Submitted 2 weeks ago by sentientRant@lemmy.world to technology@lemmy.world
https://sentientrant.com/cybersecurity/passkeys-explained/
Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
The biggest disadvantage:
Disadvantages of Passkeys
Ecosystem Lock-In – Passkey pairs are synced through each vendor’s respective clouds via end-to-end encryption to facilitate seamless access multiple devices.
More eggs in the American megacorp basket for more people, yay
Currently I use a FOSS (I think?) password manager, BitWarden, that supports passkeys. I use it across Mac, Windows and Android so I’m while my passkeys are locked yo the password manager, I am not locked to any of the aforementioned megacorps.
While I use and love bitwarden, it’s not exactly foss. Although there is a foss implementation of their server backend
KeePassXC has begun rollout of their own implementation, and I’m pretty sure they’re considered FOSS.
From a quick scan of the white paper, it appears they’re currently using on-device passkey discovery and otherwise “intercepting” passkey registration workflows, which I take to mean they aren’t originating the request as a passkey registrar. This may be the easiest method to satisfy FIDO’s dID requirements.
I use BitWarden too. OS , device and browser agnostic is a win
But I imagine the vast amount of people will use whatever their platform is pushing, so Apple Google or Microsoft. And in 5 years time “3rd party passkeys” are not “secure enough” and blocked by the OS. (Ok that’s a bit tinfoil hat, but Google’s recent Android app developer verification scheme is fresh in mind)
This is a big one. Lock-in and the threat of provider blacklisting means it will remain a shortcut like SSO (“sign in with ____”), albeit higher security, until we’ve established federated providers with open standards.
And they can be hardware based as well. I have a cheap Yubikey USB dongle, which works as a passkey vault as well. Completely OS independent.
That’s not the biggest disadvantage “if used properly.” Any account you have should get a passkey on every device you own. Each device has it’s own passkey system. If you have an iPhone, yeah, you get an apple passkey, but then if you have a windows laptop, you have a microsoft passkey, a FLOSS system will have it’s own, and so on. You are already on whatever system would contain the passkey and can easily add different ones each time you get a new device.
The biggest issue is that most people use a small number of devices (including many who use 1). Passkeys work best if you have many devices, so if you lose one, you just use another to access your services. If you have 1, you need to use recovery codes (and people don’t save them).
A key for each service for each device is too impractical in real life.
Getting a new device would mean logging in to hundreds of services to link up the new device. Or somehow keep track of which services have keys with which devices. And signing up to a new service would mean having to remember to generate keys for a a handfull of devices, some of which might not be available at the time (like a desktop computer at home when you are out). Or you risk getting logged out if you loose the one device that had a key for that particular service.
I agree passkeys can make sense with something like BitWarden or KeyPassX. Something that is FOSS, and is OS and device agnostic, and let’s you sync keys across devices. And should have independent backups too. Sync is not backup.
Your password hashes (assuming they even hash them) already live on their servers…
Cool, they know the hash to that one service I signed up with them. Not every account ever.
That hasn’t been true since password managers stored passkeys, which I’ve been doing for years. Into the trash. 🗑️
Better title:
Passkeys: still trying to explain why it’s worth the hassle when it isn’t
There’s a hassle?
Every time I was prompted to use one by plugging my phone in to my computer nothing happened. That was a little over a year ago.
I haven’t even bothered into understanding what passkeys are (I know, I should check it out thoroughly) but I think that at its core it requires your phone, and as I like messing around with my hardware installing custom roms and rooting I suppose this method will be pursued by Google so, just as NFC payments, I don’t give a single fuck about it 🤣
A better, well defined API for password managers to insert login information to the site compared to text boxes.
The eco-system lock-in makes this a non-starter for me. If I could store the private keys in something like a keepass vault (or that) and do the authentication magic from that I would consider it.
You can? At least I do that. I host vaultwarden myself and store the paaskeys there.
Passkeys to me are just a better way to autofill in login data.
OK, now think how nontechnical people will not be able to do it. They will be tied to Google/X-corp for all credentials, even government ones. Waiting to be banned if their social credit is too low.
Oh I’m stoopit. I just looked up the documentation for keepassxc and it supports it too:
keepassxc.org/docs/KeePassXC_UserGuide#_passkeys
So I guess the next time I create an account that supports it I’ll try it and see how it goes.
KeePassXC supports passkeys directly through the Browser Integration service.
keepassxc.org/docs/KeePassXC_UserGuide#_browser_p…
There you go. Local, serverless passkeys in the software of your choice.
KeePass is great, it was my first password manager. Haven’t used it in a few years, but I’ll give it a go again after seeing this.
