- Big Tech has implemented passkeys in a way that locks users into their platforms rather than providing universal security
- Passkeys were developed to replace passwords for better account security, but their rollout by Apple and Google has limited their potential
- Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.
Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.
I wonder if there could be any bias in Proton claiming their product is the best
Do you typically just take people’s word for their claims or do you do cursory research?
I’d trust them miles before Google or Apple. Hell, they dropped the prices on some of their products when they found ways to provide them cheaper. Proton is a good company.
That doesn’t mean they will be around forever. Economic realities care little about whether a company is good or not.
Iirc you can export everything. Most allow export of passwords of course but i think proton allows export of passkeys too.
So there’s portability if they ever do disintegrate.
In fact history has shown the good die out or become corrupt. Still using them for now though.
Well of course. It’s still right - the ecosystem lock-in is insane. There needs to be a standard for cloud to cloud transfer between providers.
Or you know, use Proton Pass or 1Password.
Any example of websites where I can try passkeys? I have both bitwarden and Proton pass to test out
I personally like the demo at https://www.passkeys.io/.
Test site: https://webauthn.io/
Known sites: https://passkeys.directory/
Github, Bitwarden itself, Cloudflare, Microsoft
It seems no matter what new advancements we make in technology the big tech companies seek nothing more to implement it in a way that benefits themselves. Regardless if it means fucking over the consumer.
I really hate what the internet has become over the last couple of years.
That’s capitalism for you. They’re not interested in making things better, they’re interested in making more profit.
Correct. But often that only happens if they make things better for you.
On the contrary, companies making a profit by making things better for you as a concept is pretty close to extinct. See corporations realized they don’t have to make better products if they just box out the competition so that you no longer have a choice. Theres even a term for it now, because practically every company across every industry is doing it, enshittification. Charging more for inferior projects is the new goal.
A company that grows itself by making a better product is an objective rarity in the modern world.
Lock downs are pretty much a hard pass for me. Anything I buy, I research, and if there’s even the slightest hint of BS incompatibility, it’s simply a no go.
Not commenting on the merits of the blogpost’s arguments, but Proton is selling their own product here too
As a fan of Proton services I don’t like “blog posts” from companies where the solution to a problem is just their product, regardless of who the company is
As someone who is not familiar with photon, I love to see a vendor presenting a feature with a technical discussion, even if they’re also selling it. As far as I can tell, no one was hiding intent, no one was directly selling, so “well done”. Or maybe I just agree with the premise, I dunno
And if you believe in our mission and want to help us build a better internet where privacy is the default, you can sign up for a paid plan to get access to even more premium features.
Translation: don’t give those other guys money, give us your money!
The horrors of giving money to a company that actually cares instead.
Well no, their call to action isn’t to not give anyone else money. They didn’t have anything negative to say about their competition like 1Password. They’re just warning you about the shady things Google and Apple are doing specifically. And as an alternative they’re offering their own solution instead, which also doesn’t cost any money.
Proton enabled passkeys in their free tier. So ultimately, yes by using their free tier and being safe in the thought that you can always leave if you want, that might drive you to pay for a paid plan.
But companies trying to earn your business by offering you a good honest product is not at all the same as a company using anti-consumer practices to keep you from leaving lol.
what are passkeys? like biometrics fngerprints or facisl recognition you mean?
Passkeys are a way of doing public/private key-pair crypto to prove that you are in possession of the private key that corresponds to the public key that was registered with a site or service when you added the passkey to the account. The use of the passkey is often protected by biometrics like the fingerprint or facial recognition systems on your device but it doesn’t necessarily need to use biometrics at all if you don’t want to and you can instead use a passcode to unlock your device or password/passkey manager.
Basically instead of the normal way with passwords:
- You —password—> website
- Website verifies password matches, either directly to an actual stored password (bad) or through a hash they have stored
With passkeys you have:
- You <—challenge— website
- You sign the challenge with a private key that only you have
- You —signed challenge —> website
- Website verifies that the signed challenge corresponds to the public key you provided when you set up the passkey
In the password scenario, the website could be following best practices and hashing the password or it could just be storing them directly and insecurely. You have no idea what really goes on inside their systems. This means that due to reused passwords, a security breach at one site can mean problems for other sites, even if they didn’t do anything wrong.
