Welcome to Incremental Social! Learn more about this project here!
Check out lemmyverse to find more communities to join from here!

Big Tech passkey implementations are a trap | Proton

  • Big Tech has implemented passkeys in a way that locks users into their platforms rather than providing universal security
  • Passkeys were developed to replace passwords for better account security, but their rollout by Apple and Google has limited their potential
  • Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.
phoneymouse ,

Not commenting on the merits of the blogpost’s arguments, but Proton is selling their own product here too

StereoTrespasser ,

And if you believe in our mission and want to help us build a better internet where privacy is the default, you can sign up for a paid plan to get access to even more premium features.

Translation: don't give those other guys money, give us your money!

yamanii ,
@yamanii@lemmy.world avatar

The horrors of giving money to a company that actually cares instead.

Coasting0942 ,

They’re closer to a cooperative.

EncryptKeeper ,

Well no, their call to action isn’t to not give anyone else money. They didn’t have anything negative to say about their competition like 1Password. They’re just warning you about the shady things Google and Apple are doing specifically. And as an alternative they’re offering their own solution instead, which also doesn’t cost any money.

QuantumSparkles ,

As a fan of Proton services I don’t like “blog posts” from companies where the solution to a problem is just their product, regardless of who the company is

EncryptKeeper ,

Proton enabled passkeys in their free tier. So ultimately, yes by using their free tier and being safe in the thought that you can always leave if you want, that might drive you to pay for a paid plan.

But companies trying to earn your business by offering you a good honest product is not at all the same as a company using anti-consumer practices to keep you from leaving lol.

AA5B ,

As someone who is not familiar with photon, I love to see a vendor presenting a feature with a technical discussion, even if they’re also selling it. As far as I can tell, no one was hiding intent, no one was directly selling, so “well done”. Or maybe I just agree with the premise, I dunno

mypasswordis1234 , (edited )
@mypasswordis1234@lemmy.world avatar

I noticed that recently every post on Proton's blog has been an advertisement of their services.

They are hypocrites.

A few days ago they posted that corporations are bad because they collect fingerprints, profile users, etc., yet they are no better, as their mobile apps rely on Firebase Cloud Messaging (FCM) owned by Google to deliver notifications to their users.

In 2020 they wrote that they "may offer alternative push notification system", but apparently shitting on corporations is easier than making actual changes. Four years ago.

LodeMike ,

That's a google services issue. That's Google's fault.

EngineerGaming ,
@EngineerGaming@feddit.nl avatar

It was their choice to not exclude this knowingly-evil service from their applications though.

LodeMike ,

Yes. It's still the fact that Google monopolizes shit. Same thing with Apple by the way.

EngineerGaming ,
@EngineerGaming@feddit.nl avatar

But there are apps that have been built with Google-independent notifications. Proton could have supported UnifiedPush, for example, yet they decided not to.

LodeMike ,

Yes

capital ,

If I can't add your passkey to my Bitwarden vault, I'm not using your passkey.

FrankTheHealer ,

Yeah or if they only offer 2FA via SMS. Like 1) it's not even that much more secure and 2) it's just more awkward.

But I also hate how Steam and Blizzard only allow you to verify logins in their mobile app. Fucking ridiculous.

EngineerGaming ,
@EngineerGaming@feddit.nl avatar

It is stupid that they not only require the app to be present, but to verify each and every trade. Even those for items that drop to everyone for free. Good thing it does work in an Android VM but still - very annoying.

Serinus ,

Bitwarden proper wants $40/year to have two users sharing passwords. You might try Vaultwarden?

hperrin ,

That doesn’t seem unreasonable at all for not having to host your own server.

Serinus ,

That's with hosting your own server. Unfortunately I only discovered this paywall after sending them $10 out of good will.

Of course it's open source, so it's certainly possible to break their DRM, and if it were something less sensitive I would.

I still might, but VaultWarden looks like a better alternative.

hperrin ,

Nowhere on their pricing page does it say you need to host your own server.

sugar_in_your_tea ,

I pay $10/year for my wife and I, total. The $40 is if you want 3-6 people. AFAIK, you still need to pay if you self-host and use the premium features, but you can self host on the free plan as well.

$10/year for my wife and I is completely reasonable, and I'd pay the $40/year if my kids needed their own accounts. It's a fantastic service.

Serinus ,

If you self host you need the $40 plan for two people. Seems kinda backwards, doesn't it?

Yeah, they absolutely don't make that clear or I wouldn't have gone with Bitwarden.

sugar_in_your_tea ,

Really? It says it's supported for each account type. It looks like you don't even need the $10/year account anymore for sharing with one other user.

Serinus ,

You'd think that based on your link, wouldn't you. I did.

My support ticket response:

Hi Serinus,
​There actually isnt a mistake what you are reading is the pricing page for premium individuals, which you already have.
But if you check our pricing page for orgs and you are in the free org, you will see that you cannot self-host the free org, as seen here.
You can find more information here; https://bitwarden.com/help/password-manager-plans/#compare-personal-plans
I hope you find this clear and helpful.
Kind regards,
A
Follow Bitwarden on social media:

Serinus ,

https://lemmy.world/pictrs/image/9bdcebd6-1170-4093-a2b3-e3240ce92f75.png

sugar_in_your_tea ,

Your issue is creating an org. The free tier allows again one collection with one user. So don't create an org, share a collection.