I am not dependent on any ecosystem for passkeys. I have a self-hosted vaultwarden instance that works with Bitwarden clients. I create and store my passkeys over there primarily and in my keepass db (which I primarily use for TOTPs) for redundancy. So if either one gets compromised, I can just delete the passkey for the accounts involved in that database.
No, thanks. I’ll keep using password+2FA and I hope that passkeys never become “mandatory”.
Thanks to our dystopian hellscape we live in it’ll become mandatory just like useless online ids. I hate having to explain passkeys to my family. Some fuckface suit who doesn’t use it properly pushed for a portfolio addition.
But what’s dystopian about passkeys. They are actually more secure than Password + TOTP. Phishing out a passkey is practically impossible.
What portfolio does passkeys push?
Why do you have the 4-digit PIN? Well, it’s just to unlock the part of your device where the private key is stored.
And there is the problem I have with passkeys. With a password it is me authenticating to the service I’m using. Pretty straight forward (if you ignore the operating system, web browser, network protocols, etc., but that’s part of using the tech).
With passkeys you’ve got this third party storing your keys that increases your attack surface. It could be your web browser, your OS, or some cloud provider that you’re now relying on to keep your data safe. I get that for people whose password is “password123” or who aren’t savvy enough to avoid phishing maybe this helps. But with decent opsec this overly complicates authentication, IMO.
To my point, later in the article:
Securing your cloud account with strong 2FA and activating biometrics is crucial.
What’s that now? The weak point is the user’s ability to implement MFA and biometrics? The same users who couldn’t be bothered to create different passwords for different sites? You see how we’ve just inserted another layer into the authentication process without solving for the major weakness?
With my tinfoil hat on I suspect this push toward passkeys is just another corporate data and/or money grab – snake oil for companies to get their tentacles tighter around your digital existence.
Happy to be proven wrong.
How do you currently store your passwords? I would also consider that a third party with an adittional atack surface if you are considering the passkey location one.
Also your argument
(if you ignore the operating system, web browser, network protocols, etc., but that’s part of using the tech). is faulty. That is because passkeys exist in part to mitigate those atack vectors. Mitm, a compromised browser or client, etc. is less of an issue with passkeys. The information transmitted during an authentication can not be reused on another authentication attempt.
I don’t agree on passkeys complicating things either. For me the authentication-flow is not more complicated then KeePasses autofill.
Assuming one can be ‘tech savy’ enough to not fall for fishing is bad. There are quite advanced attacks or you might even just be tired one day and do something stupid by accident.
What’s that now? The weak point is the user’s ability to implement MFA and biometrics? The same users who couldn’t be bothered to create different passwords for different sites?
You don’t expext the user to ‘implement’ mfa or biometrics. You expect them to use it. And most places where a novice would store passkeys don’t just expect but enforce it. It is also way simpler to set up biometrics on one device compared to keeping with a good password strategy.
Passkeys can’t be phished…
That’s the main point.
Today we use lots of accounts with unique passwords. Obviously these passwords have to be stored somewhere. So I disagree with you when you say it’s a unique passkey thing.
Passkey has an advantage when it comes to phishing because it doesn’t totally rely on human intelligence or state of mind.
From a personal experience my data was leaked online, not because of phishing or I was careless. but it was leaked from a well known third party site which I used. They were affected by a very serious breach. Many unlike me use the same passwords for their emails and stuffs. But in case of passkeys there isn’t a shared secret. A breach will be useless.
I think you’re making my point. First, you’re right that passkeys can’t be phished. But access to the passkey manager can be. And now you’ve doubled your exposure to leaky third parties, once with the service you’re accessing and another with the passkey manager.
You missed some disadvantages. For example the UX and complexity are terrible.
The passkey options I’ve come across so far are as close to push-button as I can imagine.
Do you mean from the developer perspective, like the complexity of the API/workflow?
Perhaps he means the process of setting it up. Or when it doesn’t work. Or when passkeys are lost. Or using another device. A lot of people’s complaints about passkeys aren’t really about when it works.
It’s valid I think, but also some people forget passwords can have similar experiences. For one, there seems to be this idea that if you lose your passkey you get locked out of your account forever. The recovery process should be no different than losing your password.
The promise of passkeys when i first grad about them was that it would be quick and easy - that you wouldn’t need to enter a username or use 2fa. The reality appears to be that this is that it’s used ** as** 2fa
Personally, I found that It works well with Microsoft, Paypal, Google, Shopify and Proton. I was really surprised to find the option on German government sites, worked there as well. Tested in Ungoogled Chromium and Librewolf. The only thing I find dissappointing is adoption
Most of the sites I’ve seen use it as the single auth source. That said, using multiple forms of authentication in a layered model only improves security.
