- Big Tech has implemented passkeys in a way that locks users into their platforms rather than providing universal security
- Passkeys were developed to replace passwords for better account security, but their rollout by Apple and Google has limited their potential
- Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.
I noticed that recently every post on Proton’s blog has been an advertisement of their services.
They are hypocrites.
A few days ago they posted that corporations are bad because it collect fingerprints, profile users, etc., yet they are no better, as their mobile apps rely on Firebase Cloud Messaging (FCM) owned by Google to deliver notifications to their users.
In 2020 they wrote that they were working on an alternative method of delivering notifications, but apparently shitting on corporations is easier than making actual changes.
That’s a google services issue. That’s Google’s fault.
deleted by creator
Yes. It’s still the fact that Google monopolizes shit. Same thing with Apple by the way.
deleted by creator
If I can’t add your passkey to my Bitwarden vault, I’m not using your passkey.
deleted by creator
You can also host it yourself.
https://bitwarden.com/blog/host-your-own-open-source-password-manager/
Eh, easier to just use the same password for everything.
I use 12345, personally.
Huh… same as my luggage.
deleted by creator
I don’t mean to be pedantic but self hosted isn’t cloud.
deleted by creator
I don’t think I understand the question.
To be clear, the alternatives are valid choices.
Doesn’t it require cloud activation?
It requires a key and id they generate.
https://bitwarden.com/help/install-on-premise-linux/
Though from the instructions, I’m not sure if the install needs continuing communication outbound to function.
Why are us nerds like this? No one asked, please dont.
I mean, they were responding to someone who sounded like they were acting superior for self-hosting their password manager. This person chimed in with “well you can self-host Bitwarden too”. And now you’re upset because they offered a direct counterpoint, and furthered a conversation?
This is a guy who planted some Cheerios because he thought they were donut seeds.
Bitwarden proper wants $40/year to have two users sharing passwords. You might try Vaultwarden?
That doesn’t seem unreasonable at all for not having to host your own server.
That’s with hosting your own server. Unfortunately I only discovered this paywall after sending them $10 out of good will.
Of course it’s open source, so it’s certainly possible to break their DRM, and if it were something less sensitive I would.
I still might, but VaultWarden looks like a better alternative.
Nowhere on their pricing page does it say you need to host your own server.
I pay $10/year for my wife and I, total. The $40 is if you want 3-6 people. AFAIK, you still need to pay if you self-host and use the premium features, but you can self host on the free plan as well.
$10/year for my wife and I is completely reasonable, and I’d pay the $40/year if my kids needed their own accounts. It’s a fantastic service.
If you self host you need the $40 plan for two people. Seems kinda backwards, doesn’t it?
Yeah, they absolutely don’t make that clear or I wouldn’t have gone with Bitwarden.
Really? It says it’s supported for each account type. It looks like you don’t even need the $10/year account anymore for sharing with one other user.
You’d think that based on your link, wouldn’t you. I did.
My support ticket response:
Hi Serinus,
There actually isnt a mistake what you are reading is the pricing page for premium individuals, which you already have. But if you check our pricing page for orgs and you are in the free org, you will see that you cannot self-host the free org, as seen here.
You can find more information here; https://bitwarden.com/help/password-manager-plans/#compare-personal-plans
I hope you find this clear and helpful.
Kind regards,
A
Follow Bitwarden on social media:Your issue is creating an org. The free tier allows again one collection with one user. So don’t create an org, share a collection.
One user can’t share a collection with another user. An org is required to share.
Yeah or if they only offer 2FA via SMS. Like 1) it’s not even that much more secure and 2) it’s just more awkward.
But I also hate how Steam and Blizzard only allow you to verify logins in their mobile app. Fucking ridiculous.
deleted by creator
Not surprised,
Google too nowadays.
There’s a reason why they removed their company motto “Don’t be Evil”
Google has obviously been crap for a long time, but that was just a dumb motto to begin with. It’s not aspirational, it’s not useful for anything and it barely requires anything of anyone.
They changed it to: Do the right thing.
It’s not much better, they’re still an awful company, as most companies are, but this is just the worst reason to rag on them.
The right thing to whom? Shareholders? (=
“Don’t be evil” to whom? Shareholders? ;)
“Do the right thing (for the shareholders)”
don’t be google
I thought they just removed the first word.
I’m well versed in IT security, and even with (or because of) my knowledge, I still haven’t looked deep into setting up passkeys on my services. Just because it’s such a clusterfuck of weird implementations.
I can’t imagine being a normal consumer and wanting to set them up. The poor support teams having to support this…
And I’m managing at least one service at work that could totally benefit from passkey integration. The headache of looking into how to properly implement them is just way too much
I can’t imagine being a normal consumer and wanting to set them up.