Serinus ,

One user can't share a collection with another user. An org is required to share.

sugar_in_your_tea ,

I'll have to check. I haven't self-hosted mine yet, but I thought the collection share I do with my wife is different.

You could very well be right, which would be disappointing.

Serinus ,

If you discover anything different, I'd love to try it! Currently we're either going to share a single login (which might get odd with 2fa devices) or just use VaultWarden.

EngineerGaming ,
@EngineerGaming@feddit.nl avatar

If I can't add your passkey to my local KeepassXC database, I am not using your passkey.

capital ,

You can also host it yourself.

https://bitwarden.com/blog/host-your-own-open-source-password-manager/

EngineerGaming ,
@EngineerGaming@feddit.nl avatar

Yea, I know. But my preference is for my password manager to not be cloud at all.

capital ,

I don’t mean to be pedantic but self hosted isn’t cloud.

LodeMike ,

Doesn't it require cloud activation?

capital ,

It requires a key and id they generate.

https://bitwarden.com/help/install-on-premise-linux/

Though from the instructions, I’m not sure if the install needs continuing communication outbound to function.

EngineerGaming ,
@EngineerGaming@feddit.nl avatar

Yea, I understand, and it's a perfectly valid choice. But does that disregard people's preference to not bother with this at all?

capital ,

I don’t think I understand the question.

To be clear, the alternatives are valid choices.

EngineerGaming ,
@EngineerGaming@feddit.nl avatar

That was a rhetorical question. What I wanted to say was basically "if it is only supported by Big Tech walled gardens and some open, selfhostable cloud password managers, I am not using such passkeys, because for me it is far more comfortable to have my password manager fully offline".

Woovie ,

Why are us nerds like this? No one asked, please dont.

PM_Your_Nudes_Please ,

I mean, they were responding to someone who sounded like they were acting superior for self-hosting their password manager. This person chimed in with “well you can self-host Bitwarden too”. And now you’re upset because they offered a direct counterpoint, and furthered a conversation?

skeezix ,

This is a guy who planted some Cheerios because he thought they were donut seeds.

A_Random_Idiot ,
@A_Random_Idiot@lemmy.world avatar

Eh, easier to just use the same password for everything.

I use 12345, personally.

capital ,

Huh.. same as my luggage.

answersplease77 ,

what are passkeys? like biometrics fngerprints or facisl recognition you mean?

Passerby6497 ,

No, it's like a security certificate to authenticate. It's a secret that your key vault presents to the site to validate that you're who you say you are.

answersplease77 ,

like an encryption key? or cookies?
I'll try to look up how they work

Passerby6497 ,

Exactly like an encryption key. Here's a video from Security Now with Steve Gibson (a well known security researcher) who explained it in a fairly approachable fashion. That link should start at the beginning of that segment, about 1:31:00 in.

EncryptKeeper ,

They’re the private half of a public/private key pair, much like how you make encrypted connections to websites.

The gist of passkeys are that the secret you’re using to login to your accounts is stored on your device (Or in your password manager) and is never sent to or stored on the server. So if a website you have an account on is breached, unlike with a password, your passkey can’t be stolen, because they don’t have it.

Similarly, your passkey can’t be phished. If a malicious actor directed you to a fake login page and you didn’t notice and entered your password into the fake login form, they now have stolen your password. But because your passkey is not sent to the server like a password, the fake login page wouldn’t get anything.

And because your passkey isn’t something you have to remember, you can’t create an insecure one like with a password, and you can’t reuse the same one for different accounts.

MIDItheKID ,

I can wrap my head around the secret being stored in your device, but what happens when you go to a different device?

Let's say for example, I am at my friend's house, and for one reason or another, I don't have my phone. My Gmail account is passkey locked, but I need to check my email from my friend's laptop. Would that require that I install passkey on their laptop, and log in to my passkey account? Does that also mean that if I forget to log out of passkey, they can access all of my accounts correlated with my passkey account? If that's the case, what happens if my passkey account is compromised? All of my accounts are linked to a single point of failure?

A friend of mine had to break out some kind of USB dongle to log into his Google account on a new machine the other day. Is that a form of passkey? What happens if that dongle gets lost/stolen/broken? Or what if you just forgot it at home? Are you SOL?

I am all for more security and less password remembering, but I hop around a lot of computers.

EncryptKeeper ,

account is passkey locked, but I need to check my email from my friend's laptop. Would that require that I install passkey on their laptop

Yes but you would not want to do that. I can’t imagine a scenario where you could make it to your friends house without your phone, and also need to check your email so bad that you borrow their laptop, but in that case you would not be able to log in. Unless your passkey for that service is stored in your password manager, in which case you’d have to log in to that first.

Does that also mean that if I forget to log out of passkey, they can access all of my accounts correlated with my passkey account?

There is no “Passkey account”, it’s not a service or an app. It’s a file stored either on your device or in your password manager.

what happens if my passkey account is compromised? All of my accounts are linked to a single point of failure?

I already brought up that you have no “passkey account” to compromise, but if your passkey was somehow stolen, the only thing compromised would be the service that passkey is for.

A friend of mine had to break out some kind of USB dongle to log into his Google account on a new machine the other day. Is that a form of passkey?