Just don’t take away passwords + TOTP 2FA for those of us who are actually using it correctly.
lets just hold the line of “the answer is always username/password + second factor”.
could be username/password + totp could be username/password + passkey
if someone figures out my password, i dont lose everything. if someone steals my passkey, i dont lose everything.
even if i do use the same password for everything, the second factor has it covered.
(nobody will ever guess my password of ******** anyway!)
Tried Passkey in the past. I had many problems, especially could not understand why they must use my google account. Now my google account is gone, don’t gonna go that rabbit hole again, i am happy with my Bitwarden and Aegis.
Somehow PieFed is she to make them work but simultaneously many companies are shifting to “magic links” sent to your email. 😡
I've been resisting using them and decided to set one on my rarely-used and unimportant Piefed account to try it out.
Saved to Bitwarden fine on my desktop browser. When I try to log in with a browser on my phone, it asks for my username and does nothing more after that dialog closes. While I'm not sure if this is a problem with Piefed, Bitwarden, or Firefox, I'm now disinclined to try it with anything important, especially if that thing might then discourage me from logging in with a password.
I recognize the theoretical advantages, but passkeys don't do much to solve problems I actually have. All my passwords look like @A#vVukh9c$3Kw4Cs8NP9xgazEuJ3JWE and are unique. Bitwarden won't autofill the wrong domain. I don't enter credentials in links from emails I didn't trigger myself immediately before. I haven't checked whether I can reliably backup and restore them in my Bitwarden vault.
They’re device-bound certificate based authentication with some shiny bits.
Or they’re portable-via-certain-services certificate based authentication with some shiny bits.
Either way they’re new and try explaining that the user needs a new one for every device (or needs a new app to carry them around in) and that if the device dies, or the app dies, they lose it all. I have quite a few people in my life who can’t wrap their heads around using a password manager.
Personally, I find them irritating. My chosen password manager on iPhone doesn’t support them, so I need to have the iOS password vault turned on (yes, this is a dark pattern Apple has created to try to increase adoption of their password vault) to use them. Adoption needs to be much higher, interoperability needs to be better, and they need to put back the hint for which vault to use (which was removed early on to keep Microsoft and google from forcing chrome/edge vaults, but has the actual effect that chrome/edge tend to win the race over other options and means that the passkey prompt might be for a different app than the one that you prefer, leading to further user confusion)
I don’t want to boot up a fucking android VM to run some login app every time I need to log into an unimportant account that realistically I would have used “el-passwordo” for the password if it let me.
It seems like the idea behind having the passkeys synced through cloud platforms is to mitigate the device failure risk as much as possible, as any device logged into the cloud account could be used to access the passkey protected accounts. It seems a little short-sighted as it means that the passkeys are limited to AAL2 (as AAL3 requires it to be non-exportable), and depends on the security of the cloud account. The cloud account can’t use anything as secure as a passkey, as it would reintroduce the device failure risk (meaning that your security has been downgraded from AAL3 to AAL2 for no reason).
It should also be noted that if the cloud account is not phishing-resistant (which it can’t be for reasons stated above), then the accounts protected by passkeys aren’t phishing resistant either, as the cloud account could be phished, which would lead to a compromise of the other accounts.
At AAL2 you could also just use a password and OTP, which doesn’t have the vendor lock-in problems with cloud synced passkeys and has a wider adoption already.
In my opinion there is no need for cloud syncing, as device failure risk is negligible if you have a backup security key (as the failure rate of a single security key is already extremely low).
Okay, so long as a passkey is something I can memorise. Otherwise, it’s significantly worse than a regular password (assuming you use good passwords and don’t reuse passwords etc).
It seems like they want to tie it to a physical computer (like the one in your pocket), which sucks big time. What happens if I don’t have access to that computer at all times, or it breaks, or is lost?
I’m planning on getting rid of my smartphone for something that just does calls and texts for example, because I’m sick of how unhealthily reliant I, and everyone, have become on this thing, and I want to be more connected to the real world. What then?
My brain is the best place to store passkeys, it can’t be hacked, stolen, lost, etc, unlike every other option. It’s the clear winner.
Passkeys are cool but you still need 2fa. Which may as well be a passkey itself.
One factor is not great even if it’s a passkey.
Nope.
if it undermines my fifth amendment right not to testify against myself, then I’m not interested in ending the use of passwords.
Hardly anyone supports it: www.passkeys.io/who-supports-passkeys
So to use it I will have to log in with my google/microsoft account everywhere? Thanks but no thanks.