It’s quite simple on iOS. IIRC, when logging into the paypal website you get a prompt asking if you’d like to use passkeys. Accept that, then you get a keychain prompt asking if you’d like to make/use a passkey. Click continue and pass FaceID authentication, then you’re in with a passkey. For future logins you click the login with passkey and it faceIDs you in. It’s easy.
Then you are totally locked in with Apple devices and cannot switch to Android and take your passkeys with you
I’m not saying it’s good, I’m saying it’s easy. It is not hard for normal consumers to setup.
What does secrets management look like at work?
The way Apple or companies like Paypal implement two-factor authentication, let alone passkeys, drive me up the wall. This all could have been so much better.
I’m not even going to mention all the platforms that rolled out passkey creation support, but not passkey login support, for whichever damn reason
Yeah, Apple 2FA is infuriating, especially since you can do all factors from the same device. Kind of defeats the purpose of traditional 2FA/MFA. Also, companies that decide you 2FA experience has to use their app, instead of a standards-compliant TOTP app of your choosing…ugh.
The factors are:
- Something you have
- Something you are
- Something you know
Here the password is something you know and the device is something you have (typically also protected by something you are, like your fingerprint or face)
Someone with your phone but no password or fingerprint is SOL. Someone with your password but not your phone also SOL
If you think forcing everyone to carry an object other than their phone around so they can use 2factor on their phone is a good idea… Or if you said I need to go to my laptop when I’m logging in on my phone and vise versa… that’s nonsense too. Sure maybe some companies require this. But that’s different.
Authy on my phone is just as “dumb” as Keychain on my phone.
How else are you imagining this should work? Keep in mind normal people need to do it too.
I bring my yubikey with me, it’s in my keychain. This is not only more secure against phone theft/access, which probably is not very relevant for most people, but it spreads the risk of locking yourself out.
For example, I was in Iceland with my girlfriend and she “lost” her phone. We wanted to locate it, so I logged to Google for her, which asked 2FA. If she used her phone, she would have been toast. Instead I made her use yubikeys too, and she just logged in and found her phone.
Obviously you can lose your hardware tokens too, but it’s generally less likely (you take out your home keys way less than your phone, for example). You can also backup your TOTP on multiple devices etc., of course.
For Apple, it’s your iCloud account that everything depends on, and it’s the weakest point. Not by itself maybe, but in practice there needs to be a way to reset your iCloud password, even without your phone. Currently I believe that’s just an Apple representative asking life questions, but that information is mostly publicly available. There needs to be a better way.
A physical 2fa device may be just what we need to securely rest our iCloud passwords, keeping everything else more secure
If I’m on my laptop, and the 2fa code shows on that same laptop, it defeats the purpose of it. The point is sortation of security privileges, ask this just adds more work while providing no less security to the device. It does protect you from remote compromise, though.
It doesn’t defeat the purpose of it, as you indicate, it can protect from remote attacks.
Also most or all of these should require some for of local authentication.
For example I have 2fa apps on my phone, where I need to use them, so yes, that’s less than ideal. However
- it protects against remote attacks
- it protects against SIM attacks
- and even if someone stole my phone and unlocked it, they’d still need my face id for every use
Traditional 2FA (assuming you mean apps with codes) can be done from the same device (if you have the app with the codes installed on that device).
It doesn’t defeat the purpose of 2FA. The 2 factors are 1. The password and 2. You are in possession of a device with the 2FA codes. The website doesn’t know about the device until you enter the code.
Yeah my point is it does not protect the local device well. It does protect well from remote compromise though.
I’m very excited for the concept of passkeys, but indeed it is a bit of a mess right now. Android password managers can’t use passkey inside other apps, basically limited to just the browser. I hope it all gets sorted soon and everyone sticks to an open standard compatibility.
I want to be able to export my passkeys and take them with me to any other chosen passkey manager.
deleted by creator
The idea of a passkey is that it is a security certificate that permanently bound to the software/hardware and can’t be exfiltrated, in the same fashion you’d make one SSH private key per device connecting to a server, never leaving the computer it was generated from. Or how you’d keep your primary PGP keys in a safe location and deploy a unique subkey per device to use it. That way you can revoke an individual subkey if compromised, without revoking the entire chain.
You don’t backup your Passkeys, you associate multiple passkeys per account (ie: ProtonPass, Bitwarden, Yubikeys) as a contingency.
If you can back it up, it can be stolen.
