- cross-posted to:
- technology@lemmy.ml
- technology@beehaw.org
- cross-posted to:
- technology@lemmy.ml
- technology@beehaw.org
I’m sorry but I seriously do not see any benefits to using passkeys.
I use 24 character passwords in Bitwarden with 2fa on all accounts, how is a passkey better than that?
The problem with PassKey is simply that they made it way more complicated.
Anyone who has worked with SSH keys knows how this should work, but instead companies like Google wanted to ensure they had control of the process so they proceeded to make it 50x more complicated and require a network connection. I mean, ok, but I’m not going to do that lmao.
Would love for you to describe exactly how it’s more complicated. From my perspective I click a single button and it’s set up. To log in I get a notification on my device, I click a button and I’m logged in.
Would love for you to describe exactly how it’s more complicated.
YOU JUST DID, below
From my perspective
neat.
I click a single button
… on your device tethered to a single app by a single vendor and their closed data store
and it’s set up.
… and tethered to prevent you from churning.
To log in I
… wait online to …
get a notification on my device,
… or send it again. Or again. Try again. Maybe mail it?
I click a button and I’m logged in.
Yeah. Just click (tap) a button (enter a code).
Using a big-brand MFA setup at one job that requires ‘one button’ and ‘get a notification’ and ‘click a button’, I know you’re glossing over the network issues HEAV-I-LY.
Now do it in airplane mode. Do it when the token organization is offline. Do it when there’s no power because the hurricane hit and there’s no cell, no data, no phones, and your DC is on its last hour of battery and you have to log in because the failover didn’t run.
Do it when your phone fell on its face in the rain into a puddle and it’s not nokia.
Do it when you either have cell service and 5% battery, or 100% battery from inside the DC and no cell service.
Do it when you’re tired, hungry, drunk, lost your glasses in the car accident.
The D in DR means DISASTER. Consider it.
For somebody complaining about making things complicated you certainly complicated the s*** out of a short post.
Storing your passkey in any of the shared password managers solves almost every problem you’ve listed.
With bitwarden and I have offline access to my passkey. I don’t know why the hell you’d need offline access to your pass key because they’re designed to protect online systems, But it could if I wanted it to.
With Bitwarden I can use my phone, or I can use my browser, or any one of four other browsers, or any other computer.
If I need to reset one of my pass keys I reset it in one place and it gets reset everywhere.
they must have meant technically complicated, which is also meaningful in consumer technology.
like if it’s true that it requires an internet connection, that’s quite bad, partly because of yet another avenue for possible tracking, and what if the service you want to access is not on the internet, but the passkey doesn’t work without it still
Private keys on an anonymous, untraceable smartcard. PIN or Matching-on-card fingerprint for the second factor Everything else can go directly into the garbage bin
I have never understood the goal of passkeys. Skipping 2FA seems like a security issue and storing passkeys in my password manager is like storing 2FA keys on it: the whole point is that I should check on 2 devices, and my phone is probably the most secure of them all.
It’s not skipping MFA cos some media can provide more than one factor.
E.g. YubiKey 5 (presence of the device) + PIN (knowledge of some credentials) = 2 factors
Or YubiKey Bio (presence of the device) + fingerprint (biological proof of ownership) = 2 factors
And actually unless you use one password manager database for passwords, another one for OTPs, and never unlock them together on the same machine, it’s not MFA but 1FA. Cos if you have them all at one place, you can only provide one factor (knowledge of the manager password, unless you program an FPGA to simulate a write only store or something).
That was my take too.
Security training was something you know, and something you have.
You know your password, and you have a device that can receive another way to authorize. So you can lose one and not be compromised.
Passkeys just skip that “something you have”. So you lose your password manager, and they have both?
I think you mean that passkeys potentially skip the something you know. The something you have is the private key for the passkey (however it’s stored, in hardware or in software, etc). Unlocking access to that private key is done on the local device such as through a PIN/password or biometrics and gives you the second factor of something you know or something you are. If you have your password manager vault set to automatically unlock on your device for example, then that skips the something you know part.
It feels like the goal is to get you married to one platform, and the big players are happy for that to be them. As someone who’s used Keepass for over a decade, the whole thing seems less flexible than my janky open source setup, and certainly worse than a paid/for profit solution like bitwarden.
