Submitted 4 months ago by sentientRant@lemmy.world to technology@lemmy.world
https://sentientrant.com/cybersecurity/passkeys-explained/
Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
It’s the never ending battle between what’s secure and what’s practical. In order to have widespread adoption, it has to be easy. In order to be secure it requires layers of complication.
It’s a yin/yang battle.
A bank vault with walls 2 feet thick, 24/7 surveillance and requiring a two key unlock mechanism is secure compared to a house door lock on a regular suburban bungalow, but is it very practical?
The level of digital security generally attainable is limited by how likely someone is to use it.
2FA using keys is the closest I’ve seen to a happy medium, but it has to be implemented correctly. If the private keys are sitting on a cloud server somewhere and it gets hacked, is it more secure? Maybe not.
Just like real defence, the walls are only as good as the foundation or weakest point.
You missed some disadvantages. For example the UX and complexity are terrible.
The passkey options I’ve come across so far are as close to push-button as I can imagine.
Do you mean from the developer perspective, like the complexity of the API/workflow?
Perhaps he means the process of setting it up. Or when it doesn’t work. Or when passkeys are lost. Or using another device. A lot of people’s complaints about passkeys aren’t really about when it works.
It’s valid I think, but also some people forget passwords can have similar experiences. For one, there seems to be this idea that if you lose your passkey you get locked out of your account forever. The recovery process should be no different than losing your password.
Passkeys are cool but you still need 2fa. Which may as well be a passkey itself.
One factor is not great even if it’s a passkey.
Need is a strong word.
2FA is a pretty good idea for some applications and needless hassle for others. I don't need most of my accounts to have 2FA; I use a password manager with strong unique passwords, and for many accounts, having to make a new one would be an inconvenience rather than a tragedy.
Service providers might be motivated to force it on me if stolen accounts could cost them money, but most of them don't need to; it's just the most expedient move for them.
You still need 2fa I think most passkey implementations incorporate multiple factors already. The session factor is considered distinct from the device factor, even if it’s all on the same device.
Which isn’t super different from the traditional USB key procedure, where a user would activate a FIDO biometric after clearing an SSO portal, or what have you.
Passkeys are cool but you still need 2fa.
How do you use it then if you need to share access in the whole team?
You don’t share your personal password across the whole team now, do you? At least for your teams sake I hope you don’t.
- Built-In Two-Factor Security – Passkey logins use your private key stored on your device and your face or your fingerprint or your PIN. Unlike password, these cannot be easily replicated by a scammer.
This only applies though if it's a per-device passkey that uses a private key stored securely that cannot be exported.
If the private key can be exported, it can be stolen and the factors becomes invalid.
But people also store their private key in cloud solutions (some here mentioned doing that) which just makes the factor invalid anyway, since then it's not device-bound anymore, and it's the device that verifies your identity with those methods.
Like, what if someone hacks the cloud service storing the passkeys and steals them? Not really any different from storing passwords in a cloud, and that one isn't called 2FA either.
Isn’t this optional? I use passkeys and have yet to be asked for anything else in addition to it.
Somehow PieFed is she to make them work but simultaneously many companies are shifting to “magic links” sent to your email. 😡
Yep… It’s as secure as your email. Or they are just leveraging the passkeys on the emails.
I’m not really concerned about the security of it. Moreso the inconvenience of having to open my email client, specifically on the same device, and then sit there and click the refresh button over and over, waiting for it to come through, and then having to go back and delete it after so there’s not even more clutter in my inbox…
kjetil@lemmy.world 4 months ago
The biggest disadvantage:
More eggs in the American megacorp basket for more people, yay
lmmarsano@lemmynsfw.com 4 months ago
That hasn’t been true since password managers stored passkeys, which I’ve been doing for years. Into the trash. 🗑️
Jason2357@lemmy.ca 4 months ago
That’s not the biggest disadvantage “if used properly.” Any account you have should get a passkey on every device you own. Each device has it’s own passkey system. If you have an iPhone, yeah, you get an apple passkey, but then if you have a windows laptop, you have a microsoft passkey, a FLOSS system will have it’s own, and so on. You are already on whatever system would contain the passkey and can easily add different ones each time you get a new device.
The biggest issue is that most people use a small number of devices (including many who use 1). Passkeys work best if you have many devices, so if you lose one, you just use another to access your services. If you have 1, you need to use recovery codes (and people don’t save them).
kjetil@lemmy.world 4 months ago
A key for each service for each device is too impractical in real life.
Getting a new device would mean logging in to hundreds of services to link up the new device. Or somehow keep track of which services have keys with which devices. And signing up to a new service would mean having to remember to generate keys for a a handfull of devices, some of which might not be available at the time (like a desktop computer at home when you are out). Or you risk getting logged out if you loose the one device that had a key for that particular service.
I agree passkeys can make sense with something like BitWarden or KeyPassX. Something that is FOSS, and is OS and device agnostic, and let’s you sync keys across devices. And should have independent backups too. Sync is not backup.
Septimaeus@infosec.pub 4 months ago
This is a big one. Lock-in and the threat of provider blacklisting means it will remain a shortcut like SSO (“sign in with ____”), albeit higher security, until we’ve established federated providers with open standards.
Vittelius@feddit.org 4 months ago
And they can be hardware based as well. I have a cheap Yubikey USB dongle, which works as a passkey vault as well. Completely OS independent.
3abas@lemmy.world 4 months ago
Your password hashes (assuming they even hash them) already live on their servers…
Shayeta@feddit.org 4 months ago
Cool, they know the hash to that one service I signed up with them. Not every account ever.
Doccool@lemmy.world 4 months ago
Currently I use a FOSS (I think?) password manager, BitWarden, that supports passkeys. I use it across Mac, Windows and Android so I’m while my passkeys are locked yo the password manager, I am not locked to any of the aforementioned megacorps.
kjetil@lemmy.world 4 months ago
I use BitWarden too. OS , device and browser agnostic is a win
But I imagine the vast amount of people will use whatever their platform is pushing, so Apple Google or Microsoft. And in 5 years time “3rd party passkeys” are not “secure enough” and blocked by the OS. (Ok that’s a bit tinfoil hat, but Google’s recent Android app developer verification scheme is fresh in mind)
Septimaeus@infosec.pub 4 months ago
KeePassXC has begun rollout of their own implementation, and I’m pretty sure they’re considered FOSS.
From a quick scan of the white paper, it appears they’re currently using on-device passkey discovery and otherwise “intercepting” passkey registration workflows, which I take to mean they aren’t originating the request as a passkey registrar. This may be the easiest method to satisfy FIDO’s dID requirements.
SkaveRat@discuss.tchncs.de 4 months ago
While I use and love bitwarden, it’s not exactly foss. Although there is a foss implementation of their server backend