Hmmm see this is how I thought it worked but then Google and Apple providers are syncing passkeys around devices without issue? There are definitely backups and cloud syncs happening. I’m aiming to use an OS agnostic provider like 1password which I’d expect to sync across hardware- but with everything in its infancy I’m not sure how that shakes out.
But tbh that does bring up another concern of mine: I have some 200+ accounts, assuming a passkey world where everything is using them, if a user wanted to change ecosystems it seems they will need to visit every service, edit the account and reconfigure their keys instead of transferring the private keys into the new ecosystem? Sounds like a nightmare!
syncing passkeys around devices without issue?
they are syncing, but under no circumstances it let you see the passkey’s private key in a format that you can import elsewhere, which reduce the amount of damage that can be done, but still if an attacker gain access to your Google account and its “password manager” (or any other password managers tbh) it’s mostly game over at that point.
Personally I don’t have all my passkeys on a physical device, they’re mostly stored in my Bitwarden vault for the convenience of multi-device sync, and the important accounts that offers SSO into other services (Google, Facebook, Amazon, Apple, plus Bitwarden) are protected by multiple hardware tokens with a Passkey for redundancies.
Security is as strong as its weakest link.
Same; I hope the EU does something before it’s a total mess
Better yet: use a hardware 2FA token that supports passkeys
The issue is that most of them are limited in the amount of passkeys they can manage.
In the case of the Yubikey 5
Currently, YubiKeys can store a maximum of 25 passkeys.
How is 25 bad? Do you need a passkey for each service /app/website? Can’t you use the same key for many services? (trying to understand how they work)
Yes, you need a passkey per service, so you would quickly end up with your 25 slots full.
You only need one per website if you want it to autofill the username, because resident keys held on the security token can be recognized and suggested automatically but otherwise you must first enter your username on the website and let the website send its challenge value for the corresponding domain and account pair so that your security token can respond correctly.
Ideally yes, they’re supposed to eventually replace all passwords. Of which I have hundreds. And yes not 100% of them will do that on the near future but a lot more than 25 will.
/aparté: being downvoted for trying to understand gives me reddit vibes well done
Being down-voted for asking questions is bullshit. Your questions are valid and those people suck.
I have 150 passwords in my password manager. I’m not buying 7 YubiKeys (and to be fair that’s not what they’re designated for)
Having a key shared across sites wouldn’t be great. If it was great it would be an article talking about “passkey” not “passkeys” because you would just have one. Like some sort of Skeleton Passkey that unlocks all your shit when compromised.
That’s impossible. Passkeys were designed specifically to be impossible to share across different websites.
Well, that’s basically my point. It’s not a good idea.
No, sharing passkeys across services is way too risky. One service gets compromised, someone gets your passkey, and then they have access to all of your services. It’s the same principle with regular passwords.
Uh, each service only has access to your public key, not the private one that stays with you. It’s less risky than a regular password.
Even with U2F hardware keys where the server-side stores the encrypted key (to allow for infinite sites to be used with a single hardware key), it’s only decryptable on your key and thus isn’t that useful for someone who has compromised a service.
Thanks. I’m still learning about this “new” technology (which already has, what eight years?)
It depends on the passkey type (resident vs non-resident keys)
Passkey = Resident Key
Nonresident keys are not passkeys, they are solely a second form of authentication meaning the service you are logging into still requires a password.
Couldn’t a site theoretically use a nonresident key with just a username, in place of a password?
This seems to imply it might be possible:
https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Resident_Keys.html
Discoverable Credential means that the private key and associated metadata is stored in persistent memory on the authenticator, instead of encrypted and stored on the relying party server. If the credentials were stored on the server, then the server would need to return that to the authenticator before the authenticator could decrypt and use it. This would mean that the user would need to provide a username to identify which credential to provide, and usually also a password to verify their identity.
Right, now I remember reading about that, I forgot.
Eh… That’s not exactly a silver bullet or necessarily “way better”; it’s got a lot of usability issues.
You really only want to do that for your most important sites and then you want to use multiple passkeys to make sure you retain access.
Could someone ELI5 (if possible) what passkeys actually are?
Not ELI5 level but…
If you understand SSH keys, it’s basically the same thing made more general.
Whatever website (e.g. lemmy.world) has a copy of the public key, they encrypt something with the public key, you decrypt it, reencrypt it with your private key and send it back (where they can then decrypt it and verify what they got back is what they expected). By performing that round trip, you’ve verified you have the correct key, and the “door opens.”
The net effect is you can prove who you are, without actually giving someone the ability to impersonate you. It’s authentication via “secret steps only you would know” instead of authentication by a fixed “password” (that anyone who hears it can store and potentially use for their own purposes).
