“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.

  • HubertManne@moist.catsweat.com
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    The real problem is not passwords so much as trusted sources. Governments should have an email account that citizens have a right to and will not go away and have local offices to verify access issues.

  • 2xsaiko@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    0
    ·
    2 months ago

    I’m not convinced this is a good idea. Resident keys as the primary mechanism were already a big mistake, syncing keys between devices was questionable at best (the original concept, which hardware keys still have, is the key can never be extracted), and now you’ve got this. One of the great parts about security keys (the original ones!) is that you authenticate devices instead of having a single secret shared between every device. This just seems like going further away from that in trying to engineer themselves out of the corner they got themselves into with bullshit decisions.

    Let me link this post again (written by the Kanidm developer). Passkeys: A Shattered Dream. I think it still holds up.

    • unskilled5117@feddit.org
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      2 months ago

      The author of your blog post comes to this conclusion:

      So do yourself a favour. Get something like bitwarden or if you like self hosting get vaultwarden. Let it generate your passwords and manage them. If you really want passkeys, put them in a password manager you control. But don’t use a platform controlled passkey store, and be very careful with security keys.

      The protocol (CXP) which the article is about, would allow you to export the passkeys from the “platform controlled passkey store” and import them into e.g. Bitwarden. So i would imagine the author being in favor of the protocol.

    • trevor@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      This is straight-up wrong. I use FIDO2 and Yubico OTP auth in Firefox on a weekly basis.

      Are you sure you’re not using a hardened fork or tinkered with your about:config?

      The main thing that Firefox frustratingly does not support is PRF, which is needed for encrypting data with FIDO-compatible devices, but they are working on that.

  • mlg@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    2 months ago

    I remember when Microsoft made a big deal about this on Windows and then their “implementation” was making the local signon a number PIN.

    And not a proper separate auth operation lol. You either set up almost everything with the PIN or use a regular password, not both. Makes it useless on enterprise.

    Realistically we should all be using a key/pass vault since that would make using passkeys much easier, but that’s too complicated for the internet in 2004 2024.

    If it were me, I’d just issue everyone a yubikey.

      • msage@programming.dev
        link
        fedilink
        English
        arrow-up
        0
        ·
        2 months ago

        Does this require any 3rd party to work? I remember reading a blog, something about attesting the client, which was some big corpo like Google/Apple/Microsoft… that’s not for this, right?

        • Spotlight7573@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          2 months ago

          While the defaults are typically to use what the browser or OS has for storage and sync of the passkeys, you can use other things.

          Like KeePassXC:

          https://keepassxc.org/blog/2024-03-10-2.7.7-released/

          As for attestation to how the key is stored securely (like in a hardware key), Apple’s implementation doesn’t support it for iCloud ones, so any site that tries to require it wouldn’t work for millions of people. That pretty much kills it except for managed environments (such as when a company provides a hardware key and wants to make sure that’s the only thing that’s used).

    • SirEDCaLot@lemmy.today
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      No it’s actually pretty simple. No containers. Your passkeys can be managed in the browser (Google Passwords), by a plug-in like BitWarden, or in a third party hardware device like YubiKey.

  • Knock_Knock_Lemmy_In@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    2 months ago

    What is the difference between a crypto wallet and a passkey?

    Is it just that a passkey has less functionality (and therfore better usability)?

  • Pyflixia@kbin.melroy.org
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    Whenever I read stuff like this, my mind goes a bit hazy. Because I’m just finding myself asking ‘Why and when did the simple mechanic of passwords get this difficult?’

    Maybe if password requirements weren’t stingingly stupid, companies cared more about actual security and not an obstacle course they’ve gotta send people through to do one thing. We wouldn’t ever know or need to know systems like this.

    • 4am@lemm.ee
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      With passkeys you never need to worry about the storage method used by the site. Some sites STILL store passwords in plaintext. When that database gets hacked, it’s game over.

      A public passkey, even stored in plaintext, is useless to an attacker.