You can get hardware devices to store passkeys on, yes.

What happens if that dongle gets lost/stolen/broken? Or what if you just forgot it at home? Are you SOL?

If it’s lost or stolen you’d want to make new passkeys yes. If you forgot it at home, you wouldn’t be able to log in if the hardware device was the only thing you had a passkey stored on.

I wonder how often you truly forget important every day articles at home, despite you needing to get connected to things at a moments notice. I don’t think I’ve forgotten my phone anywhere once in the last 15 years.

The thing is, all these scenarios you’re coming up with are no different for passkeys than they are for complex, unique, secure passwords. It sounds like your usual MO is being able to recall your password (In the case you’ve forgotten your phone and are in a borrowed device), which means your passwords likely aren’t secure, and you’re probably reusing them, which is more of a “single point of failure” than passkeys ever could be.

Honestly, my advice to you is before you even start considering passwords vs passkeys, you need to fix yourself up man. You need to get your shit together a lil bit.

Spotlight7573 ,

Let’s say for example, I am at my friend’s house, and for one reason or another, I don’t have my phone.

If you need to log into your friend's laptop to check your email, you would need your phone or some other passkey you had set up for your account, yes, as long as that was the only login method you have setup on your account. If you don't have your phone, you might not be able to pass the two-factor steps or account login location checks many accounts. If Google finds the new login attempt suspicious for some reason, it will ask for additional checks like a code sent to your email or through a text and you may not be able to log in with just the password anyways. Just because you have the right username and password, it doesn't mean that a service may let you log in without access to some kind of other trusted information accessible on an existing device.

Overall though, think of it like forgetting your physical keys.

Does that also mean that if I forget to log out of passkey, they can access all of my accounts correlated with my passkey account?

Yes, the same as if you had left your physical keys there and those keys provided access to all your accounts. There may be some technical protections like the timeout until it locks on a password manager but that's up to the password/passkey manager app to implement and for the OS to guarantee the security of. It's no different from loading up your password manager on the device. If you don't trust the device or the owner of the device, you should not access your password/passkey manager on it.

what happens if my passkey account is compromised? All of my accounts are linked to a single point of failure?

The same thing that happens if your password manager is compromised: you secure it (rotate encryption, create a new database, however you want) and then you set about updating new passwords and passkeys for your accounts. That's why it's recommended to only have your actual password/passkey manager on something you trust (your phone, your computer, etc) and use that device as the passkey for whichever other device your logging into rather than loading up your password/passkey manager on each device you're logging into.

A friend of mine had to break out some kind of USB dongle to log into his Google account on a new machine the other day. Is that a form of passkey?

It's a form of WebAuthn credential most likely, yes. Passkeys aren't actually entirely new in how they can be used with accounts, the standards have been there for a while now. It's mainly just a unified marketing from the big players as well as developing an ecosystem around it the standard such as the protocols for using a phone via Bluetooth as a passkey on a desktop/laptop to log in and other things like syncing the passkeys between devices using their existing password manager services for user convenience (so that the average person can actually use them). Under the hood it's still WebAuthn for the actual authentication. Hardware security keys that connect via USB, Bluetooth, or NFC have been around for a while but have usually operated in nonresident key mode where they've been used for second factor authentication. Nonresident key mode has the advantage of storing the private key in an encrypted format with the website or service your logging into, meaning that the actual hardware key doesn't need to have any storage capacity and can work with an infinite number of sites. This has the disadvantage that you have to provide a username (and typically a first factor like a password) to lookup which keys should be used (ie the ones associated with a specific account). That is probably how your friend logged in with a USB dongle. WebAuthn credentials that operate in resident key mode like passkeys do on the other hand store both the information related to identity and authentication, meaning that all you have to do is select the account you want to log into. This requires that they are stored on a trusted device like a phone, a laptop, or a hardware security key dongle that has storage.

What happens if that dongle gets lost/stolen/broken? Or what if you just forgot it at home? Are you SOL?

Again, the same thing that happens when you forget your physical keys for your car or home. You can't access the thing protected by them until you go get them. The alternative is to bypass the normal authentication workflow and work around it, such as with an account recovery process (similar to getting a locksmith to get back into your car or home).

I am all for more security and less password remembering, but I hop around a lot of computers.

Then you'd probably like being able to log in by just unlocking your phone and confirming things, rather than having to go through a password lookup and one time code entering process each time.

MIDItheKID ,

Cool, thanks for the info. This is something I have wanted to setup for a little while now, I just didn't understand all of the nuances.

Natanael ,

Asymmetric cryptographic signing keypairs. An ECDSA variant is used to create and validate signatures. Your device creates a unique keypair per domain you register on. It only sends signatures, which doesn't reveal what the secret key is, and each signature is based on a single use challenge value.

Spotlight7573 , (edited )

Passkeys are a way of doing public/private key-pair crypto to prove that you are in possession of the private key that corresponds to the public key that was registered with a site or service when you added the passkey to the account. The use of the passkey is often protected by biometrics like the fingerprint or facial recognition systems on your device but it doesn't necessarily need to use biometrics at all if you don't want to and you can instead use a passcode to unlock your device or password/passkey manager.