That’s all wrapped up in an open protocol anyone can implement and use to provide a variety of (hopefully) user friendly implementations (like the one Proton made) 🙂
Basically hardware keys (like YubiKey) without hardware
So…. Software keys…
a.k.a password-protected certificates
From my understanding it’s the concept of trust. Basic passwords are complete trust that both ends are who they say they are, on a device that is trusted, and passing the password over the wire is sufficient and nobody else tries to violate that trust. Different types of techniques over time have been designed to reduce that level of trust and at a fundamental level, passkeys are zero trust. This means you don’t even trust your own device (except during the initial setup) and the passkey you use can only be used on that particular device, by a particular user, with a particular provider, for a particular service, on their particular hardware…etc. If at any point trust is broken, authentication fails.
Remember, this is ELI5, the whole thing is more complex. It’s all about trust. HOW this is done and what to do when it fails is way beyond EIL5. Again, this is from my own understanding, and the analogy of hardware passwords isn’t too far off.
so it’s basically what a SSH key is? can I not log in to an account from my laptop if I set it up on my phone then? that seems like a massive hassle if it’s the case
You setup passkeys for all your devices with biometric features. I know I have a Yubikey for my desktop, facial recognition on my phone, and a fingerprint reader on my laptop. So, I setup 3 passkeys using biometric (fingerprint or face). I also kept my password and 2FA for now because it’s all new. I wouldn’t recommend jumping in face first.
I only am using it on a few key sites and partly because I’m a web developer testing it all out. I wouldn’t advise it for the average user at the moment but it’ll mature and many password managers can store passkeys now. As it matures, I’m hopeful it becomes seamless like FaceID and fingerprint readers.
It basically performs the same function as an SSH key (providing public key authentication), yes.
Your issue with logging in on your phone vs laptop can be solved by either syncing them (like the OS/Browser platforms of Google/Apple/Microsoft or a password manager like Proton Pass/Bitwarden do) or by setting up each device separately (like most people should do with SSH keys). Each method comes with trade-offs: syncing means they aren’t device bound and can potentially be stolen, setting it up on each device can be a pain, etc.
The important thing to remember is that passkeys don’t need to be the only authentication methods attached to an account. You can use the convenience of a passkey most of the time when it’s possible and then fall back to another method (like a password/TOTP pair) when that’s not available (such as when setting up a new device). There’s also always the standard account recovery options if all else fails, those don’t necessarily go away.
The other thing to remember is that it’s not trying to be a perfectly secure solution to all authentication everywhere but to replace passwords with something better. Not having to generate and store random passwords with arbitrary complexity requirements, being able to log in with just a tap or a click, and not having anything that needs to be kept secret on the website’s side can be enough of an improvement over passwords to make the change worthwhile.
If a passkey isn’t device bound, what makes different/better than a complex password? Is it just the standardisation that you mention? Enforcing using passkeys becomes exactly the same as enforcing using complex passwords
One key benefit regarding hacking: the data that’s passed back and forth between the user’s browser/app and the website/service is a challenge and a response and is no longer sensitive like a password is and the authentication related data (the public key) that the website stores for a user’s account isn’t useful to an attacker.
One key benefit regarding phishing: passkeys/WebAuthn credentials incorporate the domain name into part of the authentication and it’s enforced by the browser. This means that using a passkey/security key on the wrong site won’t give an attacker anything useful unless they also somehow control the DNS and have a valid TLS certificate to impersonate the site with. This is unlike the situation with a phishing website where a user can be tricked by a fake but convincing looking website into giving over not just a password but a one time code provided through SMS or a TOTP.
One key benefit regarding usability: The user just has to choose which account to log into from their password manager instead of having it need to autofill correctly on the website (I still run into sites that don’t autofill right). They also don’t need to worry about any specific password complexity requirements or changing passwords in response to breaches or password expiration times.
I guess it’s a bit like a bank card with a PIN. You go to pay for something and your card stores your credentials on it. To allow those credentials to be read you need to unlock them using the PIN.
Passkeys sound great. Where’s the support for Firefox, Proton Pass? Bitwarden has it.
Yup, the only missing thing for Bitwarden is the mobile app, but so far none of my apps support it, so whatever.
I use BitWarden’s mobile app just fine on Android.
For passkeys? My understanding is that’s not implemented yet.
Oh, I totally didn’t register you were talking about passkeys. lol sorry. I don’t use them, so I was just talking about the BW app in general .I haven’t run into any compatibility issues with it.
Lock downs are pretty much a hard pass for me. Anything I buy, I research, and if there’s even the slightest hint of BS incompatibility, it’s simply a no go.