In the passkey scenario, you’re not sending anything particularly sensitive to each site so it’s more secure.
If I use a password manager with long random passwords, and use 2FAS to generate those 6-digit two factor authentication codes whenever possible (as opposed to SMS/email 2FA), is there any advantage?
Is it just that you don’t actually have to type anything, just press “I approve” on your phone after entering your username?
Or is it more just designed to improve security for people like my family members who use the same ~10 digit passwords for everything?
No, it’s like a security certificate to authenticate. It’s a secret that your key vault presents to the site to validate that you’re who you say you are.
like an encryption key? or cookies? I’ll try to look up how they work
Asymmetric cryptographic signing keypairs. An ECDSA variant is used to create and validate signatures. Your device creates a unique keypair per domain you register on. It only sends signatures, which doesn’t reveal what the secret key is, and each signature is based on a single use challenge value.
Exactly like an encryption key. Here’s a video from Security Now with Steve Gibson (a well known security researcher) who explained it in a fairly approachable fashion. That link should start at the beginning of that segment, about 1:31:00 in.
Here is an alternative Piped link(s):
Security Now with Steve Gibson
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.
They’re the private half of a public/private key pair, much like how you make encrypted connections to websites.
The gist of passkeys are that the secret you’re using to login to your accounts is stored on your device (Or in your password manager) and is never sent to or stored on the server. So if a website you have an account on is breached, unlike with a password, your passkey can’t be stolen, because they don’t have it.
Similarly, your passkey can’t be phished. If a malicious actor directed you to a fake login page and you didn’t notice and entered your password into the fake login form, they now have stolen your password. But because your passkey is not sent to the server like a password, the fake login page wouldn’t get anything.
And because your passkey isn’t something you have to remember, you can’t create an insecure one like with a password, and you can’t reuse the same one for different accounts.
I can wrap my head around the secret being stored in your device, but what happens when you go to a different device?
Let’s say for example, I am at my friend’s house, and for one reason or another, I don’t have my phone. My Gmail account is passkey locked, but I need to check my email from my friend’s laptop. Would that require that I install passkey on their laptop, and log in to my passkey account? Does that also mean that if I forget to log out of passkey, they can access all of my accounts correlated with my passkey account? If that’s the case, what happens if my passkey account is compromised? All of my accounts are linked to a single point of failure?
A friend of mine had to break out some kind of USB dongle to log into his Google account on a new machine the other day. Is that a form of passkey? What happens if that dongle gets lost/stolen/broken? Or what if you just forgot it at home? Are you SOL?
I am all for more security and less password remembering, but I hop around a lot of computers.
Let’s say for example, I am at my friend’s house, and for one reason or another, I don’t have my phone.
If you need to log into your friend’s laptop to check your email, you would need your phone or some other passkey you had set up for your account, yes, as long as that was the only login method you have setup on your account. If you don’t have your phone, you might not be able to pass the two-factor steps or account login location checks many accounts. If Google finds the new login attempt suspicious for some reason, it will ask for additional checks like a code sent to your email or through a text and you may not be able to log in with just the password anyways. Just because you have the right username and password, it doesn’t mean that a service may let you log in without access to some kind of other trusted information accessible on an existing device.
Overall though, think of it like forgetting your physical keys.
Does that also mean that if I forget to log out of passkey, they can access all of my accounts correlated with my passkey account?
Yes, the same as if you had left your physical keys there and those keys provided access to all your accounts. There may be some technical protections like the timeout until it locks on a password manager but that’s up to the password/passkey manager app to implement and for the OS to guarantee the security of. It’s no different from loading up your password manager on the device. If you don’t trust the device or the owner of the device, you should not access your password/passkey manager on it.
what happens if my passkey account is compromised? All of my accounts are linked to a single point of failure?
