Until someone can explain to me how I can transfer, manage and control my passkeys without syncing them to some hostile corporation's cloud infrastructure, passkeys will remain a super hard sell for me.
Technology
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
You can use Bitwarden to store passkeys. Not sure if the self hosted solution has support for it yet though.
I must admit that, despite reading about passkeys a bit, I still don't understand the actual practicalities. I seem to recall that Bitwarden can store keys, but can't generate them. If that's true, who generates the passkey?
Bitwarden can both generate and store them in the browser extension. It can also use them through the browser extension but it can't yet use them through the mobile apps (they're working on it).
Vaultwarden does at least, I've been using it with passkeys for the last couple months and it's been great.
I currently use Syncthing to keep my Keepass database updated on my phone, laptop, and home server. Any change anywhere is instantly sent directly to the other 2 devices.
Depends on where the line is as far as evil goes. Most of the popular password managers are now starting to support storing passkeys.
If only companies wouldn't be patronizing ass hats about it. A few sites deny storing passkeys in software wallets because of "security". So what, keep using my password is safer now? Fucktards.
Many websites only allow creating a passkey on mobile for example. I also created passkeys on quite a few sites that straight up removed the feature a few days after. I also never found a site that let you completely remove password authentication after adding a passkey.
Even on mobile they are asshats. I have my password manager registered as the passkey wallet in iOS, so creating a passkey in PayPal for example fails.
I didn't like that they interviewed a corporate PR person instead of a real security expert. Sorry but that lady is just deflecting and spinning and missing so many important details to promote 1password.
Generally like the verge but this one was a bit lazy ngl - was there really no neutral or open source expert available?
corporate PR person instead of a real security expert
That's called an advertisement.
Can somebody help me understand the advantages of passkeys over a password manager? Googling just brings up tons of advertising and obvious self promotion, or ELI5s that totally ignore best passwords practices using managers.
Passkeys work like a public/private key pair you’d use to secure SSH access to a server. You give the website a public key that corresponds to a private key generated on your local device. Unlike a password it’s not feasible to brute force and there’s nothing you have to remember which makes it more convenient for you to use. If a site is hacked and they gain access to the public passkey you use to authenticate, it can’t be used to authenticate anywhere.
It’s not really an alternative to a password manager, because you can use a password manager to generate and sync a single passkey between all your devices. In fact 1Password is a big proponent of passkeys and even maintain a big directory of sites that use passkeys.
Passwords are known (or accessible in a password manager) by the user and the user gives one to a site to prove they are who they say they are. The user can be tricked into giving that password to the wrong site (phishing).The site can also be hacked and have the passwords (or hashes of the passwords leaked), exposing that password to the world (a data breach).
With passkeys, the browser is the one checking that it's talking to the right site before talking by making sure the domain name matches. Passkeys also don't send a secret anywhere but instead use math to sign a message that proves they are the returning user. This security is possible because there is a public key and a private key. The user is the only one with a public key. The authenticity of the message is guaranteed by math by checking it with the public key that the user provided to the site when they registered their passkey. The site doesn't need access to the private key that the user has to verify the message so there's nothing sensitive for the site to leak.
In practical terms, instead of having to have your password manager autofill the username and password and then do some kind of second factor, it just signs a message saying "this is me" and the site logs you in.
So it sounds like basically it's just client certificates?
Basically, but with a separate public/private key pair per login so they aren't able to link your identity between sites or accounts with it and also synced or stored in a password manager so you don't lose them.
What if I lose my phone? What if you steal my phone?
Bitwarden supports passkeys, which are stored in your bitwarden vault. If you lost your device, as long as you can still access your bitwarden account, your passkey should still usable.
I can login with the same passkey on Firefox and Chrome using bitwarden. Too bad it doesn't work on mobile yet.
Good talk, glad this is being discussed. Having worked adjacent to the authentication market, I have mixed feelings about it, though.
There are a few problems with passkeys, but the biggest one is that no matter what, you will always need a fallback. Yes, Apple promises a cloud redundancy so you can still log in even if you lose every device.
But that's just Apple's ecosystem. Which, for what its worth, is still evolving. So the passkey itself is phishing-resistant, but humans still aren't. Fallbacks are always the weakest link, and the first target for bad actors. Email, or sometimes phone and SMS, are especially vulnerable.