Basically instead of the normal way with passwords:

  • You ---password---> website
  • Website verifies password matches, either directly to an actual stored password (bad) or through a hash they have stored

With passkeys you have:

  • You <---challenge--- website
  • You sign the challenge with a private key that only you have
  • You ---signed challenge ---> website
  • Website verifies that the signed challenge corresponds to the public key you provided when you set up the passkey

In the password scenario, the website could be following best practices and hashing the password or it could just be storing them directly and insecurely. You have no idea what really goes on inside their systems. This also means that due to reused passwords, a security breach at one site can mean problems for other sites, even if they didn't do anything wrong.

In the passkey scenario, you're not sending anything particularly sensitive to each site so it's more secure.

SniffDoctor ,

If I use a password manager with long random passwords, and use 2FAS to generate those 6-digit two factor authentication codes whenever possible (as opposed to SMS/email 2FA), is there any advantage?

Is it just that you don't actually have to type anything, just press "I approve" on your phone after entering your username?

Or is it more just designed to improve security for people like my family members who use the same ~10 digit passwords for everything?

Spotlight7573 ,

It's definitely trying to be user friendly enough that non-technical users like the family members you mention can use it to replace passwords. For your use case with a strong password and 2FAS to generate a code, it still gets rid of the phishing potential. The main advantage for the other people like your family is that they don't have to type or autofill anything, just select an account to log into or click approve on their phone. A main advantage for the service is that the user's diligence is taken out of the equation for a lot of it and they don't have to worry about a user giving their password and 2FA codes to a phisher. If a user tries to use a passkey at the wrong site (like a phishing site), it won't pop up as an option to select because the domain is wrong.

Passkeys can also help anyone who is using a service in an indirect way. The 23andMe "breach" was due to stolen credentials from other actually breached sites being used to log into accounts that have data shared with them. That 23andMe data was shared to those compromised users by people who may have actually had all their security turned up to the highest settings like 2FA but was nonetheless scraped and obtained by the bad actors anyways. If 23andMe had been using passkeys (or even magic login links in an email), there would have been no credentials from other sources to use against their 23andMe's users. Moving everyone to more secure authentication methods is in the best interest of everyone involved, it's just that typically it was a hassle to have to setup an authenticator app or a password manager for 2FA. Passkeys, when everything is working properly, finally provide both more security and more convenience for the average person than just a password and so people might actually adopt them.

viralJ ,

Could someone ELI5 (if possible) what passkeys actually are?

callmepk ,
@callmepk@lemmy.world avatar

Basically hardware keys (like YubiKey) without hardware

zewm ,
@zewm@lemmy.world avatar

So…. Software keys…

mp3 ,
@mp3@lemmy.ca avatar

a.k.a password-protected certificates

asmoranomar ,

From my understanding it's the concept of trust. Basic passwords are complete trust that both ends are who they say they are, on a device that is trusted, and passing the password over the wire is sufficient and nobody else tries to violate that trust. Different types of techniques over time have been designed to reduce that level of trust and at a fundamental level, passkeys are zero trust. This means you don't even trust your own device (except during the initial setup) and the passkey you use can only be used on that particular device, by a particular user, with a particular provider, for a particular service, on their particular hardware.....etc. If at any point trust is broken, authentication fails.

Remember, this is ELI5, the whole thing is more complex. It's all about trust. HOW this is done and what to do when it fails is way beyond EIL5. Again, this is from my own understanding, and the analogy of hardware passwords isn't too far off.

geophysicist ,

so it's basically what a SSH key is?
can I not log in to an account from my laptop if I set it up on my phone then? that seems like a massive hassle if it's the case

ShittyBeatlesFCPres ,

You setup passkeys for all your devices with biometric features. I know I have a Yubikey for my desktop, facial recognition on my phone, and a fingerprint reader on my laptop. So, I setup 3 passkeys using biometric (fingerprint or face). I also kept my password and 2FA for now because it’s all new. I wouldn’t recommend jumping in face first.

I only am using it on a few key sites and partly because I’m a web developer testing it all out. I wouldn’t advise it for the average user at the moment but it’ll mature and many password managers can store passkeys now. As it matures, I’m hopeful it becomes seamless like FaceID and fingerprint readers.

Spotlight7573 ,

It basically performs the same function as an SSH key (providing public key authentication), yes.

Your issue with logging in on your phone vs laptop can be solved by either syncing them (like the OS/Browser platforms of Google/Apple/Microsoft or a password manager like Proton Pass/Bitwarden do) or by setting up each device separately (like most people should do with SSH keys). Each method comes with trade-offs: syncing means they aren't device bound and can potentially be stolen, setting it up on each device can be a pain, etc.

The important thing to remember is that passkeys don't need to be the only authentication methods attached to an account. You can use the convenience of a passkey most of the time when it's possible and then fall back to another method (like a password/TOTP pair) when that's not available (such as when setting up a new device). There's also always the standard account recovery options if all else fails, those don't necessarily go away.

