I admit I haven't paid much attention to passkeys up to this point. This article provides a pretty good explanation of what they are and what the problems with current implementations are – usability related rather than issues with the soundness of the underlying technology.
My working summary is that a passkey is like a password manager that generates and stores client certificates per-identity instead of generating and storing passwords. It signs challenges with the stored certificates (keys) automatically after the user authenticates with the device. As with most tech advances, the ideal case is complicated by companies wanting to own the platform and vendor lock-in.
If I understand correctly, the main security improvement over a password manager is that signing the auth request does not reveal the private key, whereas pasting the password into a form potentially leaks the private secret.
From a usability perspective, the main savings over a password manager would be not having to copy/paste the usernames and passwords. But the copy/paste (or keyboard implementation of KeepassDX) provides a nearly universal interface to use the password manager with any app or browser, while the passkey implementations are fragmented.
Nothing I read here or elsewhere makes me think I want to move away from a password manager right now. I'm wondering if there are any different views or thoughts from people who are using passkeys in practice.
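A toy version of the flow summarised in the comment above (the device holds one key per site, signs a fresh challenge, and the site verifies with a stored public key), written here as an added example and not taken from the article or from any passkey implementation. Authenticator and RelyingParty are constructed names standing in for the password manager and the website; the test-style checks in the comments also show why a key for one site is useless at another, which a later comment in the thread touches on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator plays the comment's "password manager for keys": one P-256 key
// pair per relying party (site), and the private keys never leave this map.
type Authenticator map[string]*ecdsa.PrivateKey

// RelyingParty (the website) stores only public keys, keyed by username.
type RelyingParty map[string]*ecdsa.PublicKey

// Register generates a fresh key pair for rpID and releases only the public half.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // entropy failure; a demo has nothing sensible to fall back to
	}
	a[rpID] = priv
	return &priv.PublicKey
}

// Sign answers a challenge for rpID. The signature proves possession of the
// private key without transmitting it, unlike pasting a password into a form.
func (a Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, errors.New("no passkey stored for " + rpID)
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Challenge returns 32 fresh random bytes per login so old signatures cannot be replayed.
func (rp RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand fills c entirely (current Go documents it never errors)
	return c
}

// Verify checks sig over challenge against the user's enrolled public key.
func (rp RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp[user]
	digest := sha256.Sum256(challenge)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

The site's table holds nothing that can log in anywhere, and a signature captured on the wire is bound to one challenge and one site.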
The passkey standards people are scheming maniacs who threaten to blacklist consumer-friendly software. I want to back up and secure my passkeys. They don't want me to, and are threatening software that lets me do that with exclusion from their little club, e.g. https://github.com/keepassxreboot/keepassxc/issues/10407, but there are a few issues where threats are made to exclude keepassxc because of its user-friendly features.
As far as I'm concerned, credentials I can't secure outside of 'big tech' aren't worth shit. And I have a mixed environment of iOS, Android and Linux I need to use the things between. And I might want to change providers for some reason in the future.
That discussion doesn't preclude backing up or storing your keys. It's just promoting that such software shouldn't expose its private keys in plain text, and that the keys need some type of protection or encryption, which I think is a fair request. You can strip it of that protection afterwards if you want it to be less secure. But promoting that keys be kept safe isn't crazy or anti-user like people are claiming.
I can see why they wouldn't want this.
You know why sharing passwords is bad, right? If you reuse the same password on multiple websites, and one of them gets broken into, then your accounts on the other websites are compromised.
There's a similar argument that passkeys shouldn't be copied between password managers. Instead, there should be a way to sync password managers that automatically generates new passkeys for the same accounts, achieving the same effect.
If you have two keys to the same lock, they serve as backups for each other, so you don't get locked out. That's true even if the keys aren't the same.
Unfortunately, there's no password manager syncing protocol yet, and some websites don't even support multiple passkeys per user. There's a lot that needs to be fixed.
I think it boils down to: more user security in the walled garden streamlines people's access to the things that make them money, but anything beyond that, or anything that runs counter to that, they actively oppose.
That dialogue from Apple is just horrible.
"A passkey for ${user} will be saved in iCloud Keychain and available on all your devices" (emphasis mine).
Going to call shenanigans on that one. Darned well won't be available on all my devices.
But if you were a True Believer, you would excise all non-Apple devices from your life to make it true. Type on your Mac, take calls on your iPhone, then go downstairs and watch Apple TV while your heart beats to your iPacemaker (additional BPM available on the premium plan, only $79.99/mo). In addition to sharing your passkeys on all devices, you can use Apple Pay by chest bumping the PIN pad.
I see passkeys as a security upgrade over passwords that requires a password manager. While most people have a password manager (the one built into their browser) they don't necessarily know how to use it.
Also, many people have multiple password managers because they use devices from different vendors. Since passkeys are currently non-portable, to access a website from all your devices, you need to save a passkey in each password manager you use.
For me, I can save a passkey in Chrome (on Android) and on my iPad, and that covers everywhere I might want to log in from.
I read a while back that a standard that helps you securely sync passkeys between your password managers is in the works.
Someone correct me if I'm wrong but aren't Passkeys secured by biometrics and emphatically not a password? Seems much less secure than having a proper master password that exists only in your mind...
The passkey protocol itself is basically an API between a password manager and a website. It doesn’t say anything about how a password manager might use biometrics. For example, my Mac Mini doesn’t have a fingerprint sensor, so Chrome prompts me to type the password for my Mac user account before autofilling passwords or using passkeys. When I’m using my laptop, I can press the fingerprint sensor instead.
Smartphones often do let you unlock them with a fingerprint or using the camera, but this is no different from autofilling passwords or doing anything else using your phone. If you prefer, you can configure your phone to require a password to unlock.