The same thing that happens if your password manager is compromised: you secure it (rotate encryption, create a new database, however you want) and then you set about updating new passwords and passkeys for your accounts. That’s why it’s recommended to only have your actual password/passkey manager on something you trust (your phone, your computer, etc) and use that device as the passkey for whichever other device your logging into rather than loading up your password/passkey manager on each device you’re logging into.
A friend of mine had to break out some kind of USB dongle to log into his Google account on a new machine the other day. Is that a form of passkey?
It’s a form of WebAuthn credential most likely, yes. Passkeys aren’t actually entirely new in how they can be used with accounts, the standards have been there for a while now. It’s mainly just a unified marketing from the big players as well as developing an ecosystem around it the standard such as the protocols for using a phone via Bluetooth as a passkey on a desktop/laptop to log in and other things like syncing the passkeys between devices using their existing password manager services for user convenience (so that the average person can actually use them). Under the hood it’s still WebAuthn for the actual authentication. Hardware security keys that connect via USB, Bluetooth, or NFC have been around for a while but have usually operated in nonresident key mode where they’ve been used for second factor authentication. Nonresident key mode has the advantage of storing the private key in an encrypted format with the website or service your logging into, meaning that the actual hardware key doesn’t need to have any storage capacity and can work with an infinite number of sites. This has the disadvantage that you have to provide a username (and typically a first factor like a password) to lookup which keys should be used (ie the ones associated with a specific account). That is probably how your friend logged in with a USB dongle. WebAuthn credentials that operate in resident key mode like passkeys do on the other hand store both the information related to identity and authentication, meaning that all you have to do is select the account you want to log into. This requires that they are stored on a trusted device like a phone, a laptop, or a hardware security key dongle that has storage.
What happens if that dongle gets lost/stolen/broken? Or what if you just forgot it at home? Are you SOL?
Again, the same thing that happens when you forget your physical keys for your car or home. You can’t access the thing protected by them until you go get them. The alternative is to bypass the normal authentication workflow and work around it, such as with an account recovery process (similar to getting a locksmith to get back into your car or home).
I am all for more security and less password remembering, but I hop around a lot of computers.
Then you’d probably like being able to log in by just unlocking your phone and confirming things, rather than having to go through a password lookup and one time code entering process each time.
Cool, thanks for the info. This is something I have wanted to setup for a little while now, I just didn’t understand all of the nuances.
account is passkey locked, but I need to check my email from my friend’s laptop. Would that require that I install passkey on their laptop
Yes but you would not want to do that. I can’t imagine a scenario where you could make it to your friends house without your phone, and also need to check your email so bad that you borrow their laptop, but in that case you would not be able to log in. Unless your passkey for that service is stored in your password manager, in which case you’d have to log in to that first.
Does that also mean that if I forget to log out of passkey, they can access all of my accounts correlated with my passkey account?
There is no “Passkey account”, it’s not a service or an app. It’s a file stored either on your device or in your password manager.
what happens if my passkey account is compromised? All of my accounts are linked to a single point of failure?
I already brought up that you have no “passkey account” to compromise, but if your passkey was somehow stolen, the only thing compromised would be the service that passkey is for.
A friend of mine had to break out some kind of USB dongle to log into his Google account on a new machine the other day. Is that a form of passkey?
You can get hardware devices to store passkeys on, yes.
What happens if that dongle gets lost/stolen/broken? Or what if you just forgot it at home? Are you SOL?
If it’s lost or stolen you’d want to make new passkeys yes. If you forgot it at home, you wouldn’t be able to log in if the hardware device was the only thing you had a passkey stored on.
I wonder how often you truly forget important every day articles at home, despite you needing to get connected to things at a moments notice. I don’t think I’ve forgotten my phone anywhere once in the last 15 years.
The thing is, all these scenarios you’re coming up with are no different for passkeys than they are for complex, unique, secure passwords. It sounds like your usual MO is being able to recall your password (In the case you’ve forgotten your phone and are in a borrowed device), which means your passwords likely aren’t secure, and you’re probably reusing them, which is more of a “single point of failure” than passkeys ever could be.