My company’s online product uses passkeys (I implemented it) more as a convenience method for login. 2FA is the base standard, and authenticated users can create a passkey for each device they want to use. Subsequent logins can then use the passkey or 2FA. Rather than having to dig out my phone, open the authenticator app, and put in the digits, I can simply use the fingerprint reader and I’m right in.
All I know is a few months back someone setup a passkey on a shared google account at my job and now nobody but knows what the password for our email is. I can use the passkey to sign in with my phone, but only I can do that.
seems like too much messing around to make it a widespread solution.
hot take: end users will be more likely to adopt security keys (or device attested passkey which = security key). Physical security, out-of-bounds cryptography to defeat AitM attacks (fake landing pages where six digit codes are stolen and silently used in perpetuity by the bad actor)
source: my job is to try to get end users to put strong MFA on all the things.
It’s the never ending battle between what’s secure and what’s practical. In order to have widespread adoption, it has to be easy. In order to be secure it requires layers of complication.
It’s a yin/yang battle.
A bank vault with walls 2 feet thick, 24/7 surveillance and requiring a two key unlock mechanism is secure compared to a house door lock on a regular suburban bungalow, but is it very practical?
The level of digital security generally attainable is limited by how likely someone is to use it.
2FA using keys is the closest I’ve seen to a happy medium, but it has to be implemented correctly. If the private keys are sitting on a cloud server somewhere and it gets hacked, is it more secure? Maybe not.
Just like real defence, the walls are only as good as the foundation or weakest point.
Yeah totally not going to be misused by corporations with proprietary cryptographic-algorithm
I’ve been mostly too lazy to look into how to use passkeys. If my normal flow is using 1password for 2fa (on mobile and on the computer), is there a way I can still use that with passkeys? It says they’re supported but I’m not sure how that’d work, because aren’t they device specific?
I just don’t want me losing access to my phone for whatever reason mean that I lose access to my accounts.
I like passkeys but ONLY as the second factor. Using them as the primary makes no sense in majority of cases.
What am I dependent on to access by stuff if I use a passkey? A smart phone?
Brokkr@lemmy.world 2 weeks ago
While the lock-in issue is annoying and a good reason not to adopt these, the device failure issue is a tech killer. Especially when I can use a password manager. This means I can remember two passwords (email and password manager), make them secure, and then always recover all my accounts.
Passkeys are a technology that were surpassed 10 years before their introduction and I believe the only reason they are being pushed is because security people think they are cool and tech companies would be delighted to lock you into their system.
hansolo@lemmy.today 2 weeks ago
This is the only accurate take in the whole thread.
Passkeys solve “well, can’t be fished” by introducing 2 new problems and never resolving super prevalent session hijacking. Even as a basic cost-benefit analysis, it’s a net loss to literally everyone.
anomnom@sh.itjust.works 2 weeks ago
That’s what I worried, and then especially to computers that age out of updates (2 older MacBooks).
We end up having to reauthenticate on some other device at some point anyway and that means there’s still going to be a weak point.
Like with 2 auth sim jacking.
l_b_i@pawb.social 2 weeks ago
I think they are being pushed because cool technology on paper. Whenever I read an article about them, I can’t help but think about the human factors. How are passkeys created, often by a password or email. okay… that looks a lot like a password. Oh you lost the passkey, here lets send you one again. It stinks of a second factor without a first. Sure, the passkey itself is hard to compromise, but how about its creation. If your email is compromised I see no difference from passwords or passkeys.
4am@lemmy.zip 2 weeks ago
They don’t email you a passkey, what are you even talking about?
LuigiMaoFrance@lemmy.ml 2 weeks ago
Cops also love them because they make getting access to your entire phone including all accounts simple as cake if you use fingerprint/faceID to unlock your device.
smiletolerantly@awful.systems 2 weeks ago
You can store Passkeys in open source password managers.
I don’t know most of my passwords, so the step to passkeys doesn’t feel like a big one. I also really like the flow of pressing Login; Bitwarden pops up a prompt without me initiating it; I press confirm. Done, logged in, and arguably more secure due to the surrounding phishing and shared secrets benefits.
Brokkr@lemmy.world 2 weeks ago
Sure, they probably work great when you have your password manager on the device, but that’s not when I need to have backup routes into my accounts. When using a new device, or someone else’s, having even a complicated password that can be typed or copied-pasted has way more functionality.
As far a I can tell, using passkeys would only risk locking me out of my accounts. Everyone else is already effectively locked out.
Septimaeus@infosec.pub 2 weeks ago
Yeah the moods in this thread, like
“[I don’t understand this]!”
“[I don’t trust this]!”
“[It doesn’t fix everything]!”