The other thing to remember is that it's not trying to be a perfectly secure solution to all authentication everywhere but to replace passwords with something better. Not having to generate and store random passwords with arbitrary complexity requirements, being able to log in with just a tap or a click, and not having anything that needs to be kept secret on the website's side can be enough of an improvement over passwords to make the change worthwhile.

geophysicist ,

If a passkey isn't device bound, what makes different/better than a complex password? Is it just the standardisation that you mention? Enforcing using passkeys becomes exactly the same as enforcing using complex passwords

Spotlight7573 ,

One key benefit regarding hacking: the data that's passed back and forth between the user's browser/app and the website/service is a challenge and a response and is no longer sensitive like a password is and the authentication related data (the public key) that the website stores for a user's account isn't useful to an attacker.

One key benefit regarding phishing: passkeys/WebAuthn credentials incorporate the domain name into part of the authentication and it's enforced by the browser. This means that using a passkey/security key on the wrong site won't give an attacker anything useful unless they also somehow control the DNS and have a valid TLS certificate to impersonate the site with. This is unlike the situation with a phishing website where a user can be tricked by a fake but convincing looking website into giving over not just a password but a one time code provided through SMS or a TOTP.

One key benefit regarding usability: The user just has to choose which account to log into from their password manager instead of having it need to autofill correctly on the website (I still run into sites that don't autofill right). They also don't need to worry about any specific password complexity requirements or changing passwords in response to breaches or password expiration times.

geophysicist ,

this makes a lot of sense, thanks!

asmoranomar , (edited )

Close, but you are still trusting the device you own. If I were to compromise that device, I could capture that key and use it. Again, this is my limited understanding, but a zero trust solution works in such a way that the actual keys are not stored anywhere. During setup, new temporary keys are generated. A keypass binds to the temporary key for use of authentication. The temporary key can be revoked at any time for any reason, whether it's due to a breach or routine policies. It can be as aggressive as it needs, and the implication is that if someone else (either you or an attacker) got issued a new temporary key then the other would not receive it. Using an incorrect temporary key would force an initialization again, using the actual keys that aren't stored anywhere.

The initialization process should be done in a high trust environment, ideally in person with many forms of vetting. But obviously this doesn't take place online, so there is the risk that your device is not trusted. This is why the process falls back on other established processes, like 2FA, biometrics, or using another trusted device. How this is done is up to the organization and not too important.

But don't get too hooked on the nuances of passwords, keys, passkeys,etc. The entire purpose is to limit trust, so that if any part of the process is compromised, there is nothing of value to share.

Disclosure: Worked in military and this seems to be a consumer implementation of public/private key systems using vector set algorithms that generate session keys, but without the specialized hardware. It's obviously different, but has a lot of parallels, the idea in this case is that the hardware binds to the private/public keys and generates temporary session keys to each unique device it communicates with, and all devices can talk with members of it's own vector set. Capturing a session key is useless as it's constantly being updated, and the actual keys are stored on a loading device (which is subsequently destroyed afterwards, ensuring the actual key doesn't exist anywhere and is non recoverable, but that's another thing altogether). My understanding of passkey systems is solely based on this observation, and I have not actually implemented such a solution myself.

Swarfega ,

I guess it's a bit like a bank card with a PIN. You go to pay for something and your card stores your credentials on it. To allow those credentials to be read you need to unlock them using the PIN.

Dark_Arc , (edited )
@Dark_Arc@social.packetloss.gg avatar

Not ELI5 level but...

If you understand SSH keys, it's basically the same thing made more general.

Whatever website (e.g. lemmy.world) has a copy of the public key, they encrypt something with the public key, you decrypt it, reencrypt it with your private key and send it back (where they can then decrypt it and verify what they got back is what they expected). By performing that round trip, you've verified you have the correct key, and the "door opens."

The net effect is you can prove who you are, without actually giving someone the ability to impersonate you. It's authentication via "secret steps only you would know" instead of authentication by a fixed "password" (that anyone who hears it can store and potentially use for their own purposes).

That's all wrapped up in an open protocol anyone can implement and use to provide a variety of (hopefully) user friendly implementations (like the one Proton made) 🙂

LemmyFeed ,

Is this an ad?

EncryptKeeper ,

It’s a PSA with an ad at the end.

aceshigh ,
@aceshigh@lemmy.world avatar

That was my observation as well. If it walks like a duck and it quacks like a duck…

Deceptichum ,
@Deceptichum@sh.itjust.works avatar

Its a witch?

Gabu ,

No, no, no. A Witch must float like a duck.

UnfairUtan ,

Any example of websites where I can try passkeys? I have both bitwarden and Proton pass to test out

filcuk ,

Github, Bitwarden itself, Cloudflare, Microsoft

OfficerBribe ,

Test site: https://webauthn.io/

Known sites: https://passkeys.directory/

AnActOfCreation OP ,
@AnActOfCreation@programming.dev avatar

I personally like the demo at https://www.passkeys.io/.

CriticalMiss ,

When vaultwarden supports this I’ll play ball. If I don’t have control over my authentication methods, then they aren’t my authentication methods.

cooopsspace , (edited )

Do you really think it's a good idea to store your password, TOTP and pass key in one place?

hydration9806 ,

Yes, as long as that place is only accessible by a physical passkey (such as a Yubikey). The risk is miniscule and the convenience is 100% worth it.

cooopsspace ,

I'm actually not sold that I should be putting all my keys in a single password manager like Bitwarden.

DreamlandLividity ,

To my bank? No.
To a Lemmy account? Yep.