      Maybe that doesn’t matter for you or me, with our 64-character randomly generated passwords unique to each service, but the bigger picture is that most people just use the same password everywhere. This is how identity theft happens.

    • Encrypt-Keeper@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      Passkeys are much simpler to use than passwords, password managers, 2FA etc. if simplicity is your goal, Passkeys are your personal wet dream.

      • MonkderVierte@lemmy.ml
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        2 months ago

        That one site - what was it, Mozilla’s/Gnome’s git? - that needed Aegis for login. Which is unlocked by pasword btw.

  • NateNate60@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    2 months ago

    I still have no idea how to use passkeys. It doesn’t seem obvious to the average user.

    I tried adding a passkey to an account, and all it does is cause a Firefox notification that says “touch your security key to continue with [website URL]”. It is not clear what to do next.

    • JackbyDev@programming.dev
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      After my password manager auto filled a password and logged me in the website said “Tired of remembering passwords? Want to add a passkey?” I didn’t know what it meant so I said no lol.

    • thequickben@lemm.ee
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      You don’t need a device btw. It works with your password manager and can also be used alongside a password too. Don’t have your password manager? Just use your regular password if you know it.

    • Echo Dot@feddit.uk
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      I think you actually have to buy a passkey device. Then configure it to work with a particular account.

      You plug the passkey into your computer and then whenever it asks for a password you literally touch it and it does its thing. I think there are options like biometrics that you can add on top but you don’t have to have that.

      • NateNate60@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        2 months ago

        If that’s what’s needed, I can say with some certainty that adoption isn’t going to be picking up any time this decade.

          • EngineerGaming@feddit.nl
            link
            fedilink
            English
            arrow-up
            0
            ·
            2 months ago

            What are you talking about? KeepassXC, to my knowledge, is not dependent on any TPM, snd it does support passkeys.

            • xor@lemmy.blahaj.zone
              link
              fedilink
              English
              arrow-up
              0
              ·
              2 months ago

              devices themselves can act as passkeys

              I didn’t say a device needs a TPM to support passkeys - I said I believe it it needs one to be a passkey

              Thank you for your passive aggressive response caused by poor reading comprehension, though

              • EngineerGaming@feddit.nl
                link
                fedilink
                English
                arrow-up
                0
                ·
                2 months ago

                From what I understand, “passkey” refers to software, so no such thing as “device being a passkey”. Unlike a hardware key.

                • xor@lemmy.blahaj.zone
                  link
                  fedilink
                  English
                  arrow-up
                  0
                  ·
                  2 months ago

                  You understand incorrectly. “passkey” refers to a token used for the public key authentication that is used for sign in, which needs to be stored somewhere - this can be stored in a hardware key like a YubiKey, or in your device’s credentials manager. In principle, this could be anywhere, but it needs to be somewhere secure to not be trivial to compromise (eg taking out your HDD and just copying your passkey off it)

                  In Windows’ case, this secure credentials store is the TPM chip, which is why you are not able to use passkeys on Windows devices that have no TPM chip (unless you use another hardware implementation).

                  Tldr: passkeys are data, not software, and to store the data, you need some form of hardware, which needs to be secure to not be a really bad idea.

                  If you’d like to do some reading before confidently correcting me further, I’d suggest reading about how passkeys work.

  • Encrypt-Keeper@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    2 months ago

    ITT: Incredibly non-technical people who don’t have the first clue how Passkeys work but are convinced they’re bad due to imaginary problems that were addressed in this very article.

    • priapus@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      This is a weird thread. Lots of complaints about lock in and companies managing your keys, both of which are easily avoidable, the exact same way you’d do so with your passwords.

      • Sl00k@programming.dev
        link
        fedilink
        English
        arrow-up
        0
        ·
        2 months ago

        Also the people talking about added complexity? I’m convinced all the complaints are from people who haven’t set one up or used one and are immediately writing it off. Adding one is a single click of a button.

