Submitted 7 months ago by Tibert@jlai.lu to technology@lemmy.world
Passkey is some sort of specific unique key to a device allowing to use a pin on a device instead of the password. But which won’t work on another device.
Now I don’t know if that key can be stolen or not, or if it’s really more secure or not, as people have really unsecure pins.
While I would agree this sounds more secure, I’m always worried about people getting further locked in to Google’s products.
Hopefully this system won’t take accounts “hostage” by requiring you use Chrome to log in to them, but it’s Google, so…
We’re sorry, Firefox cannot access your IMEI to fingerprint your device. Please use a modern web browser like Chrome, Chrome, or maybe try Chrome.
Mozilla is in the process of implementing passkeys in Firefox. This page tracks the status of various implementations of passkeys.
Did you just make up something that could happen and then get mad about it?
Passkey is an open standard. It’s not Google specific.
That’s good to hear. I don’t know much about passkeys, and I should really spend some time learning about them. Didn’t mean to fear-monger, but I guess I’m getting more cynical these days.
Updated my root comment to reflect this.
it’s passkeys. they are getting integrated in a lot of stuff right now, including password managers like bitwarden
Use a yubikey, that doesn’t vendor-lock you to an OS ecosystem. They make one with nfc so it’s not a pain to use with your phone.
I’m not sure if this is universal or specific to the last site I tried to use my Yubikey with as a passkey, but it only would allow it to be used as 2FA, not actual passwordless authentication.
I assume this is because Yubikeys don’t create a secret for each individual website I suppose? Not exactly sure about that one.
Mot likely it won’t need to have chrome. However maybe Google services may be required.
However it is also very likely, if a device cannot support such feature, it will only require a password and 2fa.
Nope. Not going to have my entire digital everything depend on me not losing or breaking a single electronic device.
From Ricky Mondello, who works on passkeys at Apple: “If it’s device-bound, it’s not a passkey”:
That’s a terrible take … He’s confusing “what it does and how it works” with “how you manage it”.
It’s like saying “don’t call it a password if you write it down”. It’s confusing and unhelpful.
You won’t need to?
The key is for a single device. Logging in on another one is going to generate another key.
They key is secured with the pin of the device, so when you try to log in, you can use the pin to log in, and not the password.
Would you have to set up multiple devices when making your account then, if you wanted more than just your phone?
Thanks for posting this video. Very good explanation for those unfamiliar with the technology.
Do you not use MFA at all then?
I have the KeepassXC database with the TOTP thoroughly backed up, so nope.
Authy on the phone while also using their desktop app. If you lose the phone you still have options.
If your MFA is bound to a single device and you have no backup then you’re doing it wrong.
Fuck google.
passkeys sounds good on paper and for most users on day to day stuff should improve their security. But the failure path is horrible and it happens at the worst case most of the time. If I have the keychain on the phone and lose it or is out of battery and usually happens that I need to access some service like email, then if the email provider starts forcing people to use passkeys or you only have that method on, then I’m locked out of the account and can’t use email. This will happen for all other services that one may need to use on an emergency. Personally I don’t like it.
Ummm??? What keychain? Passkeys don’t have physical keys. I think you’d better learn more before cursing Google. BTW Apple supports them as well.
“Keychain” is often used colloquially to refer to a piece of software that holds passwords and other secrets, which can include passkeys depending on the implementation.
It’s definitely more secure, since stealing someone’s phone is much more difficult to scale up compared to stealing passwords.
I don’t think that access to your personal data/email/files being dependent on a battery-powered electronic device is a great idea, to be honest.
That’s why they invented chargers, eh.
But more seriously, there are recovery procedures if you lose a phone with or without a backup and if you are willing to share the keys with a cloud provider, you can also store them there and use them on any of your devices.
Or you can get something like a yubikey if the battery aspect is really that problematic for you.
My understanding of Apple Keychain is that every credential is useable from every device, and can be backed up and restored to a new device. Most importantly Apple doesn’t have access, although we have to trust them on that
It’s not quite unique to a specific device. You can store your private key in a password manager or something similar, and then access it from other devices
Depends on your personal choice. You can definitely limit them to a single, hardeneddevice if you want the highest level of security.
For most users and most situations, a synced solution will be preferable.
But it becomes much easier if you want to compromise a specific target individual
No, not really.
Even if you want to target a specific user, it doesn’t become necessarily easier.
Unless you happen to target an individual that combines good password OpSec with shitty phone OpSec.
But I would expect those to be a minority.
Me, at the bank:
Robbers, as they enter the bank: everybody freeze
Me: ah shit
Robbers: everyone give me your phones
Me: aw hell naw
mission impossible style shootout
I have a very long list of questions about PassKeys and none of this articles explains them well enough.
Yes, but that’s missing the important part.
Passkeys is not primarily about asymmetric keys. It’s about applying asymmetric keys to the Web as an open standard.
The W3C Web-Authn standard is what makes it important and revolutionary.
This is just as important as HTML, CSS and ActivityPub.