Reddfugee42 ,

Treating social media accounts as irrelevant is fine as long as none of your real life friends associate with you on the same platform. Once that's the case, scammers can take over your platform and send messages to your friends telling them you're stuck and need money or other sorts of things that sound ridiculous but work all the time.

DreamlandLividity ,

I am not treating them as irrelevant, hence a password manager. But I am not treating it as fort knox. Most of my real-life friends probably don't even go that far.

EngineerGaming ,
@EngineerGaming@feddit.nl avatar

I personally settled on having TOTP in the same application but in a different database.

ikidd ,
@ikidd@lemmy.world avatar

Bitwarden does, not sure about the self-hosted version.

dantheclamman ,
@dantheclamman@lemmy.world avatar

Still waiting for the mobile app. Maybe the firefox addon would work, but would prefer the app

bitwolf ,

Vaultwarden has supported pass keys for a while.
The client app does all the hard work in this pattern.

obviouspornalt ,

Passkeys sound great. Where's the support for Firefox, Proton Pass? Bitwarden has it.

sugar_in_your_tea ,

Yup, the only missing thing for Bitwarden is the mobile app, but so far none of my apps support it, so whatever.

squirrelwithnut ,

I use BitWarden's mobile app just fine on Android.

sugar_in_your_tea ,

For passkeys? My understanding is that's not implemented yet.

squirrelwithnut ,

Oh, I totally didn't register you were talking about passkeys. lol sorry. I don't use them, so I was just talking about the BW app in general .I haven't run into any compatibility issues with it.

vhstape ,
@vhstape@lemmy.sdf.org avatar

Better yet: use a hardware 2FA token that supports passkeys

BlackEco ,
@BlackEco@lemmy.blackeco.com avatar

The issue is that most of them are limited in the amount of passkeys they can manage.

In the case of the Yubikey 5

Currently, YubiKeys can store a maximum of 25 passkeys.

https://www.yubico.com/blog/a-yubico-faq-about-passkeys/

BeatTakeshi ,
@BeatTakeshi@lemmy.world avatar

How is 25 bad? Do you need a passkey for each service /app/website? Can't you use the same key for many services? (trying to understand how they work)

BlackEco ,
@BlackEco@lemmy.blackeco.com avatar

Yes, you need a passkey per service, so you would quickly end up with your 25 slots full.

paraphrand ,

Having a key shared across sites wouldn’t be great. If it was great it would be an article talking about “passkey” not “passkeys” because you would just have one. Like some sort of Skeleton Passkey that unlocks all your shit when compromised.

lemmyvore ,

That's impossible. Passkeys were designed specifically to be impossible to share across different websites.

paraphrand ,

Well, that’s basically my point. It’s not a good idea.

BeatTakeshi ,
@BeatTakeshi@lemmy.world avatar

Thank you ; I misunderstood that one passkey could be like a fingerprint sort of

lemmyvore ,

Ideally yes, they're supposed to eventually replace all passwords. Of which I have hundreds. And yes not 100% of them will do that on the near future but a lot more than 25 will.

laughterlaughter ,

No, sharing passkeys across services is way too risky. One service gets compromised, someone gets your passkey, and then they have access to all of your services. It's the same principle with regular passwords.

Spotlight7573 ,

Uh, each service only has access to your public key, not the private one that stays with you. It's less risky than a regular password.

Even with U2F hardware keys where the server-side stores the encrypted key (to allow for infinite sites to be used with a single hardware key), it's only decryptable on your key and thus isn't that useful for someone who has compromised a service.

laughterlaughter , (edited )

Thanks. I'm still learning about this "new" technology (which already is, what, eight years?)

Natanael ,

It started with U2F which may be older?

CriticalMiss ,

I have 150 passwords in my password manager. I’m not buying 7 YubiKeys (and to be fair that’s not what they’re designated for)

BeatTakeshi ,
@BeatTakeshi@lemmy.world avatar

/aparté: being downvoted for trying to understand gives me reddit vibes well done

capital ,

Being down-voted for asking questions is bullshit. Your questions are valid and those people suck.

Natanael ,

You only need one per website if you want it to autofill the username, because resident keys held on the security token can be recognized and suggested automatically but otherwise you must first enter your username on the website and let the website send its challenge value for the corresponding domain and account pair so that your security token can respond correctly.

mp3 ,
@mp3@lemmy.ca avatar

It depends on the passkey type (resident vs non-resident keys)

BlackEco ,
@BlackEco@lemmy.blackeco.com avatar

Right, now I remember reading about that, I forgot.

hydration9806 ,

Passkey = Resident Key

Nonresident keys are not passkeys, they are solely a second form of authentication meaning the service you are logging into still requires a password.

Spotlight7573 ,

Couldn't a site theoretically use a nonresident key with just a username, in place of a password?

This seems to imply it might be possible:

https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Resident_Keys.html

Discoverable Credential means that the private key and associated metadata is stored in persistent memory on the authenticator, instead of encrypted and stored on the relying party server. If the credentials were stored on the server, then the server would need to return that to the authenticator before the authenticator could decrypt and use it. This would mean that the user would need to provide a username to identify which credential to provide, and usually also a password to verify their identity.

hydration9806 ,

For sure, but that still isn't a passkey. The method you are talking about is the equivalent of non-passphrase protected SSH protocol, which is a single form of authentication (i.e. if someone has your security key they have your account).