Honestly, my advice to you is before you even start considering passwords vs passkeys, you need to fix yourself up man. You need to get your shit together a lil bit.
I am not using passkeys until it’s possible to easily migrate them between providers (not just devices / browsers). If I used Proton Pass, and then later decided to use another password manager, could I export my passkey data?
Proton Pass allow you to export your passwords in various formats (both plain and encrypted). That you are able to import somewhere else is not something Proton Pass can guarantee but you have your data.
We’ve also given passkeys and passwords equal priority so that you can use them interchangeably in our apps. This means you can store, share, and export passkeys just like you can with passwords.
That’s excellent. Thanks for pointing that out!
The next question is does anyone actually let you import passkeys? I don’t think there is ☹️
I have a few keys in Bitwarden but before I go adding more I am going to play with Proton Pass. A lot of users were understandably annoyed when Bitwarden released passkey support but in such a limited manner.
told ya so, i got downvoted for being skeptical of this shit.
if google or similar is pushing it, is should NOT be trusted!
You still deserve those downvotes. There’s nothing to not trust about passkeys.
nah, give me an alternative not exclusively controlled by oligarchs and i will consider it.
Not sure what Google has to do with passkeys besides the fact that they’ve implemented them. Google implemented passwords too but I’m guessing you’re fine with those?
Passkeys are not exclusively controlled by oligarchs so I guess by your own admission you should consider them.
i will, when i see these claims of openness estabilished and working in practice.
Well you’re in luck, they’re currently established and working in practice.
Youre get downvoted by the same MS defender chuds.
Fuck the billionaires.
The billionaire owner class are defacto untrustworthy.
No one is suggesting that you secure your online accounts with the billionaire owner class. They’re suggesting you secure them with passkeys.
That is not the takeaway here.
The takeaway is Passkeys are great technology but as implemented by Google, Microsoft, and Apple fall short of what they could be.
This isn’t some “owned by the billionaire class”. It’s an open standard that’s why Bitwarden and Proton both have implementations. Big tech of course provided implementations that are not as portable as possible, that’s all that’s going on here.
There’s really not some big conspiracy to kill kittens or whatever. Passkeys are far more secure (and for most people far more usable) than passwords.
The takeaway is Passkeys are great technology but as implemented by Google, Microsoft, and Apple fall short of what they could be.
then get them implemented by someone else useably. that open authentication login garbage they pushed years ago was also supposed to be an open standard, but you can only use it if you lock yourself in to facebook/google to this day. i still have to use a different password for each damn website still.
id like to see its opennes at work in the real world, in practice, first.
Proton, Bitwarden, 1Password, Yubico (via the Yubikey), and others (including big tech) already have their own independent implementations(?)
Even Keypass has at least a partial implementation https://github.com/keepassxreboot/keepassxc/pull/8825
i’m sure they do, but can i login to most websites using them?
99/100 i get the option to use facebook, google or just bite the bullet and make an account. i’m talking about this by the way:
Yes. Any website that has implemented passkey authentication can be logged into by any Passkey provider. There are no websites that “Only accept Apple passkeys”
I think you better understood their question; thanks for jumping in.
Passkeys sound great. Where’s the support for Firefox, Proton Pass? Bitwarden has it.
Yup, the only missing thing for Bitwarden is the mobile app, but so far none of my apps support it, so whatever.
I use BitWarden’s mobile app just fine on Android.
For passkeys? My understanding is that’s not implemented yet.
Oh, I totally didn’t register you were talking about passkeys. lol sorry. I don’t use them, so I was just talking about the BW app in general .I haven’t run into any compatibility issues with it.
Yeah I’ve avoided passkeys. Anything that Google is pushing to me is always in their interests.