        Then to sign in I literally just get a thumbprint request on my phone after entering my username. It’s far far simpler than passwords and MFA.

  • dantheclamman@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    2 months ago

    They are really satisfying when they work. I have been impressed by how well they work cross platform in the new bitwarden. It even worked from Android one time with a key made on windows! However, I dread when my mom tells me she needs help with an account and I can’t do anything because the key is on her iOS Keychain I don’t have access to

  • lemmeBe@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    0
    ·
    2 months ago

    It’s enough to read the title. The rest of the article doesn’t provide much else other than being one step closer. 😄

  • rickdg@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    2 months ago

    If you tell corporations there’s a way to increase lock-in and decrease account sharing, they’re gonna make it work.

    • umami_wasabi@lemmy.ml
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      One is a new technical specification called Credential Exchange Protocol (CXP) that will make passkeys portable between digital ecosystems, a feature that users have increasingly demanded.

      I.e. I can copy my key to my friends’ device.

      • _bcron_@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        2 months ago

        I’m not in software but from what I read the importer sends a request and that request is used by the exporter and importer to encrypt and decrypt, so I think there’s a way to tweak the whole process a little and instead have both the exporter and importer ask Netflix or whoever to provide a key as opposed to using the request. Could be wrong tho

        • umami_wasabi@lemmy.ml
          link
          fedilink
          English
          arrow-up
          0
          ·
          edit-2
          2 months ago

          That’s not how Passkey, and the underlying WebAuthn works.

          (Highly simplifies but still a bit technical) During regiateration, your key and the service provider website interacts. Your key generated a private key locally that don’t get sent out, and it is the password you hold. The service provider instead get a puclic key which can be used to verifiy you hold the private key. When you login in, instead of senting the private key like passwords, the website sent something to your key, which needs to be signed with the private key, and they can verify the signature with the public key.

          The CXP allows you export the private key from a keystore to another securely. Service providers (Netflix) can’t do anything to stop that as it doesn’t hold anything meaningful, let alone a key (what key?), to stop the exchange.

        • 4am@lemm.ee
          link
          fedilink
          English
          arrow-up
          0
          ·
          2 months ago

          Read the article, it’s literally about replacing Import/Export CSV plaintext unencrypted files with something more secure.

          I.e. moving your passwords/passkeys between password managers. This is not about replacing stuff like OAuth where one service securely authorizes a user for another.

  • Dasnap@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    2 months ago

    I always feel like an old granny when I read about passkeys because I’ve never used one, and I’m worried I’ll just lock myself out of an account. I know I probably wouldn’t, but new things are scary.

    Are they normally used as a login option or do they completely replace MFA codes? I know how those work; I’m covered with that.

    • narc0tic_bird@lemm.ee
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      Usually just an option in addition to a password + MFA. Or they just replace the MFA option and still require a password. I even saw some variants where it replaced the password but still required a MFA code. It’s all over the place. Some providers artificially limit passkeys to certain (usually mobile) platforms.

      • Semperverus@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        2 months ago

        All of those options are to NIST-spec. MFA means multi-factor. It doesnt matter what they are as long as they are in different categories (something you know, something you have, something you are, etc: password, passkey, auth token, auth app, physical location, the network you are connected to). Two or more of these and you are set (though, location might be a weak factor).

    • Sl00k@programming.dev
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      I have passkeys setup for almost everything and on most sites I just enter my username then I get a request on my phone to sign in. Scan my thumbprint and it’s good to go. It’s actually so much simpler than passwords / MFA, but admittedly I haven’t had to migrate devices or platforms.

      I have everything setup through protonpass right now

    • PresidentCamacho@lemm.ee
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      Hey good for you, unlike everyone else in this thread making up reasons why the tech is bad, you are mature enough to recognize the fear is from ignorance. I am in the same boat. I’m currently using a manager with MFA on everything which works well for me. Might look into this tech once it’s baked longer. I don’t like the idea of early adoption to a tech when it’s security related.