The term passkey implies MFA: having a physical key and a password, a physical key and a fingerprint scan, or equivalent.

Sure the username could be considered the password, but usernames are not designed to be protected the same way. For example, they typically are stored in clear text in a services database, so one databreach and it's over.

Dark_Arc ,
@Dark_Arc@social.packetloss.gg avatar

Eh... That's not exactly a silver bullet or necessarily "way better"; it's got a lot of usability issues.

You really only want to do that for your most important sites and then you want to use multiple passkeys to make sure you retain access.

AWittyUsername ,

Yeah I've avoided passkeys. Anything that Google is pushing to me is always in their interests.

Dark_Arc ,
@Dark_Arc@social.packetloss.gg avatar

That is not the takeaway here.

The takeaway is Passkeys are great technology but as implemented by Google, Microsoft, and Apple fall short of what they could be.

isles ,

Are we talking in circles here? "I avoid passkeys because of Google" "Passkeys implemented by Google have problems"

ItsMeSpez ,

Are we talking in circles here?

No. "I avoid passkeys because of Google" is avoiding an entire technology because of a bad implementation. "Passkeys implemented by Google have problems" is only avoiding passkeys implemented by Google, leaving using passkeys still on the table.

EncryptKeeper ,

The way out of the circle that you’ve put yourself in is realizing Google isn’t the only company implementing passkeys.

johannesvanderwhales , (edited )

And that most people are in multiple ecosystems...e.g. Android/iOS + Windows. So they can't use a solution that's not interoperable.

EncryptKeeper ,

Fortunately there are several interoperable solutions now. There weren’t as recently as last year though.

EncryptKeeper ,

Google pushed email accounts to you, do you not have an email address either?

dditty ,
@dditty@lemm.ee avatar

Email was already ubiquitous and generally standardized by the time Gmail released in 2004.

EncryptKeeper ,

Asymmetric cryptography has been ubiquitous and generally standardized by the time Google began letting you store Passkeys, so what’s your point?

Is Google supporting a particular service or system a dealbreaker for you or not? Because Google has far more fingers in the public operation of email than it does passkeys. So if you’re still ok with having an email account, then you should be just as ok with using passkeys.

AA5B ,

I’m not locked into Gmail: I know it implements standards and I choose it as long as it is most convenient.

A lot of what comes into my gmail account is actually addressed to various aliases from various providers, and I can point those aliases anywhere

In particular, all my recent online accounts use unique generated email addresses that I can disable at will, and that forward to my actual email

EncryptKeeper ,

Well that’s great news, then you’ll like passkeys because you can use them without being locked into anything.

AA5B ,

A lot of my hesitation is that not only are passkeys being pushed by the big vendors AND they seem to have a less than portable implementation BUT ALSO they don’t seem to give enough details. Everything is dumbed down for the less technical until it means nothing

I like that this thread already has more actual information than all the outreach of the big vendors over months

Natanael ,

The spec behind it is solid, it creates per-domain cryptographic keyspairs which allows your device to prove you're you in a standardized and secure way while avoiding adding a new way to track you across sites, and by using the device's TPM chip to hold the key it's also resistant to most types of manipulation.

johannesvanderwhales ,

People not getting phished is in their interests. That doesn't mean it's not in yours.

Spotlight7573 ,

People getting their accounts compromised leads to spam email, spam comments, fake crypto livestreams, etc that impact others. Google definitely has an interest in preventing people from getting their accounts compromised and not just for the benefit of the individuals with the accounts but their platforms as a whole.

ILikeBoobies ,

Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.

I wonder if there could be any bias in Proton claiming their product is the best

ikidd ,
@ikidd@lemmy.world avatar

I'd trust them miles before Google or Apple. Hell, they dropped the prices on some of their products when they found ways to provide them cheaper. Proton is a good company.

vermyndax ,

That doesn't mean they will be around forever. Economic realities care little about whether a company is good or not.

Andrenikous ,

In fact history has shown the good die out or become corrupt. Still using them for now though.

timbuck2themoon ,

Iirc you can export everything. Most allow export of passwords of course but i think proton allows export of passkeys too.

So there's portability if they ever do disintegrate.

gian ,

True, but this is valid for every company.
Let's say that since the company is Swiss based and, AFAIK, not quoted maybe they are not driven by the "the next quarter is all that matters" mentality of many quoted (US) companies.
There is a smaller chance that they will do something stupid to monetize more just to be ok next quarter (while risking to lose everything the next one) and will be there as long as they provide a value to the customer for the paid price.

sunbeam60 ,

Well of course. It’s still right - the ecosystem lock-in is insane. There needs to be a standard for cloud to cloud transfer between providers.

Or you know, use Proton Pass or 1Password.

Reddfugee42 ,

Do you typically just take people's word for their claims or do you do cursory research?

Swarfega ,

It seems no matter what new advancements we make in technology the big tech companies seek nothing more to implement it in a way that benefits themselves. Regardless if it means fucking over the consumer.

I really hate what the internet has become over the last couple of years.

Tak ,
@Tak@lemmy.ml avatar

That's capitalism for you. They're not interested in making things better, they're interested in making more profit.

sunbeam60 ,

Correct. But often that only happens if they make things better for you.