A lot of my hesitation is that not only are passkeys being pushed by the big vendors AND they seem to have a less than portable implementation BUT ALSO they don’t seem to give enough details. Everything is dumbed down for the less technical until it means nothing
I like that this thread already has more actual information than all the outreach of the big vendors over months
The spec behind it is solid, it creates per-domain cryptographic keyspairs which allows your device to prove you’re you in a standardized and secure way while avoiding adding a new way to track you across sites, and by using the device’s TPM chip to hold the key it’s also resistant to most types of manipulation.
People not getting phished is in their interests. That doesn’t mean it’s not in yours.
People getting their accounts compromised leads to spam email, spam comments, fake crypto livestreams, etc that impact others. Google definitely has an interest in preventing people from getting their accounts compromised and not just for the benefit of the individuals with the accounts but their platforms as a whole.
Google pushed email accounts to you, do you not have an email address either?
Email was already ubiquitous and generally standardized by the time Gmail released in 2004.
Asymmetric cryptography has been ubiquitous and generally standardized by the time Google began letting you store Passkeys, so what’s your point?
Is Google supporting a particular service or system a dealbreaker for you or not? Because Google has far more fingers in the public operation of email than it does passkeys. So if you’re still ok with having an email account, then you should be just as ok with using passkeys.
I’m not locked into Gmail: I know it implements standards and I choose it as long as it is most convenient.
A lot of what comes into my gmail account is actually addressed to various aliases from various providers, and I can point those aliases anywhere
In particular, all my recent online accounts use unique generated email addresses that I can disable at will, and that forward to my actual email
Well that’s great news, then you’ll like passkeys because you can use them without being locked into anything.
That is not the takeaway here.
The takeaway is Passkeys are great technology but as implemented by Google, Microsoft, and Apple fall short of what they could be.
Are we talking in circles here? “I avoid passkeys because of Google” “Passkeys implemented by Google have problems”
Are we talking in circles here?
No. “I avoid passkeys because of Google” is avoiding an entire technology because of a bad implementation. “Passkeys implemented by Google have problems” is only avoiding passkeys implemented by Google, leaving using passkeys still on the table.
The way out of the circle that you’ve put yourself in is realizing Google isn’t the only company implementing passkeys.
And that most people are in multiple ecosystems…e.g. Android/iOS + Windows. So they can’t use a solution that’s not interoperable.
Fortunately there are several interoperable solutions now. There weren’t as recently as last year though.
If I can’t add your passkey to my Bitwarden vault, I’m not using your passkey.
If I can’t add your passkey to my local KeepassXC database, I am not using your passkey.
You can also host it yourself.
https://bitwarden.com/blog/host-your-own-open-source-password-manager/
Why are us nerds like this? No one asked, please dont.
I mean, they were responding to someone who sounded like they were acting superior for self-hosting their password manager. This person chimed in with “well you can self-host Bitwarden too”. And now you’re upset because they offered a direct counterpoint, and furthered a conversation?
This is a guy who planted some Cheerios because he thought they were donut seeds.
Eh, easier to just use the same password for everything.
I use 12345, personally.
Huh… same as my luggage.
Yea, I know. But my preference is for my password manager to not be cloud at all.
I don’t mean to be pedantic but self hosted isn’t cloud.
Yea, I understand, and it’s a perfectly valid choice. But does that disregard people’s preference to not bother with this at all?
I don’t think I understand the question.
To be clear, the alternatives are valid choices.
Doesn’t it require cloud activation?
It requires a key and id they generate.
https://bitwarden.com/help/install-on-premise-linux/
Though from the instructions, I’m not sure if the install needs continuing communication outbound to function.
Bitwarden proper wants $40/year to have two users sharing passwords. You might try Vaultwarden?
That doesn’t seem unreasonable at all for not having to host your own server.
That’s with hosting your own server. Unfortunately I only discovered this paywall after sending them $10 out of good will.
Of course it’s open source, so it’s certainly possible to break their DRM, and if it were something less sensitive I would.
I still might, but VaultWarden looks like a better alternative.
Nowhere on their pricing page does it say you need to host your own server.
I pay $10/year for my wife and I, total. The $40 is if you want 3-6 people. AFAIK, you still need to pay if you self-host and use the premium features, but you can self host on the free plan as well.