I love storing 2FA in the password manager, and I use a separate 2FA to unlock the password manager
I imagine you keep your password manager unlocked, or as not requiring 2FA on trusted devices then? Re entering 2FA each session is annoying
You still have the treat of viruses or similar. If someone gets access on your device while the password manager is unlocked (ex: some trojan on your computer), you’re completely cooked. If anything it makes it worse than not having 2FA at all.
If you can access your password manager without using 2FA on your phone and have the built in phone biometrics to open it like phone pin, finger or face, someone stealing your phone can do some damage. (Well, the same stands for a regular 2FA app, but meh, I just don’t see an improvement)
If your secrets enter your clipboard, they are no longer secrets
I went to see HR a month ago and they had a post-it of their password for their password manager. We use passkeys too.
And this was after security training.
I find phones the least secure devices simply because of how likely they are to be damaged or stolen
More than that. You probably use them in public, where there are tons of cameras. So if you forget you phone in say a restaurant, odds are they have video of you unlocking it.
And let’s not forget all the poorly secured wifi access points people commonly connect to…
If you’re using a hardware token to replace passwords, you’re doing 2FA wrong
Dunno, we rolled it out without issue. But of course they also had keepass. You want password AND (TOTP token or hardware token)
Fuck DHH
For me, I’d prefer that everyone just adds biometric authentication techniques. A couple websites do this already and it’s great. Many devices have biometrics built in already and if this was widespread I’d certainly have no problem buying a fingerprint reader for my desktop computer.
That’s literally a passkey.
Question - what do you do when the site is hacked and your biometrics are compromised? Issue new ones?
The password still works.
You don’t have interchangeable fingerprints? Keep up with the times /s
You do realize that your biometric authentication techniques don’t actually send your biometrics (e.g. fingerprint/face) to the website you’re using and that you are actually just registering your device and storing a private key? Your biometrics are used to authenticate with your local device and unlock a locally-stored private key.
That private key is essentially what passkeys are doing, storing a private key either in a password manager or locally on device backed by some security hardware (e.g. TPM, secure enclave, hardware-backed keystore).
Passkeys aren’t a full replacement in my opinion, which is what DHH gets wrong. It’s a secure, user-friendly alternative to password+MFA. If the device doesn’t have a passkey set up you revert to password+MFA.
And the fewer times that people are entering their password or email/SMS-based 2FA codes because they’re using passkeys, the less of an opportunity there is to be phished, even if the older authentication methods are still usable on the account.
Passkeys are also weirdly complex for the end user too, you can’t just share passkey between your devices like you can with a password, there’s very little to no documentation about what you do if you lose access to the passkeys too.
The only way I ever used passkeys is with bitwarden, and there you are sharing them between all bitwarden clients.
From my very limited experience, pass key allows to login faster and more reliable compared to letting bitwarden enter passwords and 2fa keys into the forms, but I still have the password and 2fa key stored in bitwarden as a backup in case passkey breaks.
To me, hardware tokens or passkeys are not there to replace passwords, but to offer a faster and more convenient login alternative. I do not want to rely on specific hardware (hardware token, mobile phone, etc.), because those can get stolen or lost.
Interesting, maybe I’ll give it a try. I didn’t know they could just be synced between devices on bitwarden.
I think that passkeys are simple, but no-one explains what they do and don’t do in specific terms.
Someone compared it to generating private/public key pairs on each device you set up, which helps me a bit, but I recently set up a passkey on a new laptop when offered and it seemed to replace the option to use my phone as a passkey for the same site (which had worked), and was asking me to scan a QR code with my phone to set it up again.
So I don’t know what went on behind the scenes there at all.
The passkey on your phone stopped working when you set one up on your laptop? I would expect the site to allow one per device instead of one per account.
Some sites only allow one public key per account…
It seemed that way, it asked me to scan a QR code on my phone to link it, which didn’t happen before.
Or maybe the option to use my phone was some older auth method, where I’d use the fingerprint reader on the phone to confirm a login on the laptop. I thought that was a passkey, but that doesn’t fit with what I’m reading about what it does now.
you can’t just share passkey between your devices like you can with a password
Either you enroll a sisten that shares them between devices without the need for special interaction (password manager, iCloud etc) or you enroll each device separately into your account.
You can have more than one passkey for a service. This is a good thing.
Gotcha, that makes more sense when explained that way!
you can’t just share passkey between your devices like you can with a password
You would just sign into your password manager or browser on both devices and have access to them?