Finally we have an open standard that integrates in the web and offers a high level of security.
Just an example of protocol different than HTTP.
Nothing of that?
You don’t need to export or know what is the key.
The key is different for each device.
You don’t need to export or know what is the key.
But is it possible in the implementation of Android/iOS?
Backups are a thing. With SSH keys I have different key for every device too, but as they are stored in an accessable file (as all computer data should be) they are backed up with the rest of the system.
Here is an alternative Piped link(s):
https://piped.video/6lBixL_qpro?si=wFFQwrfjQBKDHs5B
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.
people have really unsecure pins.
Ok but what’s unsecure with ‘1111’ as long as I’m telling the order of the digits to anybody?
It can be cracked in less than a second?
If someone never loses their phones, laptop… Maybe it’s secure.
But if someone steals it, how secure can it be? Is the key protected by the pin encryption? If so the encryption is now useless.
Here is a French video about Micode interviewing the French DGSE : youtu.be/g_jEz6aF2b4?si=-sUAIvDf4F7-7kGc
They crack the phone security in 4 seconds with the pin beeing : Mic0rp2022. The software used is hashcat, an open source tool.
Pretty sure he was being sarcastic
Here is an alternative Piped link(s):
https://piped.video/g_jEz6aF2b4?si=-sUAIvDf4F7-7kGc
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.
Someone else correct me if I’m wrong but it works similar to PGP.
Background info:\
Usage:\
As you point out, the single point of failure is access to the passkey repository. Of course, this will usually be 2FA, so much more secure than simple passwords which people usually employ.
One major issue, IMHO, is vendor lock-in. I’ve no doubt Apple is going to make migration away from iCloud a huge pain in the ass. It’s just another way they’re going to make it difficult to leave their ecosystem.
I’m also worried about backups. People lose access to their Google and Apple accounts routinely for any and no reason at all. Will these keys be stored in the cloud? If so, access to EVERYTHING is just a capricious random algorithm away from being lost.
I wouldn’t touch any passkey system which doesn’t provide a seamless way to migrate away especially if I’ve lost access to my Apple/Google account.
Having a seamless way to migrate away is itself a security risk, since that method could be used by attackers to compromise the key store. The migration path for any of the major players (Apple, Google, Microsoft, Yubikey) involves logging into each site you used a passkey with, adding a new one from your new passkey store, then revoking the old passkey.
Password managers that store Passkeys may handle this differently, though, and are your best bet if you want migration flexibility.
How does this work with checking my emails on a public computer in a library, for example? Somehow my private key needs to be shared with the library pc?
Not necessarily. I can’t imagine they’d want you to login to your iCloud or Google account on a public computer. It will probably work how Microsoft “Authenticator” works or how when you try logging in to iCloud or your Google account when you have 2FA turned on:
No sharing of keys necessary
Am not buying the idea. It sounds great on paper but in reality it doesn’t feel better. So idea is you have private and public keys, like many other forms of encryption out there. Private is stored on your device, and public is stored on account holder, like Google. Since keys are mathematically linked anything signed with private key can be verified by public key and vice-versa.
This is great technology and has been proven for decades now. It essentially means your device and account holder can exchange data without anyone ever finding out your private key since it never leaves your device.
However, issues. Keys are backed up somewhere and still depend on password, be it pin or regular old password. Recovering lost key means using password still. That means attack vector has just shifted and they won’t try to steal your key but social engineer their way into phishing your original password, making the whole thing a bit pointless.
Another things that worries me is the possibility each device will have its own key, although they claim transferable. Depending on what data is used to authenticate and prove device is owned properly this can be used to fingerprint users. For example IMEI or some other unique id, etc. Something that’s not easily done with passwords.
Biggest one is the fact it will negate two factor authentication. Verifying code on your phone and knowing password is difficult to exploit since it requires a lot of effort… possession of the device and knowledge of password. But with passkeys, there’s no password to remember and everything boils down to owning a device. They are then relying on the OS and device itself not to leak sensitive information. Not something I’d rely on.
Also, private key being backed up on Google means should they ever leak data someone can get everything they need to access your account. Private keys being protected by simple pin or password means nothing and would probably be easily broken due to simple nature of the protection.
Am not convinced this will see such high adoption as so many are claiming it will have.
Most hardware today has what’s called a TPM. It’s a physical hardware chip that can store certificates in a way that can’t be extracted.
It’s way more secure than someone stealing a cer file.
It doesn’t feel better? Good thing security doesn’t care about feelings. The fact is it is more secure no matter what it feels like. Privacy is maintained since you use a new key with each site. There is no IMEI or anything like that in the passkey spec. Social engineering ranges from more difficult to impossible depending on if you use a synced, local software based, or hardware based passkey system.
You have a lot of incorrect assumptions. Read support.apple.com/en-us/102195 and fidoalliance.org/passkeys/#faq.
