite a few people in my life who can’t wrap their heads around using a password manager.
Personally, I find them irritating. My chosen password manager on iPhone doesn’t support them, so I need to have the iOS password vault turned on (yes, this is a dark pattern Apple has created to try to increase adoption of their password vault) to use them. Adoption needs to be much higher, interoperability needs to be better, and they need to put back the hint for which vault to use (which was removed early on to keep Microsoft and google from forcing chrome/edge vaults, but has the actual effect that chrome/edge tend to win the race over other options and means that the passkey prompt might be for a different app than the one that you prefer, leading to further user confusion)
I really don’t want to turn my devices into hardware keys. I can’t imagine how difficult it would be to recover if, say, there was a fire or flood. Hardware breaks, gets lost, stolen. How about people who can’t afford multiple devices? What about the unhoused? How about if you get arrested and your one device gets confiscated- you can’t even give anyone else access to your data. What if you’re a good witness recording something and the police decide to make your device into evidence (or destroy it).
MFA? Absofuckinglutely. I’ll pass on passkeys, sorry.
Yeah this is my situation. My personal computer is really infrequently used and as such I’m already in a dangerous situation when it comes to sign-in risk detection kicking off and asking for further authn proofs. I’ve had my phone die (and come to life when its replacement arrived) and that was a harrowing situation because all the MFA is stored there. Passkeys seem to make it worse, unless I subscribe to a sync service, which I need to infallibly trust (and I’m iffy on that; 1Password has a good security model and all that but passkeys are a different level of trust).
I mean, I wouldn’t mind if I could use my flipper for it, but the big issue is “if flipper break get fucked.” I can back up my .kdbx file in 14 luks encrypted locations, I can’t backup a whole ass flipper as easily.
Might I suggest Bitwarden.
It’s open source, syncs across every platform I know of, and supports passkeys.
Thanks. Will check it out.
Okay, so long as a passkey is something I can memorise. Otherwise, it’s significantly worse than a regular password (assuming you use good passwords and don’t reuse passwords etc).
It seems like they want to tie it to a physical computer (like the one in your pocket), which sucks big time. What happens if I don’t have access to that computer at all times, or it breaks, or is lost?
I’m planning on getting rid of my smartphone for something that just does calls and texts for example, because I’m sick of how unhealthily reliant I, and everyone, have become on this thing, and I want to be more connected to the real world. What then?
My brain is the best place to store passkeys, it can’t be hacked, stolen, lost, etc, unlike every other option. It’s the clear winner.
Somehow PieFed is she to make them work but simultaneously many companies are shifting to “magic links” sent to your email. 😡
Ok I see a lot if discussion on this topic but no one seems to have mentioned the main feature of the spec that makes them phishing resistant: presence detection. This is what makes FIDO resistant to credential replay. The spec is not perfect but it prevents most common phishing attacks.
Nope.
I’ve been mostly too lazy to look into how to use passkeys. If my normal flow is using 1password for 2fa (on mobile and on the computer), is there a way I can still use that with passkeys? It says they’re supported but I’m not sure how that’d work, because aren’t they device specific?
I just don’t want me losing access to my phone for whatever reason mean that I lose access to my accounts.
Passkeys are cool but you still need 2fa. Which may as well be a passkey itself.
One factor is not great even if it’s a passkey.
Hardly anyone supports it: www.passkeys.io/who-supports-passkeys
So to use it I will have to log in with my google/microsoft account everywhere? Thanks but no thanks.
I like passkeys but ONLY as the second factor. Using them as the primary makes no sense in majority of cases.
My company’s online product uses passkeys (I implemented it) more as a convenience method for login. 2FA is the base standard, and authenticated users can create a passkey for each device they want to use. Subsequent logins can then use the passkey or 2FA. Rather than having to dig out my phone, open the authenticator app, and put in the digits, I can simply use the fingerprint reader and I’m right in.
It’s the never ending battle between what’s secure and what’s practical. In order to have widespread adoption, it has to be easy. In order to be secure it requires layers of complication.
It’s a yin/yang battle.
A bank vault with walls 2 feet thick, 24/7 surveillance and requiring a two key unlock mechanism is secure compared to a house door lock on a regular suburban bungalow, but is it very practical?
The level of digital security generally attainable is limited by how likely someone is to use it.
2FA using keys is the closest I’ve seen to a happy medium, but it has to be implemented correctly. If the private keys are sitting on a cloud server somewhere and it gets hacked, is it more secure? Maybe not.
Just like real defence, the walls are only as good as the foundation or weakest point.
I have a couple in my Bitwarden (Vaultwarden)
But I already have issues with Android trying to force me to use the system Passkey provider, and companies like Apple only supporting their own device’s built in manager for Apple accounts.
What am I dependent on to access by stuff if I use a passkey? A smart phone?
Thanks for the great article! I had a question re: the top disadvantage you mention (lock-in).
Background: Although the on-device integration for Apple, Google, etc. use their cloud for E2E sync between devices, it appears KeePassXC using their passkey interception, discovery, and import procedures accomplish the same cross-device passkey implementation without needing a particular vendor cloud lock-in. As best I can tell, this meets the original standard’s sync fabric requirements (whether or not the big providers like it) and relies on platform-specific APIs mostly for interoperability.
Question: If KeePass has been able to implement their own sync this way, and the FIDO standard accommodates non-OS providers (e.g. browsers or PW managers), what is currently the biggest technical hurdle remaining for FOSS-based passkey providers?
Aren’t passkeys just passwords but numbers? Like passnumbers?
nuko147@lemmy.world 2 hours ago
Tried Passkey in the past. I had many problems, especially could not understand why they must use my google account. Now my google account is gone, don’t gonna go that rabbit hole again, i am happy with my Bitwarden and Aegis.