[deleted]
Yea, I’d rather have a 32 character password created by my password manager. Instead of adding individual keys to each device, having all decives access the same database is much simpler.
[deleted]
Submitted 3 weeks ago by AcesFullOfKings@feddit.uk to technology@lemmy.world
Comments
CaptainBasculin@lemmy.bascul.in 3 weeks ago
MentalEdge@sopuli.xyz 3 weeks ago
I think the only passkey I have is stored in my VaultWarden. Though it only works in browsers atm.
InnerScientist@lemmy.world 3 weeks ago
Works on android too.
Appoxo@lemmy.dbzer0.com 3 weeks ago
Windows recently introduced support for Passkeys.
But it can only be used with Bitwarden, if you have Windows Hello enabled ¯\_(ツ)_/¯
And I don’t want to use anything else than a regular password.
KairuByte@lemmy.dbzer0.com 2 weeks ago
I’m legitimately confused by this. Why would you want an inherently less entropic piece of data that is inherently handled less securely to secure your data?
CaptainBasculin@lemmy.bascul.in 2 weeks ago
Convinience is a key part. Let’s say I have bought a new device and have 50 accounts on different platforms. The way I’d do with only passkeys is that you would create 50 different keys individually for your new device, using a device that has logged in.
Password manager? I download a keepass compatible app, have it connect to my FTP for its database, enter my unnecessarily long key word or a random file i store seperately; and now I can access to all of my accounts.
As long as I do not somehow get both my database and its key word/file leaked at the same time, my accounts are as safe as whatever passkeys can provide.
Engywuck@lemmy.zip 3 weeks ago
Something I’m personally going to avoid as long as I can.
paraphrand@lemmy.world 3 weeks ago
Not feeling great about the opening saying keys are necessarily locked to a single device. If that was true, they wouldn’t be in active use.
ada@piefed.blahaj.zone 3 weeks ago
Yep. I use them because my password manager handles cross device passkeys. If I had to set passkeys up on every single device I use, per device per web service, I don’t think I’d bother with them…
0x0@infosec.pub 3 weeks ago
Obligatory github.com/keepassxreboot/keepassxc/issues/10407
It’s just bullshit that the ‘industry’ is trying to push because ‘security’, catch me dead before I give up access to my private keys to some faceless multibillion corpo
LPThinker@lemmy.world 3 weeks ago
The number of times I’ve seen people link to this thread while completely misunderstanding the context of it drives me nuts. The issue isn’t being able to export keys, it’s that KeepassXC was making it trivial to export keys in plaintext with no user warning/verification, which fundamentally undermines the biggest security advantage of passkeys - phishing resistance. In other words, if users can be easily talked through exporting their keys via a simple in-app flow that gives them no warning about the danger of what they’re doing, then they will do that and be scammed horribly by it.
The person who raised the issue was asking KeepasXC to come up with a better solution for exporting keys - originally he asked them to wait for the now standardized process that every passkey provider uses, but then they settled on showing the user an explicit warning about the danger of plaintext exports in the meantime.
If you choose to read the most hostile and uncharitable subtext into every word a person writes in public, you can misunderstand what he’s saying. Otherwise, this is a pretty cut-and-dry example of a person genuinely trying to support the interests of end users.
SpiffyPotato@feddit.uk 3 weeks ago
He does caveat that statement around 10 minutes into the video. But I still think it can be a useful technology even if it’s not portable since it can ease a typical sign in flow. I don’t think as this stage it’ll fully replace passwords.
ndupont@lemmy.blahaj.zone 3 weeks ago
After watching that, I was like OK, let’s give it a chance. So I did create a passkey that I stored in Bitwarden on my laptop. There was no f’in way to use it with my Android phone. I gave it a try, passkeys won’t happen I think.
nostrauxendar@lemmy.world 2 weeks ago
Gotta be honest, the fact that it feels like every website now asks me if I want to set up a passkey makes me thoroughly, deeply, wholly skeptical of this thing.
ThomasWilliams@lemmy.world 3 weeks ago
What is the point of having a passkey on OneDrive ?
isn’t the whole point of OneDrive that you can access your files anywhere ?
Am I missing something here ?
eager_eagle@lemmy.world 3 weeks ago
“Anywhere you have your password manager” is useful
aesviation@lemmings.world 3 weeks ago
I’m good.
This seems like one of those tech industry powerplays where they keep telling us what we want instead of giving us what we want.
DSN9@lemmy.ml 2 weeks ago
Passkeys are good if stores locally on the device. However, if used with a password manager the security benefit is lost, and thus actually weaker.
2fa, like Aegis for most people, or better yet Fido key for advanced users?
KairuByte@lemmy.dbzer0.com 2 weeks ago
How do you figure that a passkey in a password manager is weaker? Especially when compared to username/password/2fa all stored in that same password manager?
majster@lemmy.zip 3 weeks ago
Client side TLS certs are basically the same stuff and it works nicely. Too bad they didn’t improve on that. My guess is that the big boys want to handle it at application layer.
Appoxo@lemmy.dbzer0.com 3 weeks ago
To me they seem
A More user friendly
B Abstract away the burden of keeping the mTLS synchronized across devices
C Can be used in hardware and software.Feel free to correct me if my assumptions are wrong.
majster@lemmy.zip 3 weeks ago
Is your B point properly addressed by Passkeys? With all this talk about export I presume not. Client certs seem abandoned, you can’t use it on mobile.
raynethackery@lemmy.world 3 weeks ago
Oh Dr. Mike, a little more gray at the temples. Why must time pass?
chunes@lemmy.world 3 weeks ago
I would rather have technology that reduces the number of accounts necessary for stuff
JohnEdwa@sopuli.xyz 2 weeks ago
hperrin@lemmy.ca 3 weeks ago
A passkey is a key pair where you keep the private key and give the public one to the service. Then you can log in by proving you have the private key. Fairly simple in theory. Horribly complex in practice.
MentalEdge@sopuli.xyz 3 weeks ago
Doesn’t a normal modern password, hashed, essentielly do the same thing?
No sabe service has your actual password.
kn33@lemmy.world 3 weeks ago
There’s a few differences. One is the length. Another is the randomness. The biggest, though, is that in a passkey, the server is verified as well. That means phishing is nearly impossible.
hperrin@lemmy.ca 3 weeks ago
Yes, kind of. You’re still giving them your password every time you log in. And it’s on them whether they store it hashed or in plain text. With a passkey, you know that even if they’re hacked, they’ll never get your actual private key.
EncryptKeeper@lemmy.world 3 weeks ago
No. When you log into a website your password is sent to the server. A passkey is not.
scarabic@lemmy.world 3 weeks ago
Granted this was 1999 but I wish I could unsee the shit I saw one day when I did a SELECT password FROM user
EncryptKeeper@lemmy.world 3 weeks ago
Complex how exactly?
hperrin@lemmy.ca 3 weeks ago
Here, these specs are what they’re based on:
passkeys.dev/docs/reference/specs/
scarabic@lemmy.world 3 weeks ago
And what is a private key? How exactly do you “keep” it across multiple devices? It’s all still black magic to me.
hperrin@lemmy.ca 2 weeks ago
Basically, in public key cryptography, you can generate two sets of numbers that are mathematically related, one called the private key and one called the public key, collectively called a key pair.
Through a lot of fancy math, you, with your private key, can take a number I give you and give me back another number called a signature. I, with your public key, can do even more fancy math to prove that you do, in fact, have the corresponding private key to the public key I have based on this signature.
If you give me the wrong signature, I can’t trust that you have the private key, and you don’t get authenticated, but if you give me the right signature, I can trust that you’re you, and you get authenticated.