The problem with Google's passcodes:
In fact, I have not bothered even with 2FA for google accounts. At this point these are just "garbage collection accounts" for spam and youtube subscriptions/playlists, anyway.
i don't own a 'device' to use for this. i don't even want one.
How long do you think this will last until the kill it?
Until Google “kills” passkeys as a default for personal accounts? They probably won’t. Google can’t kill passkeys in general btw, it’s an open standard not a Google thing.
a year maybe
This video about passkeys is fascinating. They are very secure even if your pin is 1234. The only way for someone to hack your account is if they have your device.
Here is an alternative Piped link(s):
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.
This is the best summary I could come up with:
Google is taking a big step toward making passkeys the default login option for its users.
Starting today, users logging in to personal Google accounts will be prompted to create and use passkeys instead of passwords when possible.
They’re both easier to use and more secure than passwords, so users no longer need to rely on the names of pets, birthdays or the infamous “password123.” Instead, passkeys let users sign in to apps and sites the same way they unlock their devices: with a fingerprint, a face scan or a screen lock PIN.
And, unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.
Google has been experimenting with passkeys across numerous products, including Chrome, over the past year.
Users who want to forgo passkeys can uncheck the “skip password when possible” option in their accounts.
The original article contains 289 words, the summary contains 146 words. Saved 49%. I’m a bot and I’m open source!
lucid@programming.dev 7 months ago
Man, the amount of fearmongering and anti-Google rhetoric in this thread makes me sad. Passkeys are almost entirely a good thing and are supported by many big and small companies.
No, it won’t lock you into Google, it’s an open web standard. Google will have an Authenticator, Apple will, and third parties will spring up to support it as well. And there’s no lock in, you can get a new passkey when you want to switch devices or providers.
No, someone who gets access to your device can’t get access to everything if you have basic security hygeine. Secure your passkeys with a secondary password or use biometric authentication.
Yes, it’s almost a straight upgrade to text passwords. They are immune to phishing attacks and other social engineering tricks, and you don’t need to remember long strings of numbers and letters anymore.
Do your research people, sheesh.
HidingCat@kbin.social 7 months ago
This is starting to really get on my nerves, and I feel like discourse on the fediverse is worse; basically the attitude is that if it's not FOSS and self-hosted, it's shite. That attitude is fucking grating for the rest of us.
alvvayson@lemmy.world 7 months ago
The irony is that it’s an open standard. There are FOSS implementations you can self-host. Server side, client side, soft token, hard token. Everything.
github.com/herrjemand/awesome-webauthn
People on this thread are just really ignorant, even self-proclaimed security experts.
scorpious@lemmy.world 7 months ago
This and if any business anywhere manages to reache a significant level of success — and has the nerve to charge money for their service — it’s a sign that capitalism doesn’t work and corporations are inherently evil.
I just assume it’s an age thing.
lloram239@feddit.de 7 months ago
An online authentication system is quite literally the one central thing your whole digital life depends up on. If it’s broken, it can completely f’up your life and remove you from existence in the digital space. So there is extremely good reason to be skeptical when big-company tries to force you into a new thing. Especially when said big-companies have a history of f’n things up on purpose (remember G+ forcing real names on everybody and bundling previously unrelated accounts into one monolithic one?). Or take HTTPS, which was sold us with “bringing more security”, when what it actually did was kill large chunks of the open and self-hosted Web.
AWittyUsername@lemmy.world 7 months ago
Big tech have done this to themselves
CosmicTurtle@lemmy.world 7 months ago
The problem with passkeys is that surrender of a physical key is not protected by the 4th amendment and subject to seizure. From a security perspective, I agree that passkeys are good. But I only use a physical key as a secondary factor. Never a primary.
The courts have ruled that you can’t be forced to give up a password or passcode. (We’ll have to see if the current court will keep this precedent.)
Until we get better privacy protections, I’m not trusting passkeys whole cloth.
alvvayson@lemmy.world 7 months ago
You can protect your passkeys with a knowledge element.
But I don’t see your use case. Passkeys are about logging in to webservices, not about protecting devices.
Web service providers can always be ordered to surrender your data by a court. Very few of them even try to encrypt your data. And for those that do, a court order could still force them to intercept your password and decrypt the data.
mystik@lemmy.world 7 months ago
There is no implementation right now that enables you to own and manage your own passkey backups without Google it icloud.
Additionally, the attestation feature is one step away from banks and other sites mandating specific implementations, preventing people from using software tokens or OSS managers.
Passkeys is great, and I am eager to recommend it to everyone, but without those items addressed, it’s a trap door, and one bitflip away from very strong lock in.
Rehwyn@lemmy.world 7 months ago
My understanding is that, currently, a PIN or password is protected so if you secure your phone with that, access to it is under 4th amendment protection. Given this, I’m curious how passkey legality would work out since it’s a physical key, but access to use it would still require “something you know”.
sebinspace@lemmy.world 7 months ago
Google is a lot of things for a lot of reasons. This isn’t one of them. There’s plenty of reasons to bash them without needing to pull shit out of one’s ass