$10/year for my wife and I is completely reasonable, and I’d pay the $40/year if my kids needed their own accounts. It’s a fantastic service.
If you self host you need the $40 plan for two people. Seems kinda backwards, doesn’t it?
Yeah, they absolutely don’t make that clear or I wouldn’t have gone with Bitwarden.
Really? It says it’s supported for each account type. It looks like you don’t even need the $10/year account anymore for sharing with one other user.
You’d think that based on your link, wouldn’t you. I did.
My support ticket response:
Hi Serinus,
There actually isnt a mistake what you are reading is the pricing page for premium individuals, which you already have. But if you check our pricing page for orgs and you are in the free org, you will see that you cannot self-host the free org, as seen here.
You can find more information here; https://bitwarden.com/help/password-manager-plans/#compare-personal-plans
I hope you find this clear and helpful.
Kind regards,
A
Follow Bitwarden on social media:Your issue is creating an org. The free tier allows again one collection with one user. So don’t create an org, share a collection.
One user can’t share a collection with another user. An org is required to share.
Yeah or if they only offer 2FA via SMS. Like 1) it’s not even that much more secure and 2) it’s just more awkward.
But I also hate how Steam and Blizzard only allow you to verify logins in their mobile app. Fucking ridiculous.
It is stupid that they not only require the app to be present, but to verify each and every trade. Even those for items that drop to everyone for free. Good thing it does work in an Android VM but still - very annoying.
Jokes on them: If they allowed passkeys on iOS 16 or have let the iPhone X update to iOS 17, I most likely fell for it, now I have only some 2FA keys that I need to pull from keychain (have no macOS)
I noticed that recently every post on Proton’s blog has been an advertisement of their services.
They are hypocrites.
A few days ago they posted that corporations are bad because it collect fingerprints, profile users, etc., yet they are no better, as their mobile apps rely on Firebase Cloud Messaging (FCM) owned by Google to deliver notifications to their users.
In 2020 they wrote that they were working on an alternative method of delivering notifications, but apparently shitting on corporations is easier than making actual changes.
That’s a google services issue. That’s Google’s fault.
It was their choice to not exclude this knowingly-evil service from their applications though.
Yes. It’s still the fact that Google monopolizes shit. Same thing with Apple by the way.
But there are apps that have been built with Google-independent notifications. Proton could have supported UnifiedPush, for example, yet they decided not to.
Not surprised,
Google too nowadays.
There’s a reason why they removed their company motto “Don’t be Evil”
I thought they just removed the first word.
Google has obviously been crap for a long time, but that was just a dumb motto to begin with. It’s not aspirational, it’s not useful for anything and it barely requires anything of anyone.
They changed it to: Do the right thing.
It’s not much better, they’re still an awful company, as most companies are, but this is just the worst reason to rag on them.
“Do the right thing (for the shareholders)”
The right thing to whom? Shareholders? (=
“Don’t be evil” to whom? Shareholders? ;)
don’t be google
I’m well versed in IT security, and even with (or because of) my knowledge, I still haven’t looked deep into setting up passkeys on my services. Just because it’s such a clusterfuck of weird implementations.
I can’t imagine being a normal consumer and wanting to set them up. The poor support teams having to support this…
And I’m managing at least one service at work that could totally benefit from passkey integration. The headache of looking into how to properly implement them is just way too much
I can’t imagine being a normal consumer and wanting to set them up.
It’s quite simple on iOS. IIRC, when logging into the paypal website you get a prompt asking if you’d like to use passkeys. Accept that, then you get a keychain prompt asking if you’d like to make/use a passkey. Click continue and pass FaceID authentication, then you’re in with a passkey. For future logins you click the login with passkey and it faceIDs you in. It’s easy.
Then you are totally locked in with Apple devices and cannot switch to Android and take your passkeys with you
I’m not saying it’s good, I’m saying it’s easy. It is not hard for normal consumers to setup.
What does secrets management look like at work?