Not commenting on the merits of the blogpost’s arguments, but Proton is selling their own product here too
As a fan of Proton services I don’t like “blog posts” from companies where the solution to a problem is just their product, regardless of who the company is
And if you believe in our mission and want to help us build a better internet where privacy is the default, you can sign up for a paid plan to get access to even more premium features.
Translation: don’t give those other guys money, give us your money!
Well no, their call to action isn’t to not give anyone else money. They didn’t have anything negative to say about their competition like 1Password. They’re just warning you about the shady things Google and Apple are doing specifically. And as an alternative they’re offering their own solution instead, which also doesn’t cost any money.
The horrors of giving money to a company that actually cares instead.
Proton enabled passkeys in their free tier. So ultimately, yes by using their free tier and being safe in the thought that you can always leave if you want, that might drive you to pay for a paid plan.
But companies trying to earn your business by offering you a good honest product is not at all the same as a company using anti-consumer practices to keep you from leaving lol.
As someone who is not familiar with photon, I love to see a vendor presenting a feature with a technical discussion, even if they’re also selling it. As far as I can tell, no one was hiding intent, no one was directly selling, so “well done”. Or maybe I just agree with the premise, I dunno
Is this an ad?
That was my observation as well. If it walks like a duck and it quacks like a duck…
Its a witch?
No, no, no. A Witch must float like a duck.
It’s a PSA with an ad at the end.
told ya so, i got downvoted for being skeptical of this shit.
if google or similar is pushing it, is should NOT be trusted!
That is not the takeaway here.
The takeaway is Passkeys are great technology but as implemented by Google, Microsoft, and Apple fall short of what they could be.
This isn’t some “owned by the billionaire class”. It’s an open standard that’s why Bitwarden and Proton both have implementations. Big tech of course provided implementations that are not as portable as possible, that’s all that’s going on here.
There’s really not some big conspiracy to kill kittens or whatever. Passkeys are far more secure (and for most people far more usable) than passwords.
The takeaway is Passkeys are great technology but as implemented by Google, Microsoft, and Apple fall short of what they could be.
then get them implemented by someone else useably. that open authentication login garbage they pushed years ago was also supposed to be an open standard, but you can only use it if you lock yourself in to facebook/google to this day. i still have to use a different password for each damn website still.
id like to see its opennes at work in the real world, in practice, first.
Proton, Bitwarden, 1Password, Yubico (via the Yubikey), and others (including big tech) already have their own independent implementations(?)
Even Keypass has at least a partial implementation https://github.com/keepassxreboot/keepassxc/pull/8825
i’m sure they do, but can i login to most websites using them?
99/100 i get the option to use facebook, google or just bite the bullet and make an account. i’m talking about this by the way:
Yes. Any website that has implemented passkey authentication can be logged into by any Passkey provider. There are no websites that “Only accept Apple passkeys”
I think you better understood their question; thanks for jumping in.
You still deserve those downvotes. There’s nothing to not trust about passkeys.
The billionaire owner class are defacto untrustworthy.
No one is suggesting that you secure your online accounts with the billionaire owner class. They’re suggesting you secure them with passkeys.
nah, give me an alternative not exclusively controlled by oligarchs and i will consider it.
Youre get downvoted by the same MS defender chuds.
Fuck the billionaires.
Not sure what Google has to do with passkeys besides the fact that they’ve implemented them. Google implemented passwords too but I’m guessing you’re fine with those?
Passkeys are not exclusively controlled by oligarchs so I guess by your own admission you should consider them.
i will, when i see these claims of openness estabilished and working in practice.
Well you’re in luck, they’re currently established and working in practice.
Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.
I wonder if there could be any bias in Proton claiming their product is the best
Well of course. It’s still right - the ecosystem lock-in is insane. There needs to be a standard for cloud to cloud transfer between providers.
Or you know, use Proton Pass or 1Password.
I’d trust them miles before Google or Apple. Hell, they dropped the prices on some of their products when they found ways to provide them cheaper. Proton is a good company.
That doesn’t mean they will be around forever. Economic realities care little about whether a company is good or not.
In fact history has shown the good die out or become corrupt. Still using them for now though.
Iirc you can export everything. Most allow export of passwords of course but i think proton allows export of passkeys too.
So there’s portability if they ever do disintegrate.
Do you typically just take people’s word for their claims or do you do cursory research?
Any example of websites where I can try passkeys? I have both bitwarden and Proton pass to test out
I personally like the demo at https://www.passkeys.io/.
Test site: https://webauthn.io/
Known sites: https://passkeys.directory/
Github, Bitwarden itself, Cloudflare, Microsoft