Passkeys in their current iteration are "better" than passwords only in that they offload the fallback security to your email provider. Meanwhile, SIM swapping is relatively ready easy for a determined social engineer, and mobile carriers have minimal safeguards against it.
Usability? Great, better than knowledge-only authentication. Security? Not actually that much better as long as a parallel password, email, or SMS can be used as a recovery or fallback mechanism.
I'm not saying passkeys are bad, but I'm tired of the marketing overstating the security of the thing. Yes, it's much more user-friendly. No one can remember reasonably complex passwords for all 100 of their online accounts. But selling this to the average consumer as a dramatic security upgrade, especially when so many still run passwords in parallel or fall back to exploitable channels, is deceptive at best.
We shouldn't be getting rid of passwords, or one time passwords, or two factor authentication, or single use codes. The point of security is overlapping features is what brings convenience and deterrence.
It's probably overkill for most people but I would love to have a system that lets me choose what combination of factors together work to login rather than just 'password and something else'. Something like A,B,C are on the account and you can use A+B or B+C to login. It'd be great for those who don't necessarily want to trust SMS-based one-time passwords (due to SIM swapping, theft, etc) if we could require something else along with it.
That said, the way passkeys are typically used satisfy multiple factors at once:
Password to unlock your password database that stores your passkey: something you know, the password + something you have, the database
Biometric to unlock your phone that has your passkey: something you are, fingerprint or face + something you have, the phone
Forget about biometrics, they are way too insecure.
Our cameras have reached a stage where we can replicate fingerprints from photos. 'What you are' is useless when we leave part of us everywhere. And furthermore, in parts of the world, authorities can force you to unlock your device with biometrics but not with passwords.
Biometrics can be fine when they are layered on top of other authentication methods.
SMS second factor is so bad! The really dumb thing in my opinion is the place that uses SMS to factor the most is banks. Now how dumb is that?
Years ago I worked for a company whose servers were in a highly secure facility. I had to pass through a “person trap” to get in, which required three independent things to get through: something you have, something you know, and something you are.
Imagine a booth about the size of a phone booth, with doors on both sides. To open the outer door you need a card key. Once inside the outer door closes. To open the inner door you need to put your hand on a hand scanner, then enter a PIN. Only then will the inner door unlock and let you inside. I was told that the booth also weighed you and would refuse to let you through if your weight was something like 10% different from your last pass through. That was to prevent other people from piggybacking through with you.
Lots of people think that’s all overkill until I explain that it’s all to ensure an authorized person, and nobody else, could get through. A bad actor could steal my card key & might guess my PIN, but getting around my hand scan & weight would be extremely difficult.
The closer we get to this sort of multi-layer authentication with websites the happier I am. I want my bank account, etc. protected just as well as that data center…
Ok so 2fa is based on things you know (passwords) things you have (devices), and things you are (biometrics).
I could see passkeys replacing the phone portion of a 2fa, but replacing a password? That can both invalidate the point of 2fa (verifies you have a device twice) and kill the benefits of having a password (if I lose my device I can still login, if it's stolen the attacker can't access all of my accounts).
Passkeys feel so much more worse. It becomes one central point to lose everything.
it's objectively a downgrade to have to get my phone out just to sign into youtube. i broke my phone screen and couldn't sign into my damn bank until i got it fixed because they making me verify with a text. bullshit world these days
And than there’s Google itself, notorious for blocking people’s accounts for nothing and offering zero recourse to get it back.
It certainly feels dangerous if forced upon users not aware of the trade-offs. For people already accustomed to using hardware keys, it's very much an improvement, as more services will support them too. The problem is in the awareness. On the other hand, people already treat regular passwords as throwaway data and expect services to just let them in, or even never log them out. In this scenario, maybe passkeys can still be an improvement: roughly just as much as enforcing using a password manager.
I highly recommend using something like Bitwarden or 1password (which can manage both passwords and passkeys), and then generating a passphrase using a method like Diceware. If you're paranoid you might prefer rolling your own with Keepass but for most people that's going to be a lot of work. I think 1password's model is about as secure as you could hope for while still trusting a 3rd party. Definitely avoid Lastpass. In addition to widely reported breaches, they don't even fully encrypt your data; only the password portion is encrypted while usernames and site data are plaintext.
For some reason I thought The Verge was better about having transcripts for their podcasts. I was kinda interested but not around 28 minutes of audio interested. 😞
Eh... No, thanks.