this post was submitted on 14 Feb 2024
228 points (88.8% liked)

Technology

59135 readers
6622 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
L4s@lemmy.world
L3s@fry.gs
L4s@fry.gs
enu@lemmy.world
228
Passkeys might really kill passwords (www.theverge.com)
submitted 8 months ago by Ninjazzon@infosec.pub to c/technology@lemmy.world
174 comments fedilink hide all child comments
 

Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing... that lives on my phone? What if I lose my phone? What if you steal my phone?

you are viewing a single comment's thread
view the rest of the comments
[–] Pulptastic@midwest.social 2 points 8 months ago* (last edited 8 months ago) (1 children)

So you really need two independent devices with their own passkeys to back each other up.

[–] monko@lemmy.zip 3 points 8 months ago (2 children)

Not sure exactly what you're getting at, but any authentication model must be designed with the assumption that a user can lose all their devices, passkeys included. That's where fallbacks come into play. Even with Apple's system, you can recover your keychain through iCloud Keychain escrow, which (according to their help page) uses SMS:

To recover your keychain through iCloud Keychain escrow, authenticate with your Apple ID on a new device, then respond to an SMS sent to a trusted phone number.

While SIM swaps aren't super common, they're not the most difficult attack. Passkeys are strong against direct attacks, for sure. But if I can reset your account using a text message sent to a device I control, is it really that much more secure?

[–] unconfirmedsourcesDOTgov@lemmy.sdf.org 4 points 8 months ago (1 children)

So if you lose access to all of your devices, you're completely locked out of everything until you're able to get a new working phone activated on a trusted phone number? The trade-off of inconvenience for security here just doesn't seem worth it to me.

[–] monko@lemmy.zip 2 points 8 months ago

Depends on the provider in question. While Apple does allow SMS recovery, they also let you designate a trusted contact who can let you in as an alternative. This is obviously more convenient (if you have a friend or family member who can be available when you need them), but the situation with SMS vulnerabilities is still my main gripe.

[–] Pulptastic@midwest.social 1 points 8 months ago (1 children)

Is it possible to use some kind of fingerprinting to identify people? It works for marketers, could that idea be used for security?

I am a total noob who is interested, if I come across as uninformed it is because I am.

[–] monko@lemmy.zip 3 points 8 months ago

Totally! Browser and device fingerprinting are commonly used as first-line defenses against ATOs (account takeovers). There are other kinds of fingerprinting, like those that can learn about your installed hardware and drivers. Really, I'm learning about more fingerprinting methods all the time. That said, decisions are usually made based on several different information sources. These include variables like:

  • GPS geolocation
  • IP address/location
  • Time of day
  • Device ID, OS version, browser version, etc.
  • Hardware profiles, including CPU and GPU architecture/drivers
  • User behavior like mouse movement, typing patterns, and scrolling
  • Whether the user is connecting via a known VPN IP address
  • Cookies and extensions installed on the browser

There's even some buzz around "behavioral biometrics" to identify individuals by how they type, but this is still not the sole method of identification. It's mainly about flagging bots who don't type like humans. However, learning how an individual types can help you determine if a subsequent visitor is the actual account owner or a bad actor.

In my experience, fingerprinting and adjacent identity proofs are rarely used in isolation. They're often employed for step-up authentication. That means if something doesn't match up, you get hit with a 2FA/MFA prompt.

Step-up can be pretty complex if you want it to be, though, with tons of cogs and gears in the background making real-time adjustments. Like you might not even realize you've been restricted during a session when you log in to your bank account, but once you try to make a transfer, you'll get an MFA prompt. That's the UX people in action, trying to minimize friction while maintaining security.