“[This doesn’t benefit me]!”
“[What’s wrong with old way]!?”
And like, all valid feelings… just the reactions are a bit… intense? Especially considering it’s a beta stage auth option that amounts to a fancy version of the old sec key industry standard, not the mark of the beast.
JackbyDev@programming.dev 2 weeks ago
I was never prompted to do such a thing. It always just told me to plug in my phone (and even that didn’t work).
4am@lemmy.zip 2 weeks ago
Password managers store passkeys. They’re portable and not device-locked. Been using them on Bitwarden for like 2 years now.
Brokkr@lemmy.world 2 weeks ago
It is not portable in the sense that you need bitwarden installed on the device you are trying to connect from.
Passwords can be plain text, which means I can copy, paste, and dictate them to a device that does not have additional software installed.
umbrella@lemmy.ml 2 weeks ago
its being pushed because corporations want to control your passwords with lock-in.
no way i’m using that garbage over my own manager with recallable plaintext passwords.
Sl00k@programming.dev 2 weeks ago
You can transfer passkeys between platforms? This is a non-issue
HubertManne@piefed.social 2 weeks ago
I came to sorta say this. Regardless of the system if it can fail and if people have to recover an account then phishing will always be a thing. In person options to deal with an account like with bank branches or government offices are the only true way of making things more secure. I sometimes think it would make sense for this. One rare thing I have seen that gives me a bit of hope is the use of in person at the post office for us government accounts. Thats exactly how it should be done. Secretary of state for state and usps for federal. They are the only agencies with enough physical locations.
jj4211@lemmy.world 2 weeks ago
Question is by what? I could see an argument that it is an overcomplication of some ill-defined application of x509 certificates or ssh user keys, but roughly they all are comparable fundamental technologies.
The biggest gripe to me is that they are too fussy about when they are allowed and how they are stored rather than leaving it up to the user. You want to use a passkey to a site that you manually trusted? Tough, not allowed. You want to use against an IP address, even if that IP address has a valid certificate? Tough, not allowed.
Brokkr@lemmy.world 2 weeks ago
They were surpassed by password managers and 2fa.
cmhe@lemmy.world 2 weeks ago
I use them with bitwarden and a self hosted vaultwarden. If my phone breaks, no issue. If my server breaks, I got local backups… Keys are stored encrypted in a postgres database for which I have access, if I need to restore it. No lock-in issue or risk of loosing access when one or two devices break.
Brokkr@lemmy.world 2 weeks ago
That sounds great, but also isn’t a solution for most people.
Fmstrat@lemmy.world 2 weeks ago
Not to mention Apple decided to make passkeys Airdropable. Fun.
I worked on a cool projected called FedID: fedid.me that creates a distributed identifier (DID) out in the world, federated with AvtivityPub, and gives you a key you can sign in with via OpenID Connect. It allows the DID to have multiple keys for multiple devices, and delegate authority, so losing a device/failure is no big deal.
That being said, Web passkeys can be stored in password managers, just like passwords.
sentientRant@lemmy.world 2 weeks ago
Even if you are really careful, your details can always be leaked from a company server during a breach. If the companies adopt passkeys, that issue isn’t there. Because there isn’t a password anyone can randomly use. That’s why I feel big tech companies are moving towards it.
xthexder@l.sw0.com 2 weeks ago
Companies should already be storing password hashes, so the risk of leaking a hash vs a public key is roughly the same. It’s just that private keys are generally longer than passwords and therefore harder to bruitforce.
Any company storing passwords in a recoverable format deserves to be hacked.
Brokkr@lemmy.world 2 weeks ago
Yes, you have to trust the company storing the passwords.
A good company can store passwords in ways that are secure to most hacking attempts. It isn’t impossible to break the encryption typically used, but it is difficult enough that most thieves will not have the resources or time to make use of the data. They want the low effort password databases, not the difficult and expensive ones.
cenzorrll@piefed.ca 2 weeks ago
I’ve found a pretty good use for a passkey. Docusign. About every 3 months I need to docusign something at work. The process involves logging in, changing your password, logging in again, opening the document, logging in to sign, logging in to finish. The only steps you get to skip if there’s more than one document is the initial log on, and changing password. So with a passkey I just touch it a bunch of times and there’s no password change.
Brokkr@lemmy.world 2 weeks ago
Sounds like a password manager would make that way easier. Changing your password would involve a few extra clicks. Also, you might want to check with your IT folks. Asking people to constantly change their password is a good way to weaken password strength. I don’t use docusign, but there is probably a setting that they can change.
pr06lefs@lemmy.ml 2 weeks ago
sounds like a better solution is don’t use docusign