Technology

I have never understood the goal of passkeys. Skipping 2FA seems like a security issue and storing passkeys in my password manager is like storing 2FA keys on it: the whole point is that I should check on 2 devices, and my phone is probably the most secure of them all.

If you're using a hardware token to replace passwords, you're doing 2FA wrong

Dunno, we rolled it out without issue. But of course they also had keepass. You want password AND (TOTP token or hardware token)

Passkeys are also weirdly complex for the end user too, you can't just share passkey between your devices like you can with a password, there's very little to no documentation about what you do if you lose access to the passkeys too.

Yeah I didn't understand passkeys. I'm like why is my browser asking to store them? What if I'm using another browser? Why is my password manager fighting with my browser on where to store this passkey?

I felt so uneasy.

So I decided not to use passkeys for now until I understood what's going on.

I just wish that companies enabling passkeys would still allow password+MFA. There are several sites that, when you enable passkeys, lock you out of MFA for devices that lack a biometric second factor of authentication. I'd love to use passkeys + biometrics otherwise, since I've often felt that the auth problem would be best solved with asymmetric cryptography.

EDIT: I meant to say "would still allow passkeys+MFA." hooray for sleep deprivation lol.

I am very shitty on security (I would not write this reply on a post on the cybersecurity community), and I resisted MFA for several years as being too annoying having to login to mail/SMS. After finding open source apps supporting TOTP, I feel better about it and I manually do the syncing by just transferring the secrets between my devices offline.

Passkeys are another foreign thing that I think I will get used to eventually, but for now there are too many holes in support, too much vendor lock-in (which was my main distaste for MFA, I didn't want MS or Google Authenticator), and cumbersome (when email and SMS were the only options for MFA, difficulty of portability for passkeys).

The problem with passkeys is that they're essentially a halfway house to a password manager, but tied to a specific platform in ways that aren't obvious to a user at all, and liable to easily leave them unable to access of their accounts.

Agreed, in its current state I wouldn‘t teach someone less technically inclined to solely rely on passkeys saved by the default platform if you plan on using different devices, it just leads to trouble.

If you're going to teach someone how to deal with all of this, and all the potential pitfalls that might lock them out of your service, you almost might as well teach them how to use a cross-platform password manager

Using a password manager is still the solution. Pick one where your passkeys can be safed and most of the authors problems are solved.

The only thing that remains is how to log in if you are not on a device you own (and don’t have the password manager). The author mentions it: the QR code approach for cross device sign in. I don’t think it’s cumbersome, i think it’s actually a great and foolproof way to sign in. I have yet to find a website which implements it though (Edit: Might be my specific setup‘s fault).

I do think that we need more standard procedures around what a reset/authorize new device looks like in a passkey world. There's a lot about that process that just seems like it's up to the implementer. But I don't think that invalidates passkeys as a whole, and most people are going to have access to their mobile device for 2 factor no matter where they are.

Incidentally I have no idea who this is or whether his opinion should be lent more weight.

His "just use email" like that isn't very obviously worse in every respect kind of undermines his whole premise.

Whenever I read an article about security (and read the comments, even here on Lemmy) I'm constantly frustrated and depressed by a couple of things.

1. Corporations making things shittier with the intention of locking customers in to their stupid proprietary ecosystem. And of course, they are always seeking more data harvesting. Security itself is way down the list of their priories, if it's even there at all.

2. Users being lazy trend-followers who quickly sacrifice their security on the altar of convenience and whatever shiny new FOMO thing is offered up for "better security".

It's a very bad combination. Doing security right is a bit inconvenient (which users hate) and expensive (which corporations hate).

There was a related news recently, that bitwarden and other pw managers will be able to sync passkeys between devices. Won't that solve these issues?

Passkeys are only good if they aren't in a online password manager. They are better than TOTP 2FA in terms of security and phishing resistance. I see 2FA as a last resort when someone even gets into my password manager. Storing passkeys completely makes this useless, as I'm sure anyone that can log into my accounts would've done so by getting a hold of my unencrypted password manager database. Unless android provides a real offline way of storing passkeys in the device, I am not interested alot.

With a password manager I'd argue its better but supports still not all there yet. I am waiting on bitwarden right now to support mull, basically its blacklisted, but it was added in the last 2 weeks so now its a waiting game.

thats close to what i have been fucking saying and getting hate for.

so im glad someone has written it on a damn blog to legitimize it?

Just. Use. A. Fucking. Password. Manager.

It isn't hard. People act like getting users to remember one password isn't how it's done already anyway. At least TFAing a password manager is way fucking easier than hoping every service they log into with "password123" has it's own TFA. And since nearly every site uses shit TFA like a text or email message, it's even better since they can use a Yubikey very easily instead.

Passkeys are a solution looking for a problem that hasn't been solved already, and doing it badly.

All the major password managers store passkeys now. I have every passkey I’ve been able to make stored in Bitwarden, and they’re accessible on all my devices.

Article is behind the times, and this dude was wrong to “rip out” passkeys as an option.

I wish all sites using 2FA would just support hardware keys instead of authenticator apps. It's so much easier to login to a site by just plugging in my hardware key and tapping its button, than going to my authenticator app and typing over some code within a certain time.

It's even sinpler than email 2fa or sms 2fa or vendor app 2fa.

For authenticator app you also can't easily add more devices unless you share the database which is bad for security. For hardware security key you can just add the key as an additional 2fa, if the site allows it.

I thought passkeys were supposed to be a hardware device?

This is typical embrace/extend/extinguish behavior from the large platforms that don't want their web-SSO hegemony challenged because it would mean less data collection and less vendor lock-in.

The whole idea of passkeys provided by an online platform should have been ruled out by the specification. It completely defeats the purpose of passkeys which is that the user has everything they need to authenticate themself.

I disagree with most of those arguments in the article… Additionally, there is nearly no passkey using service that does require you to still have PW and 2FA login active even if you use passkeys

We are right now in the learning/testing phase. It is not a flip and suddenly only passkey work. Transition to passkey only will be a very long time, like it was for 2FA, like, my girlfriend has it on, only at about 2 services, lol.

The main problem I have is, that people without knowledge get grabbed into walled gardens using passkeys. People with knowledge know that you can use alternative apps for passkeys, like proton or strongbox (keepass).