Additionally, whatever app or service you’re storing them in can provide sharing features, like how Apple allows you to share them with groups or via AirDrop.
there’s very little to no documentation about what you do if you lose access to the passkeys too.
If you lose your password, there are recovery options available on almost all accounts. Nothing about passkeys means the normal account recovery processes no longer apply.
You would just sign into your password manager or browser on both devices and have access to them?
Does it work like that? Everything I see says they’re tied to that device.
If you lose your password, there are recovery options available on almost all accounts.
Fair, I guess I’ve never lost a password because it’s just a text string in my PW manager, not some auth process that can fail if things don’t work just right.
Does it work like that? Everything I see says they’re tied to that device.
It depends on what kind you want to use. If you want the most security, you can store them on something like a Yubikey, with it only being on that device and not exportable. If you get a new device, you’ll need to add that new device to your accounts. For less security but more convenience, you can have them stored in a password manager that can be synced to some service (self-hosted or in the cloud) or has a database file that can be copied.
Fair, I guess I’ve never lost a password because it’s just a text string in my PW manager, not some auth process that can fail if things don’t work just right.
That’s fair. It can be a bit of a mess with different browser, OS, and password manager support and their interactions but it has continued to get better as there is more adoption and development.
I always thought of passkeys as a convenient way to authenticate.
I am password-less on multiple services.
I have an authentication app on my phone that authenticate me when I am away of my computers. I have passkeys on my personal computer and another set of passkeys on my work laptop.
If I have to authenticate from your computer I simply use my auth app, click on “it’s a public computer” and I am good to go.
The dude discovered a butter knife and he tries to replace his spoon with it just to realize it doesn’t work well for eating a soup.
Do you add separate keys on every device?
If you do, how long does it take you to add a new device?For example, when you login on Github, go in your settings, authentication & security on the left.
Click “add passkey”, enter your Windows Hello PIN, click save.
It will ask you to enter a name, so I go with ComputerName-GitHub
Click ok.
Done with this device.
How long does it take? Well, how fast can you do these steps?
This does not scale. I have 400 logins in my Bitwarden account right now.
Why not just passkeys with a “magic link” fallback though?
This is the same as forgotten password so ytf not
I wish all sites using 2FA would just support hardware keys instead of authenticator apps. It’s so much easier to login to a site by just plugging in my hardware key and tapping its button, than going to my authenticator app and typing over some code within a certain time.
It’s even sinpler than email 2fa or sms 2fa or vendor app 2fa.
For authenticator app you also can’t easily add more devices unless you share the database which is bad for security. For hardware security key you can just add the key as an additional 2fa, if the site allows it.
Agreed, my main issues with hardware keys are that so few sites support them, and the OS support is kinda bad like in Windows the window pops up underneath everything and sometimes requires a pin entered.
I also hate that when I last looked nobody made a key that supports USB-C, USB-A, and NFC. So now I’ve got an awkward adapter I need to carry on my keychain.
Yeah it’s truly a shame almost no site other than google and github support hardware security keys.
For your case you would probably want a yubikey 5c and then a usb c to usb a adapter yeah. I wish for a usb a and c and nfc as well.
I disagree with most of those arguments in the article… Additionally, there is nearly no passkey using service that does require you to still have PW and 2FA login active even if you use passkeys
We are right now in the learning/testing phase. It is not a flip and suddenly only passkey work. Transition to passkey only will be a very long time, like it was for 2FA, like, my girlfriend has it on, only at about 2 services, lol.
The main problem I have is, that people without knowledge get grabbed into walled gardens using passkeys. People with knowledge know that you can use alternative apps for passkeys, like proton or strongbox (keepass).
Passkeys are only good if they aren’t in a online password manager. They are better than TOTP 2FA in terms of security and phishing resistance. I see 2FA as a last resort when someone even gets into my password manager. Storing passkeys completely make this useless, as I’m sure anyone that can log into my accounts would’ve done so by getting a hold of my unencrypted password manager database. Unless android provides a real offline way of storing passkeys in the device, I am not interested alot.
Actual zero knowledge encrypted password managers with 2FA?
Keepass?
Or Bitwarden (supposedly)
Bitwarden is an online password manager and no I don’t consider self hosting it offline.
A sufficiently strong password and additional TOTP should protect you well enough.