57 votes

Phasing out passwords: Apple to automatically assign each user a Passkey

105 comments

  1. JustLookWhoItIs
    I feel like I don't understand passkeys enough to want to use them. Right now it sounds like I'm giving Google/Apple/Microsoft more information in exchange for not having to type in a username and password or use Bitwarden or something.

    I've read Google's page about them but I just don't really get it. Why is this better? Because it's faster?

    37 votes
    1. SpinnerMaster
      https://www.nytimes.com/wirecutter/blog/what-are-passkeys-and-how-they-can-replace-passwords/

      • Passkeys are unique to each website (no reuse vulnerability like the same password reused on multiple websites)
      • Requires some sort of biometric, so your physical presence is required
      • No password transmitted over the network
      20 votes
      1. RapidEyeMovement
        A hill I will die on. Biometrics are worse than passwords in every way imaginable. You cannot change your biometrics. You can change your password.

        78 votes
        1. sparksbet
          also iirc police can force you to unlock your phone with biometrics but can't make you give up your password. IANAL though, that's just something I heard somewhere

          40 votes
          1. Eji1700
            I think the slightly more detailed but still IANAL answer is that it's not something that's ever been tested in court, while a standard password has. This is all US based of course, not sure what the deal in other countries would be.

            So until a senator/banker/CEO is forced to use their thumbprint against their wishes, it's very possible the cops might do the same to you and then say "screw you fight it in court".

            5 votes
          2. gf0
            Which is why iPhones for example always boot up asking for a password first. Security is not a zero-sum game: there are conscious design decisions that have huge impacts. I believe iPhone’s (not sure if this should be attributed to them) use of biometrics greatly improves the security of your average citizen (my mother has a model with a non-working Face ID and I’m sure you could guess her password in like 2 takes… she could surely use a better one were she not having to input it all the time).

            Also, you can always just long press the power and a volume button, or press the power button like 5 times (both actions can be done blindly in your pocket) to bring up the emergency call screen — which will at the same time mandate a password for the next unlock, making that threat model largely irrelevant.

            (Note: in several legislatures you can be mandated to give up your password as well, e.g. not doing so being a crime, so you really have to be creative to come up with a situation where it would actually impact one’s security)

            2 votes
        2. Macil (edited)
          The biometric isn't transmitted to the site. It's just used to unlock your device that contains the key data. The key data can be revoked.

          9 votes
        3. log0ymxm
          They make up one part. Something you know, something you have, and something you are. I agree they don't work if it's the only factor in authentication.

          5 votes
        4. vord
          Agree. They are at best an OK supplemental MFA or for recovery purposes.

          3 votes
        5. Halio
          A hill I will die on. Biometrics are worse than a passwords in every way imaginable.

          Definitely not every way. Your biometrics can't be phished, brute forced, stolen in transit, etc. It's only worse if you physically are being forced to use them to unlock one of your devices, but someone could likely just force you to give them your password as well in that case.

          Going passwordless and using MFA is objectively the best security you can get for your accounts, the second best option is using a password manager with randomized passwords together with MFA.

          3 votes
      2. JustLookWhoItIs
        I'm a little stuck on the "what happens if you lose your phone or laptop" section.

        So I lose my phone and the only thing I can do is... find it or get a new phone? I'm locked out of all my accounts until I do that and recover the passkey? My phone dies, and I'm locked out of signing into things until it's charged up and on again? What if I don't have a signal on my phone but need to sign into something that's, say, wired via ethernet?

        I have an iPad, an Android phone, and a Windows desktop. Can they share the same passkey, or am I going to be picking one and scanning a ton of QR codes all over the place?

        Can I have multiple accounts on the same website/app under the same passkey?

        I know you're not like, the designer of passkeys or anything, but these are just things that pop into my head as I read the article. Thank you for linking it.

        35 votes
        1. pum (Exemplary)
          This is my security layman's understanding, so please correct me if I'm wrong, but I think a simple way to explain it would be like this.

          Currently to log into a website you need to submit your login/email and password (the things you know). For more security you can set up multifactor authentication to also require proof of something you have (like receiving a timed code on your phone) or something that you are (using a face scan or fingerprint reader), because it decreases the chance that a malicious actor will have all of your authentication factors.

          This comes with a few downsides. First, you need to actually submit your login and password to the host. If the host is sane, they will not store your password in plain text, but its hash — a key that's derived from your password. It's practically impossible to recover a password from its hash, but if an attacker has access to a leak of the hashes database, they can try hashing various password candidates with the same algorithm and see if one of them will produce the same hash. This becomes a problem because a password is typically something that's kept in your memory, so often people will choose very simple passwords like Qwerty1234 that are extremely vulnerable to dictionary-based attacks. Another problem is that no matter how strong your password is, it can be phished out of you via social engineering, especially with less tech-savvy people. This also makes code-based 2FA vulnerable.

          Passkeys work based on public/private cryptography that works a little differently. Instead of a login and password that you know, when you sign up with a service, you generate a pair of keys: a public key and a private key. You can think of them as files on your computer (and indeed, for widely used applications like SSH they can be stored exactly like that). It uses some mathematical properties of prime number factorization to create a secure system: the public key can only encrypt messages but can't decrypt them, and you can't (with current technology limitations) reconstruct the private key from it. The public key is shared with the service you sign up with, and the private key is stored securely on your device.

          In this setup, the single private key replaces both the login and the password, and the public key replaces the hash. However, sharing public keys is safe, so if the service suffers a data breach, you are safe from your credentials being compromised. The private key itself is never communicated to the service; it's used to solve a cryptographic challenge and send an encrypted message that proves your identity. You are also less vulnerable to phishing because you don't ever see your private key — it is all handled transparently by your OS/browser/password manager. Each key is associated directly with the service it's made for, so your system will simply not let you share it with a spoofed website, for example.

          Because the main authentication factor switches from what you know to what you have, to prevent anyone with access to your device from logging in willy-nilly, the passkey is secured with additional factors like a PIN code or biometric scanning.

          There are no technical limitations that preclude having multiple identities for the same service with a passkey for each. You also should be able to migrate your passkeys between devices, but I'm not clear on how it's planned to be implemented.

          All in all, if all goes well, passkeys should offer better security AND more convenience over passwords.

          40 votes
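
The public/private key exchange pum describes above, as an added example that is not part of the original thread, of Apple's passkey implementation, or of any WebAuthn library: a minimal challenge-response in Go with the same shape as a passkey login. The site keeps only a public key; the device keeps the private key, looks it up by the site's RP ID, and signs a fresh server challenge only after user verification. The RP IDs "tildes.net" and "tildes-login.example" are hypothetical, the signed message is simplified (real WebAuthn signs the authenticator data plus a hash of the client data, and carries a signature counter), and the key is an elliptic-curve P-256 key, which is what deployed passkeys commonly use, rather than the factorization-based RSA the comment alludes to. It also illustrates the one-key-per-site point allgedo and m-p-3 make further down the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's side (phone, security key, password manager): one private
// key per site, keyed by RP ID, never exported. User verification (PIN/biometric) is a flag here.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// RelyingParty models the website. It stores public keys only, so a leaked user
// table gives an attacker nothing to crack, phish or replay.
type RelyingParty struct {
	id    string // hypothetical "tildes.net"; a browser derives it from the page origin
	users map[string]*ecdsa.PublicKey
}

// Assertion is all that crosses the network at login: a signature, not a secret.
type Assertion struct {
	RPIDHash  [32]byte
	Signature []byte // ECDSA over SHA-256(rpIDHash || challenge), simplified from WebAuthn
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }
func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, users: map[string]*ecdsa.PublicKey{}}
}

func digest(rpIDHash [32]byte, challenge []byte) []byte {
	d := sha256.Sum256(append(append([]byte{}, rpIDHash[:]...), challenge...))
	return d[:]
}

// Register mints a fresh P-256 key pair bound to rp.id and gives the RP the public half.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.keys[rp.id] = priv
	rp.users[user] = &priv.PublicKey
	return nil
}

// Authenticate signs a challenge for the RP ID the browser reports. A look-alike
// site has a different RP ID, so no key is found and nothing is signed: that
// lookup, not user vigilance, is the phishing resistance.
func (a *Authenticator) Authenticate(originRPID string, challenge []byte, userVerified bool) (*Assertion, error) {
	if !userVerified {
		return nil, errors.New("user verification (PIN/biometric) required")
	}
	priv, ok := a.keys[originRPID]
	if !ok {
		return nil, fmt.Errorf("no passkey for %q", originRPID)
	}
	h := sha256.Sum256([]byte(originRPID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(h, challenge))
	if err != nil {
		return nil, err
	}
	return &Assertion{RPIDHash: h, Signature: sig}, nil
}

// NewChallenge returns fresh random bytes per login; a captured assertion only answers its own.
func (rp *RelyingParty) NewChallenge() []byte {
	ch := make([]byte, 32)
	rand.Read(ch)
	return ch
}

// Verify checks the assertion was made for this site and signs this challenge under the stored key.
func (rp *RelyingParty) Verify(user string, challenge []byte, as *Assertion) error {
	pub, ok := rp.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	if as.RPIDHash != sha256.Sum256([]byte(rp.id)) {
		return errors.New("rpIdHash mismatch: assertion was made for a different site")
	}
	if !ecdsa.VerifyASN1(pub, digest(as.RPIDHash, challenge), as.Signature) {
		return errors.New("bad signature (wrong key, or replay against a stale challenge)")
	}
	return nil
}

func main() {
	auth, rp := NewAuthenticator(), NewRelyingParty("tildes.net")
	fmt.Println("register:", auth.Register(rp, "alice"))
	ch := rp.NewChallenge()
	as, _ := auth.Authenticate("tildes.net", ch, true)
	fmt.Println("login:", rp.Verify("alice", ch, as))
	_, err := auth.Authenticate("tildes-login.example", ch, true)
	fmt.Println("look-alike site:", err)
}
```

Running it with go run prints a successful registration and login, then the device refusing to sign for the look-alike origin because no key exists under that RP ID. Two further properties are easy to check by hand: an assertion replayed against a later challenge fails signature verification because the challenge is part of the signed message, and an assertion the device made for some other site fails the rpIdHash check on this one even before the signature is looked at.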
          1. JustLookWhoItIs
            This is the best explanation I've gotten yet.

            So, let me ask, if you know the answer -

            What if I just don't want Google/Apple/MS to have my login info for a website? To maintain some sort of, I don't know, plausible deniability about having used it, or having used it as that user?

            That might seem weird, but one reason I come to places like Tildes and Lemmy and such is for some sense of anonymity. I don't necessarily want my name and face associated with every account I use online.

            12 votes
            1. skybrian
              Passkeys are brand new so most websites will probably support other ways of logging in for quite a while.

              Also, other password managers will likely support passkeys soon, so maybe you could use one of them? Lots of people use alternative password managers.

              9 votes
              1. JustLookWhoItIs
                Someone else mentioned Bitwarden bringing support at some point. I'd definitely feel better about it being there, especially for easy cross-device syncing and recovery, but I'm likely to stick to passwords for the foreseeable future.

                5 votes
            2. gf0
              That might seem weird, but one reason I come to places like Tildes and Lemmy and such is for some sense of anonymity.

              Slightly off topic, but be very careful in your assumptions about that anonymity. As soon as you are leaving a comment, you are prone to writing style-based attacks like this, where the crazy thing is that it is not even some crazy complex ML algorithm, but something as trivial as which words are frequent neighbors in your texts.

              Hopefully no one is running from some three-letter agency, but I think it helps to be mindful of it.

              7 votes
              1. allgedo
                Let's write everything with LLMs and generate one big user.

                4 votes
              2. sparksbet
                but something as trivial as which words are frequent neighbors in your texts.

                tbf, this is fundamentally what current LLMs are trained on too when you boil things down. Just with a LOT more texts from a lot more people.

                1 vote
            3. pum (edited)
              You will have to store your passkey somewhere, but it doesn't need to be one of the tech giants. Bitwarden plans to implement support for passkeys soon, and I'm sure there will be solutions like KeepassXC that let you store your passkeys purely locally (but then you are responsible for backups and synchronization yourself).

              4 votes
              1. JustLookWhoItIs
                Being able to store passkeys on Bitwarden would make a lot of my concerns go down some in regards to losing access to everything with a misplaced device.

                7 votes
                1. pum
                  Definitely. I wouldn't even dream of using a system like that unless I could back it up and sync it ten times over.

                  2 votes
          2. Algernon_Asimov
            But... once you set this up, you can only ever access the website from that one device.

            Hypothetically, if Tildes supported something like this, I would have to pick one and only one device to access Tildes from, forever more. I couldn't jump on to my phone, then my laptop, and then do a sneaky login from my work computer. I could only ever access Tildes using the single device that stores the private key.

            That sounds very annoying, to say the least.

            5 votes
            1. Comment deleted by author
              1. Algernon_Asimov
                Thanks for the explanation.

                That all sounds complicated. I'm glad I'm a Luddite!

                3 votes
                1. blitz
                  If you're using a password manager (and you should be), once you save your tildes passkey in it in one place, they will make the same passkey available on all your other devices, so it will be simpler than Nadya described.

                  3 votes
          3. blitz
            There are no technical limitations that preclude having multiple identities for the same service with a passkey for each. You also should be able to migrate your passkeys between devices, but I'm not clear on how it's planned to be implemented.

            Pretty much every big player in the passkey game is doing passkey sync, just like they sync passwords. If you use Chrome's sync, Apple Keychain, 1Password, whatever, when you create a passkey on one device it will automatically be synced to your others.

            2 votes
        2. itdeffwasnotme
          Always always always have a backup when it comes to passkeys. They make hardware for it to even lock in a safe if you’re very cautious (yubico.com).

          Yes they can be shared across devices. Apple uploads them to iCloud, same as Google and MSFT will do to GCP and Azure. They’ll sync which isn’t the best thing from a security standpoint but they are much better for consumers than standard passwords today.

          3 votes
        3. skybrian
          This is much like using a password manager. Each password manager vendor has its own system. The password manager backs up the passkeys in whatever way it backs up your saved passwords.

          It might help to try it out. Here's a demo website that will let you create an account and attach multiple passkeys to it, so you can sign in with any of them. You can practice logging out and logging back again. You need to give it an email address, but it can be fake. The downside of a fake email is that you would only be able to log in with one of the passkeys. (Not that it matters for a demo.)

          When I visited it using Chrome on my Mac, I was able to create a passkey on "this device", my Android phone, or "a different phone or device."

          After choosing Android, I got a notification on my phone. I followed the prompts to create a passkey, and then logged out of the website, and used the passkey to log in again. This resulted in another Android notification.

          After choosing "a different device" it put up a QR code, and I was able to create a passkey using my iPad, with Apple's system.

          I was also able to create a passkey on "this device" (my Mac) and then it saved the passkey somewhere local, with a warning that it's not synced anywhere. To log in using a local passkey on a Mac, there's a dialog that prompts you for your machine's login password.

          If other websites work as well as the demo (not guaranteed) you could make passkeys on any of your devices and log in to the website using any of them.

          It seems pretty usable, but not quite as convenient as using a saved password in Chrome.

          I also tried it using Safari and you can either use the local device or a QR code.

          1. JustLookWhoItIs
            Okay, so I tried the website out and here was what happened.

            I used my real email and made a passkey on my computer on firefox.

            Then I went to try it on my phone. It asked me to use a hardware key of some kind. When I backed out of that screen... it just sent a normal 2FA 6-digit code to my email to let me sign in. I kind of thought this was supposed to be more secure than that? Like aren't those really insecure and prone to the phishing attacks that passkeys are supposed to avoid?

            2 votes
            1. skybrian
              That's pretty standard login by clicking on an emailed link. A more secure website wouldn't have that, but it's just a demo, and each website can do what it wants.

              If you want to do this using passkeys alone, I think you need to go back to your computer, log in using the passkey from Firefox, and then create another passkey that's stored on your phone. I don't know if Firefox can do that yet?

              1 vote
        4. DawnPaladin
          I'm a little stuck on the "what happens if you lose your phone or laptop" section.

          Same as the way we do it with passwords: you click a button and they send a reset link to your email.

      3. itdeffwasnotme
        So it doesn’t require a biometric. You can buy security keys that can hold the private certificate needed for the authentication instead of placing it on the phone (which does require some form of biometric to unlock the key); it can be placed on an external key. Check out yubico.com.

        6 votes
      4. skybrian
        The bit about requiring a biometric is wrong. The security for passkeys is based on which devices you own. Whether you use a biometric to protect your phone is up to you. You can protect your phone with a password if you like.

        I just created a passkey on my Mac, and when I try to use it, it prompts for my login password. No biometrics involved.

        3 votes
        1. SpinnerMaster
          Good to know! I suppose this would be safer than using a biometric (because they can't compel a password)

          1 vote
      5. swizzler
        but my password manager already does all that, but I don't have to give websites more information than i'm comfortable with?

        1 vote
        1. allgedo
          Passkey aka CTAP2 doesn't really share much information with the site. It's basically a unique key for each site; that's all they get. So I'd say privacy-wise it's almost on par with passwords.

          1. swizzler
            Since it's using a physical device to verify identity, it's tying your physical phone registered under the identity joe schmo to an account, giving confirmation that this is joe schmo's account. With the seeming wave of tyrannical fascist rule that seems to be headed our way worldwide, I don't want my online accounts tied to my identity, where they don't need to be.

            1. allgedo
              No it's more like: calculate a unique key for this website with this device.

              On the same website you may be traceable, but the passkey is the least significant point there, and on different websites it's a totally different key, so no correlation is possible.

      6. m-p-3
        Requires some sort of biometric, so your physical presence is required

        There are of course some physical tokens that offer biometric capabilities, but it's not a necessity.

        Passkeys still work as a 2FA, in the sense that the access to the resident credentials is protected by something you have (ie the physical token, including proving your physical presence by having a capacitive button on it) as well as something you know, in this case a mandatory PIN to protect those resident credentials for unwanted access due to theft, etc.

        The biometric (i.e. fingerprint scanner) can be seen more like a second "something you have", which could be used against your will.

    2. pyeri (edited)
      Bitwarden is much better than this walled garden. It has simple design and platform independence - you can switch between browsers and devices without having to worry about each one's eccentricities.

      With this passkey approach, you'll be locked into Apple browsers and devices forever. But then, maybe that's what most Apple users already want.

      5 votes
    3. itdeffwasnotme
      So - I work in Identity and Access Management for a Fortune 500 and passkeys really are a cool thing and will be cool to use in the next few years once major players formally add it to their authentication models.

      Authentication is 3 things. What you have (key), what you know (birthday), and what you are (blood type).

      Multi-factor authentication takes 2 of those (password + text, password + email, etc.). That’s all EXTREMELY phishable these days, and with the strength of password cracking and the lack of strong password enforcement on standard users, a lot of data is left unsafe.

      So - passkeys are all users will need. Instead of a long password (or pass phrase as they’re called now) what happens is a public/private certificate based trust authentication. As long as you don’t lose your phone (what you have) and you don’t lose your face (who you are) you don’t need a password for MFA.

      3 votes
      1. JustLookWhoItIs
        That "as long as you don't lose your phone" bit is a little concerning.

        28 votes
        1. ranvier
          Also, what if I want to log in to some website on, say, a library computer? I have to go through the process of adding a new key for that device, just to delete it after?

          And as far as I can see this would introduce a lot of hassle for those of us with many devices (phone, personal laptop, work laptop, desktop, tablet, plus misc. other devices).

          8 votes
        2. itdeffwasnotme
          Good call out. Always have some form of a backup. Always. You can get security keys to do just that.

          3 votes
          1. JustLookWhoItIs
            So now I've got another physical device (that I have to purchase) which, if stolen or lost, gives access to all of my accounts?

            18 votes
            1. Eji1700
              I believe the theory here is "no they still need something else". In this case a biometric? Although personally I'd still like to use a passphrase or generated key or something as I hate biometrics.

              2 votes
              1. JustLookWhoItIs
                Okay, so the YubiKeys people are linking to also require a fingerprint. I guess that answers the concern I had about it. But it's still another thing I need to buy, which is just... annoying. I guess.

                2 votes
                1. Eji1700
                  Link Parent
To be clear I’m going off memory. They don’t all require a fingerprint, and I’m not sure how those that don’t handle the 2FA part.

                  1 vote
            2. zeda
              Link Parent
              Your backup can be the "What you know" factor such as a secure backup password somewhere.

              1 vote
          2. plantstho
            Link Parent
            What scares me here is if a person loses everything - rare but happens every single day nonetheless - how do they recover?

            6 votes
  2. [8]
    oidar
    Link
    In the digital realm presided over by Apple, Google, and Meta, a new development is emerging known as passkeys. It's a simple concept, almost innocuous, like a neighbor handing you the spare key. Yet it carries with it implications that could stir unease in even the most stalwart of us.

    Imagine, if you will, being locked out of your account. It's a frustrating situation, akin to being left out in the cold, the warm glow of the digital hearth just beyond your reach. The mere thought can send a shiver down your spine as you confront the unsettling void of digital isolation.

Consider too the loss of your device. Once a major annoyance, it could now turn into a genuine crisis. That small, indispensable piece of technology holds the keys to your online existence. Lose it, and you're suddenly cast adrift in the vast ocean of the internet, lost and disconnected.

    And lurking in the background of this narrative is the overwhelming power of these tech giants. The thought of Google, for instance, taking issue with your actions and locking you out of your account is an unnerving prospect. Your options in such a situation would be limited and challenging, like staring up at a towering giant, unsure of how to proceed.

    While the technology promises convenience and security, I won't proceed until I can manage my own passkeys - or a third, disinterested, party.

    20 votes
    1. [4]
      Comment deleted by author
      Link Parent
      1. [2]
        oidar
        Link Parent
@glyph, there's a world where not everyone has a surplus of devices. Some individuals don't use commercial password managers, for their own reasons. The limitations of current hardware solutions (such as the YubiKey's limit of 25 passkeys) create issues with passkey storage.

        Also, subscribing to a third-party service isn't always feasible. These services aren't free and may pose a financial burden to some. Being locked out of an account isn't a tall tale; real-life examples abound on Hacker News (https://www.google.com/search?q=locked+out+of+google+account+site:news.ycombinator.com)

        Lastly, logging into a Google account using a backup passkey can be a puzzle using a dissociated browser /IP address. I've tried and couldn't solve it. If you've figured it out, glyph, your wisdom would be appreciated. We're all navigating the same digital wilderness, after all.

        Finally, let me be clear - passwords aren't my favorite thing either. Take, for instance, the task of managing my child's Minecraft account. There's the PS4 login for both me and my child, the Microsoft login for each of us - the list goes on. In a world dominated by passkeys, I envision how managing such scenarios could make things even more complicated.

        4 votes
        1. [2]
          Comment deleted by author
          Link Parent
          1. oidar
            Link Parent
Your previous post hinges on that central assumption, which you now claim is insignificant:

            Not only can you have multiple devices authenticated to the same services, you will soon be able to use password managers to sync the keys also. (Most of them are beta testing the feature as we speak.)

            And suddenly, this doesn't carry weight anymore? I can't decipher if we're engaging in a genuine dialogue or if your principal contention is that I lack knowledge on this topic. Illuminate the dark corners of my understanding, will you? Exhibit how my argument doesn't resonate with the average consumer. I'd truly appreciate if you debunk my points as I've laid them out.

            For the individual versed in the intricate dance of technology – this specification doesn’t explicitly require the transfer of passkey backups from one device to another. And there isn't a provider, not a single one, that allows you to transport your digital "vault". Say for example from the fortress of Mac's keychain to the citadel of Google's solution. You're obliged to relocate them manually - a tedious game of one-by-one. In essence, you're shackled to a particular tech-holder's domain. And we're all too familiar with how difficult these digital landholders make it to shift allegiance to a rival service. Utilizing Linux with passkeys is a barren landscape - no support exists save for the solitary beacon of Yubikey on Linux. There's no common tongue, no interchange format to facilitate an effortless transition between platforms.

            This raises a looming specter of a problem, particularly when we delve into the thorny issue of provider lock-in - a situation you dismiss as minor. A password, in its uniqueness, boasts portability, a feature where currently passkeys fall short. This isn't to champion passwords as the holy grail - relying solely on them makes you an inviting target. However, the practical application of two-factor authentication as it currently stands - mitigates this risk. I harbor fondness for the concept of passkeys, but the current blueprint and execution leave too much of my digital keys in the hands of the tech behemoths.

      2. allgedo
        Link Parent
        To add to this there are hardware keys that are secure and provider independent

        1 vote
    2. ducc
      Link Parent
      You can manage your own passkeys, AFAIK. For instance, in the beta versions of 1Password, you can use it to store and log in with passkeys. I assume there's nothing stopping some self-hosted password manager from implementing passkey support either.

      2 votes
    3. RolandTheJabberwocky
      Link Parent
      My immediate first thought as well, I despise the system used by steam and having everything rely on it is outright moronic.

  3. [11]
    zoroa
    Link
    Can anyone give me an ELI5 for what a passkey is?

    All the top results I'm finding in searches are just claims that it's "more secure" and "more convenient", but not description for how it works.

    Is this some form of cryptography packaged for non-technical folks?

    10 votes
    1. [2]
      spit-evil-olive-tips
      Link Parent
      short answer: it's a form of multi-factor authentication that (unlike 6-digit HOTP/TOTP codes sent by text message, for example) is able to prevent most forms of phishing attacks

      long answer:

      here's a 45-minute presentation about FIDO and Webauthn, given by a Google Cloud Security Advocate to an audience of software developers, about why they should care about adopting it

      there's a bit of acronym soup involved - the industry group behind it is the FIDO Alliance. there is a FIDO 1.0 standard (with U2F and UAF), and there's a FIDO 2.0 standard (with CTAP and Webauthn). Passkeys seem to be the more user-friendly branding they've adopted for FIDO2.

      the important part to know is that Webauthn standardizes the interaction between your browser and the site you're logging in to, and CTAP does the same but for the interaction between your browser and a security key or other authentication device (the example the article gives is signing in to apple.com on a Macbook by authenticating with your iPhone)

      that pair of standards allows a many-to-many relationship - you can have multiple authentication devices, and you can use them to authenticate to multiple websites. I have 2 FIDO keys, for example (from different manufacturers) and have both of them set up as authenticators for my Fastmail, Google, Bitwarden, Github, etc - every site I use that supports Webauthn. either key works to log in to any site, and a data breach at one site doesn't affect my security at the other sites.

      the "killer feature" is that the hostname of the website you're authenticating to is included as part of the cryptographic exchange. that means I can set up appIe.com (uppercase i instead of lowercase L) as a phishing page, but even if I succeed in getting people to push the "login with iPhone" button on my phishing page, I don't get anything that allows me to impersonate those users on the actual apple.com.

      5 votes
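The origin binding described in the comment above is easiest to see in code. The following is an added example, not code from the thread, from Apple, or from the FIDO Alliance: a simulated authenticator, browser and relying party (RP) run through a genuine sign-in, a real-time phishing relay from a look-alike domain, a replay, and a tampered clientDataJSON. Assumptions: HMAC keyed with a per-credential secret stands in for the ECDSA key pair a real authenticator holds, so the example runs on the standard library alone; class and function names (`Authenticator`, `browser_get`, `RelyingParty`, `demo`) are hypothetical. The signed message (authenticatorData || SHA-256(clientDataJSON)) and the RP's checks follow the WebAuthn assertion verification procedure.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Added example, not from the thread or any vendor. ASSUMPTION: HMAC with a
# per-credential secret stands in for the authenticator's ECDSA key pair so
# this runs with only the standard library; message layout and RP checks
# follow WebAuthn (authenticatorData || SHA-256(clientDataJSON) is signed).


def rp_id_from_origin(origin):
    """The browser, not the page, derives the RP ID from the site it is on."""
    return urlparse(origin).hostname  # hostnames compare case-insensitively


class Authenticator:
    """Credentials are scoped to an RP ID and never released for another."""

    def __init__(self):
        self._creds = {}  # credential_id -> (rp_id, secret)

    def make_credential(self, rp_id):
        cred_id, secret = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, secret)
        return cred_id, secret  # stand-in for handing the RP a public key

    def get_assertion(self, rp_id, client_data_hash):
        for cred_id, (stored_rp_id, secret) in self._creds.items():
            if stored_rp_id != rp_id:
                continue  # belongs to a different site
            # authenticatorData = rpIdHash (32 bytes) || flags (UP|UV) || signCount
            auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
            sig = hmac.new(secret, auth_data + client_data_hash, hashlib.sha256).digest()
            return cred_id, auth_data, sig
        return None


def browser_get(authenticator, page_origin, challenge):
    """navigator.credentials.get(): clientDataJSON records the real page origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    found = authenticator.get_assertion(rp_id_from_origin(page_origin),
                                        hashlib.sha256(client_data).digest())
    if found is None:
        return None
    cred_id, auth_data, sig = found
    return {"id": cred_id, "clientDataJSON": client_data,
            "authenticatorData": auth_data, "signature": sig}


class RelyingParty:
    def __init__(self, origin):
        self.origin, self.rp_id = origin, rp_id_from_origin(origin)
        self._keys = {}  # credential_id -> verification secret

    def register(self, authenticator):
        cred_id, secret = authenticator.make_credential(self.rp_id)
        self._keys[cred_id] = secret

    def verify(self, assertion, challenge):
        """Return the names of every failed check; an empty list means accepted."""
        if assertion is None:
            return ["no assertion"]
        secret = self._keys.get(assertion["id"])
        if secret is None:
            return ["unknown credential"]
        failed = []
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
            failed.append("challenge")
        if cd.get("origin") != self.origin:
            failed.append("origin")
        if assertion["authenticatorData"][:32] != hashlib.sha256(self.rp_id.encode()).digest():
            failed.append("rpIdHash")
        signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
        if not hmac.compare_digest(hmac.new(secret, signed, hashlib.sha256).digest(),
                                   assertion["signature"]):
            failed.append("signature")
        return failed


def demo():
    """Four attempts against one RP; returns {scenario: list of failed checks}."""
    auth, rp = Authenticator(), RelyingParty("https://apple.com")
    rp.register(auth)
    c1 = secrets.token_bytes(32)
    genuine = browser_get(auth, "https://apple.com", c1)
    # Relay phishing: the attacker forwards apple.com's challenge to the victim on
    # appIe.com. The browser derives RP ID "appie.com"; no credential matches it.
    relayed = browser_get(auth, "https://appIe.com", c1)
    # Replay: the captured genuine assertion is submitted against a fresh challenge;
    # editing the challenge inside clientDataJSON to fit breaks the signature instead.
    c2 = secrets.token_bytes(32)
    edited = dict(genuine)
    edited["clientDataJSON"] = json.dumps({"type": "webauthn.get", "challenge": c2.hex(),
                                           "origin": "https://apple.com"}).encode()
    return {"genuine": rp.verify(genuine, c1),
            "phishing relay": rp.verify(relayed, c1),
            "replay": rp.verify(genuine, c2),
            "edited clientDataJSON": rp.verify(edited, c2)}
```

Calling `demo()` gives `genuine` an empty failure list and rejects the other three: the relay never produces an assertion because the authenticator has nothing scoped to `appie.com`, the replay fails the challenge check, and the edited assertion fails the signature check because the hash of clientDataJSON is inside the signed message. Two of the four checks (`origin` and `rpIdHash`) never even get a chance to fire in these scenarios; they matter when an RP is reachable under several origins or when a stolen credential is used from a different site.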
      1. sneakyRedPanda
        Link Parent
        Please correct me if I am wrong, but I don't think the statement that passkeys are a form of multi-factor authentication is correct - or at least it is a little misleading to the layperson. A passkey is a single factor, in the same way that a password is a single factor, and a HOTP/TOTP code is a single factor. The use of more than one factor is (hopefully obviously) what constitutes multi-factor authentication.

        Lots of the promise of passkeys is the fact that they can replace a password as a primary authentication factor, leaving it up to the user (or service being authenticated) to add additional factors like TOTP.

        2 votes
    2. [8]
      vord
      Link Parent
IIRC it's an implementation of FIDO2

      4 votes
      1. [5]
        zoroa
        Link Parent
        So it's a Yubikey basically?

        1 vote
        1. skybrian
          (edited )
          Link Parent
Lots of password managers will support it. Looks like Yubikey already does?

          A YubiKey serves as a repository for up to 25 unique passkeys. These are hardware-bound passkeys, meaning they live only on a particular YubiKey, and so the only way to gain unauthorized access would be to steal the YubiKey itself and then complete the authentication ceremony with either the correct PIN or biometric.

          Other password managers do password syncing.

          Edit: tried it with my Yubikey. To use a passkey, it requires you to set a PIN, so I didn't bother.

          2 votes
        2. [3]
          allgedo
          Link Parent
          It's basically a synced resident key in technical/yubikey terms.
          Not as secure as a hardware key but more accessible to people.

          1 vote
          1. [2]
            zoroa
            Link Parent
            Ah thank you

            synced resident key

            This gave me a search term that helped me stumble on Yubico's FAQ on passkeys which I found pretty helpful: https://www.yubico.com/blog/a-yubico-faq-about-passkeys/

            1. allgedo
              (edited )
              Link Parent
Keep in mind that it's kind of loose what passkey means, because not everything is really needed to comply with the spec. E.g.: it's not really necessary to make it passwordless, but that's what marketing and the sites implementing it decided it should be. That shifted over time, so old articles might not have the current notion of it.

              1 vote
      2. [2]
        skybrian
        Link Parent
        This doesn't seem to be true. When I use my Yubikey with Github it's different than logging into a website with a passkey.

        1. allgedo
          Link Parent
          He's correct. It's just github doesn't use it that way currently. They use it as a second factor and this doesn't need a resident key (passwordless/passkey) atm.

          You could for example use the yubikey as a passkey with google (must not be already registered) to see how it works.

          3 votes
  4. [14]
    Jedi
    Link
    Signing into Apple is a huge pain-in-the-ass w/o an iPhone. If they allow passkeys from non-Apple devices this would be a huge improvement.

    5 votes
    1. [13]
      vord
      Link Parent
The whole point about passkeys is fundamentally that they're tied to the device.

I'm 100% behind replacing passwords with proper public/private keys, but I dislike vendor lock-in, and we're very much in a phase where converting in could lock you there for a long time.

      9 votes
      1. [11]
        pum
        Link Parent
        Bitwarden says they plan to launch passkey support this summer, so it seems like the keys will be portable? I initially assumed there will be heavy vendor lock-in as well, but by the looks of it I assume it's just private keys that can be shared via designated channels instead of copying plain files, so it shouldn't be a complete nightmare. Although whether Apple/Google will provide those channels to export the keys is an open question.

        7 votes
        1. [10]
          vord
          Link Parent
          Although whether Apple/Google will provide those channels to export the keys is an open question.

          This was kinda what I was thinking. Further ecosystem lockin incentive, one that all major tech companies salivate over.

          1 vote
          1. [9]
            Jedi
            Link Parent
            You shouldn’t need to export the keys, you just add a new one.

            1 vote
            1. [8]
              vord
              Link Parent
              So switching vendors entails resetting every password you've ever used?

That's not really selling "lack of lock-in." Every barrier of inconvenience is one more additional lock.

              2 votes
              1. [7]
                Jedi
                Link Parent
                No? You can add multiple passkeys.

                1. [6]
                  vord
                  Link Parent
Yes, that's what I'm saying though. It's functionally the same.

If I have an Apple phone and am using its passkeys exclusively, and they won't provide an export function, and I want to switch to Android, or migrate off phone-based passkeys to a Yubikey:

                  I now have to go through the process of going to every single site in my passkey, adding the Android key. While still having the Apple phone fully ready to use. If I miss something, and stop carrying the Apple phone...it's gonna be a terrible experience. It's already a pain if I dare switch phones without porting my number and informing every company I've ever interacted with first.

                  That's functionally the same as resetting every password I've ever used. Especially since any site with developers who have more than 2 brain cells will also MFA adding additional tokens via registered email or something.

                  Opposed to password managers, where I can export from one manager then import in another.

                  1 vote
                  1. [4]
                    Jedi
                    Link Parent
                    Ah, now I get what you’re saying.

                    I’m using on a few sites (a few, coincidentally is the same amount of websites that support passkeys!) both my computer and my phone as a passkey, so I feel migration should be fairly straightforward for me since I don’t anticipate changing both devices at the same time.

                    I also use 2FA on most of my important sites anyway, so I’m fairly used to the new-device hassle at this point.

                    But yeah, I do wonder how that would look in practice.

                    1 vote
                    1. [3]
                      vord
                      Link Parent
                      I mean, I have almost 500 unique sites/apps in my Bitwarden vault.

                      If it takes 30 seconds to update each site, that's a grueling 4 hour process to not miss anything.

New-device hassle is only going to get worse if we replace passwords with devices without some level of protections to ensure smooth vendor-agnostic migrations.

                      6 votes
                      1. allgedo
                        Link Parent
IIRC they are already working on something like this. Maybe it'll take a while, but it seems to be coming.

                      2. skybrian
                        Link Parent
                        I think you're right that switching entirely from one password manager to another will be a pain if you really need to do it in a day and stop using the old one. But it's not like you signed up with 500 websites in a day. If I got a new device and wanted to use a new password manager, I'd add accounts to the new password manager gradually while keeping the old one for a while. You can use both password managers.

                        I'm using the Apple ecosystem more these days, but I expect to have both Google and Apple devices indefinitely and use both password managers.

                        Chrome seems like a better bet for me than Safari since I can run it on Android and an iPad and Mac desktop. But there is also "cross-device" authentication, so I could use either password manager with either browser using a QR code.

                        Seems like if you're already using Bitwarden then you should stick with it.

                  2. allgedo
                    Link Parent
Yeah, except it's probably easier because there's no typing, and it's definitely more secure.

I get where you are coming from, but we can't have it all for now. Let it evolve.

PS: Chrome and Apple sync, so this should be easier than your scenario.

      2. allgedo
        Link Parent
Isn't the whole point the sync, which would make it not tied to a device? Everything else was already present.

Could be wrong, but Chrome/Google and Apple/iCloud sync the keys, and I don't see a reason for doing this except to decouple it from the devices.

  5. artvandelay
    Link
    Passkeys sound pretty interesting but, like others have said, I don't really have any NEED to switch to them asap. It's encouraging to see password managers like Bitwarden say they'll add support for them soon. As someone who isn't locked into a single ecosystem, it's nice to see that this shouldn't (hopefully) make vendor lock-in worse.

    5 votes
  6. [8]
    cokedragon
    Link
    I still haven't seen a major personal concern about Passkeys addressed - what happens if you lose your device?

    5 votes
    1. [5]
      post_below
      Link Parent
      This is the Achilles heel of passkeys.

      Everyone knows you should have backups, only a relatively small percentage of people actually make them, fewer still keep them up to date.

      We're talking about the masses here, not security conscious tech people. There are going to be a whole lot of phones that are the users only passkey repository, and those phones are gonna get lost.

      Give them a "lost your passkey?" email recovery link and you're re-introducing an attack vector passkeys are meant to remove. So from a security perspective the answer to "I lost my phone with all my passkeys on it" needs to be "sorry about your luck".

      Seems too high friction for mass adoption, at least medium term. I could be missing something about the tech though, I'm basing this mostly on my understanding of key authentication in general.

      11 votes
      1. [4]
        skybrian
        Link Parent
        The Google and Apple password managers store an encrypted backup in the cloud.

        For Google, you need to be able to log into your account (somehow) and remember the code for unlocking your phone. I wrote about it before. For Apple it's described here.

        Also, I think it's pretty common to have more than one device.

        4 votes
        1. [3]
          post_below
          Link Parent
          Wouldn't the provider (say Google) need to also store the key used to encrypt the data in order for the user to be able to restore or download the backup? It couldn't live on the user's device, that would make the backups pointless.

          So that then makes the passkeys accessible to anyone with access to that G account.

          It seems like you'd end up with two possible scenarios...

          • The G account is only accessed using a passkey, which the user has lost, leaving them without access to the backup. Good luck getting a human to help you at Google, or anywhere really, hard to imagine Apple investing in the extra support people to field lost passkey complaints. Passkeys aren't going to be bringing in new revenue.

          • The G account has an alternative login, either a password or a backup email. In either case the user's passkeys (all of them) are now accessible using an authentication method that passkeys are meant to replace. One that can be phished, keylogged, socially engineered, etc.. In that case it's essentially a less user friendly bitwarden.

          The solution of course is for everyone to always have backups (multiple devices with the keys would qualify) but unless the providers strictly enforce that somehow, millions of users won't bother.

          3 votes
          1. [2]
            skybrian
            Link Parent
Yeah, it's tricky to make work, but the way they solved it seems to be by deriving the encryption key from something in your Google account and whatever lock code you were using to lock your phone. As encryption keys go, that doesn't seem great (your lock code may be guessable), but there's a bit more needed than accessing the Google account. Maybe there are rate limits on guessing?

This doesn't prevent you from being owned by Google if they turn entirely evil. They control all the code that's being run. But it seems like a decent speedbump so they can plausibly claim that they don't have your lock code and can't decrypt it, maybe? (Such as to authorities.) You could use a good lock code on your phone if you're concerned.

Having an alternate Google login is needed, but it could be another device if you have multiple devices, or it could be something like printed backup codes. I'd strongly recommend printing backup codes and storing them in a safe if you don't have any other devices.

            People do sometimes get locked out of their Google account if they lose every possible way of accessing it. That doesn't change. I couldn't say whether such people would be helped by Bitwarden but it seems like they wouldn't use it either? Isn't it a fairly geeky product? Don't you need to back that up too?

            1. post_below
              Link Parent
Ah I see, that does neatly solve the issue of warrants and subpoenas.

              But still kind of ends up in the same place otherwise: password protecting the thing that's supposed to replace passwords.

              It'll be interesting to see how it plays out in terms of adoption.

              1 vote
    2. [2]
      Comment deleted by author
      Link Parent
      1. [2]
        Comment deleted by author
        Link Parent
        1. allgedo
          Link Parent
          Yeah it was an excellent service. Encrypted git was also a favorite of mine.
          The zoom buy and the crypto stuff pushed me away fast.

          They should have just made a second company and leave the infra stuff alone

    3. Hobbykitjr
      Link Parent
Dude... I have never given Apple a dime in my life... But I did a free trial of AppleTV+ over a year ago.

New season comes out and I actually considered paying the $5 to watch season 2. Annnnnddd... they wanted me to verify my account w/ my Apple device (which I own none of), so the backup option to restore my account was to give them the CCV code on the credit card I used to sign up...

a CC I don't have anymore, and a CCV I never wrote down... and I thought they weren't supposed to keep?

I tried to contact support and explain I couldn't reset this (basically empty) account, and they couldn't help.

...so I signed up for another free trial w/ an alt email.

      3 votes
  7. Raistlin
    Link
    I read the comments here, and read some articles about it. I guess I don't understand the advantages of this vs bitwarden with a strong enough master password. Yeah, you can technically lose that too, but then you enable MFA, and put your recovery codes in a safe or something. It's not impossible to still get hacked, but at that point you're being targeted anyway.

    What do passkeys do that a well managed password manager account doesn't?

    5 votes
  8. [3]
    Algernon_Asimov
    Instead, they can simply scan their fingerprint, face or type in a PIN code to unlock access

    Could someone please explain to me how typing in a PIN is not the same as typing in a password? As far as I can see, the only difference is in the combinations of permissible characters: PINs use only numbers, while passwords can use numbers, letters, and other characters. But, functionally, it's the same thing: the user types in a series of characters to gain entry to a website/software.

    Passkeys work by creating a unique, private key that’s bound to your devices, whether it be a laptop or iPhone.

    What happens when you want to access the site/software from a different device? Are you blocked? Is this another way that Apple ensures you always use their device as a portal to the internet?

    4 votes
    1. [2]
      Comment deleted by author
      1. allgedo
        To add to this, my hardware key locks after X wrong tries. After Y wrong recovery PINs (PUK) it deletes the key.

        Don't know if software keys do the same, I'd guess so.

        So the attack vector is incredibly small in general.

        1 vote
    2. skybrian
      You can use a passkey on one device to log in on a different device by using cross-device authentication. The portable, vendor-independent way to do it uses a QR code, so that's a bit inconvenient but doable.

      Sometimes there are easier ways, like if I use Chrome on desktop then it will show a notification on my Android phone, no QR code required.

      You could also get a device just for authentication, like a YubiKey. The downside is that you need a USB port and an adapter if it's the wrong kind. Newer ones also have NFC, but I don't have one of those. So, a cell phone is better in some ways and is probably what most people will do.

      One way or another, a device is involved. The idea with passkeys is that passwords aren't used remotely anymore, just on the same device where the passkeys are stored. You still log into machines using passwords (if you prefer that to biometrics) but not websites.

      The result of widespread passkey adoption will be that everyone uses a password manager, because you can't use passkeys without a password manager of some sort. The mainstream approach will likely be the one built into the browser. In practice, password managers are going to be storing passwords for a long time, but maybe we'll stop creating new ones as often?

      1 vote
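      An added illustration for the two questions above (Raistlin's "what do passkeys do that a password manager doesn't?" and Algernon_Asimov's "how is a PIN not a password?"), written for this page and not taken from any commenter, Apple, or the WebAuthn spec: a stripped-down model of the passkey exchange in Go. The PIN is only ever checked on the device, the site stores a public key and nothing it could reuse, each login signs a fresh random challenge, the key is looked up by the site's ID so a lookalike domain has nothing to sign with, and too many wrong PINs wipe the keys, as allgedo describes for hardware keys. Everything here is simplified and assumed: the site "example.com", the user "alice", the PIN "1234", a three-try lockout, usernames in place of WebAuthn credential IDs, and the bare challenge in place of the full client data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Authenticator models the device holding passkeys; the PIN only ever gates local signing.
type Authenticator struct {
	pinHash  [32]byte
	failed   int
	maxTries int
	keys     map[string]*ecdsa.PrivateKey // rpId -> private key, which never leaves the device
}

func NewAuthenticator(pin string, maxTries int) *Authenticator {
	return &Authenticator{pinHash: sha256.Sum256([]byte(pin)), maxTries: maxTries, keys: map[string]*ecdsa.PrivateKey{}}
}

// unlock checks the PIN on-device; after maxTries failures every key is wiped (simplified lockout model).
func (a *Authenticator) unlock(pin string) error {
	if h := sha256.Sum256([]byte(pin)); subtle.ConstantTimeCompare(h[:], a.pinHash[:]) != 1 {
		if a.failed++; a.failed >= a.maxTries {
			a.keys = map[string]*ecdsa.PrivateKey{}
		}
		return errors.New("wrong PIN")
	}
	a.failed = 0
	return nil
}

// Register creates a fresh key pair bound to rpId; the site receives only the public half.
func (a *Authenticator) Register(rpId, pin string) (*ecdsa.PublicKey, error) {
	if err := a.unlock(pin); err != nil {
		return nil, err
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpId] = priv
	return &priv.PublicKey, nil
}

// Assert signs a server challenge for rpId. A browser derives rpId from the page origin,
// so a lookalike domain is never answered with the real site's key.
func (a *Authenticator) Assert(rpId, pin string, challenge []byte) ([]byte, error) {
	if err := a.unlock(pin); err != nil {
		return nil, err
	}
	priv, ok := a.keys[rpId]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %q", rpId)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpId, challenge))
}

// signedDigest mirrors WebAuthn's signed layout hash(rpId) || hash(clientData); both sides compute it.
func signedDigest(rpId string, challenge []byte) []byte {
	r, c := sha256.Sum256([]byte(rpId)), sha256.Sum256(challenge)
	d := sha256.Sum256(append(r[:], c[:]...))
	return d[:]
}

// RelyingParty is the website: public keys only, so a leaked user table holds nothing reusable.
type RelyingParty struct {
	ID   string
	pubs map[string]*ecdsa.PublicKey // username -> public key (real WebAuthn keys by credential ID)
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubs: map[string]*ecdsa.PublicKey{}}
}

func (rp *RelyingParty) Store(user string, pub *ecdsa.PublicKey) { rp.pubs[user] = pub }

// NewChallenge draws 32 fresh random bytes per login; crypto/rand.Read is documented never to fail in current Go.
func (rp *RelyingParty) NewChallenge() []byte { c := make([]byte, 32); rand.Read(c); return c }

// Verify succeeds only for a signature over this exact challenge and this site's own ID.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	return ok && ecdsa.VerifyASN1(pub, signedDigest(rp.ID, challenge), sig)
}

func main() {
	auth, rp := NewAuthenticator("1234", 3), NewRelyingParty("example.com") // constructed sample values
	pub, _ := auth.Register(rp.ID, "1234")
	rp.Store("alice", pub)
	ch := rp.NewChallenge()
	sig, _ := auth.Assert(rp.ID, "1234", ch)
	fmt.Println("login verified:", rp.Verify("alice", ch, sig))
}
```

      The point the model makes is structural: nothing the user types travels to the site, and nothing the site stores can be replayed or reused elsewhere, which is what a password manager full of strong unique passwords still cannot guarantee, since the password itself is sent and a phished copy works anywhere.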
  9. [2]
    Azuretower
    This sounds kind of neat but will it actually help increase adoption of passkeys over passwords for sites besides Apple.com?

    2 votes
    1. itdeffwasnotme
      Yes. Only a few apps are using them now, as Apple just launched them in 2022 and Google formally did it a week ago. So big identity providers (Facebook, Google, etc.) will all start implementing them into their own systems. Then, for apps that allow those IdPs on their platforms (e.g. log in with Google), you'll be able to use that passkey.

  10. bakers_dozen
    Sounds like it turns your iPad or phone into a trusted device as part of multi-factor authentication.
    Something you have - your device
    Something you know - your PIN
    Or, something you are - your fingerprint

    Basically they'll trust your phone (as long as it's secure under this scheme) with your PIN or biometric together. Fingerprint or face scanning to log in to a website is an interesting thing.

    1 vote
  11. Tiraon
    One thing I did not see mentioned is that the passkey is bound to the device, but what device?

    On Google's account support page for passkeys, the supported ones are all the mainstream OSes with a required browser of Chrome/Edge/Safari. You can at least use a hardware security key, but it is still concerning, especially if you could only get the security key from an approved vendor.

  12. [3]
    space_cowboy
    I refuse to use this as long as it's tied exclusively to one vendor and Linux support is not guaranteed.

    I would very much like to know the nitty-gritty details. I suspect this is using Curve25519 under the hood, since that algorithm is very popular lately. I hope (and assume) the symmetric side is using strong ciphers like AES. If this technology was FLOSS and I could keep my keys backed up elsewhere, I would consider it.

    1. [2]
      gf0
      As has been mentioned in this thread, it is a standard: https://tildes.net/~tech/16px/phasing_out_passwords_apple_to_automatically_assign_each_user_a_passkey#comment-8p24

      So I'm almost sure it will be freely implementable by anyone (e.g. it mentions Firefox, but Chrome also has an open-source base, so I wouldn't fear it being proprietary)