EncryptKeeper ,

On the contrary, companies making a profit by making things better for you as a concept is pretty close to extinct. See corporations realized they don’t have to make better products if they just box out the competition so that you no longer have a choice. Theres even a term for it now, because practically every company across every industry is doing it, enshittification. Charging more for inferior projects is the new goal.

A company that grows itself by making a better product is an objective rarity in the modern world.

dinckelman ,

The way Apple or companies like Paypal implement two-factor authentication, let alone passkeys, drive me up the wall. This all could have been so much better.

I’m not even going to mention all the platforms that rolled out passkey creation support, but not passkey login support, for whichever damn reason

plz1 ,

Yeah, Apple 2FA is infuriating, especially since you can do all factors from the same device. Kind of defeats the purpose of traditional 2FA/MFA. Also, companies that decide you 2FA experience has to use their app, instead of a standards-compliant TOTP app of your choosing....ugh.

WolfLink ,

Traditional 2FA (assuming you mean apps with codes) can be done from the same device (if you have the app with the codes installed on that device).

It doesn’t defeat the purpose of 2FA. The 2 factors are 1. The password and 2. You are in possession of a device with the 2FA codes. The website doesn’t know about the device until you enter the code.

plz1 ,

Yeah my point is it does not protect the local device well. It does protect well from remote compromise though.

9point6 ,

The factors are:

  • Something you have
  • Something you are
  • Something you know

Here the password is something you know and the device is something you have (typically also protected by something you are, like your fingerprint or face)

Someone with your phone but no password or fingerprint is SOL. Someone with your password but not your phone also SOL

paraphrand ,

If you think forcing everyone to carry an object other than their phone around so they can use 2factor on their phone is a good idea... Or if you said I need to go to my laptop when I’m logging in on my phone and vise versa… that’s nonsense too. Sure maybe some companies require this. But that’s different.

Authy on my phone is just as “dumb” as Keychain on my phone.

How else are you imagining this should work? Keep in mind normal people need to do it too.

sudneo ,

I bring my yubikey with me, it's in my keychain.
This is not only more secure against phone theft/access, which probably is not very relevant for most people, but it spreads the risk of locking yourself out.

For example, I was in Iceland with my girlfriend and she "lost" her phone. We wanted to locate it, so I logged to Google for her, which asked 2FA. If she used her phone, she would have been toast. Instead I made her use yubikeys too, and she just logged in and found her phone.

Obviously you can lose your hardware tokens too, but it's generally less likely (you take out your home keys way less than your phone, for example). You can also backup your TOTP on multiple devices etc., of course.

plz1 ,

If I'm on my laptop, and the 2fa code shows on that same laptop, it defeats the purpose of it. The point is sortation of security privileges, ask this just adds more work while providing no less security to the device. It does protect you from remote compromise, though.

jkrtn ,

It doesn't defeat the purpose of it, as you indicate, it can protect from remote attacks.

AA5B ,

Also most or all of these should require some for of local authentication.

For example I have 2fa apps on my phone, where I need to use them, so yes, that’s less than ideal. However

  • it protects against remote attacks
  • it protects against SIM attacks
  • and even if someone stole my phone and unlocked it, they’d still need my face id for every use
AA5B ,

For Apple, it’s your iCloud account that everything depends on, and it’s the weakest point. Not by itself maybe, but in practice there needs to be a way to reset your iCloud password, even without your phone. Currently I believe that’s just an Apple representative asking life questions, but that information is mostly publicly available. There needs to be a better way.

A physical 2fa device may be just what we need to securely rest our iCloud passwords, keeping everything else more secure

paraphrand ,

That’s a fair point. iCloud Keychain is a single point of failure.

friend_of_satan ,

PayPal for sure, because at one point they actually removed the ability to use a hardware mfa token.

A little known fact about iCloud is that you can use hardware MFA tokens. I think this feature was just recently released though. They force you to enroll at least two tokens too, which is a nice safety. I set this up about a month ago and it's been great.

CaptDust ,

I'm very excited for the concept of passkeys, but indeed it is a bit of a mess right now. Android password managers can't use passkey inside other apps, basically limited to just the browser. I hope it all gets sorted soon and everyone sticks to an open standard compatibility.

I want to be able to export my passkeys and take them with me to any other chosen passkey manager.

EngineerGaming ,
@EngineerGaming@feddit.nl avatar

I have hopes for a normal implementation because KeepassXC does have passkeys now.

BeatTakeshi ,
@BeatTakeshi@lemmy.world avatar

Same; I hope the EU does something before it's a total mess

mp3 ,
@mp3@lemmy.ca avatar

The idea of a passkey is that it is a security certificate that permanently bound to the software/hardware and can't be exfiltrated, in the same fashion you'd make one SSH private key per device connecting to a server, never leaving the computer it was generated from. Or how you'd keep your primary PGP keys in a safe location and deploy a unique subkey per device to use it. That way you can revoke an individual subkey if compromised, without revoking the entire chain.

You don't backup your Passkeys, you associate multiple passkeys per account (ie: ProtonPass, Bitwarden, Yubikeys) as a contingency.

If you can back it up, it can be stolen.

CaptDust ,

Hmmm see this is how I thought it worked but then Google and Apple providers are syncing passkeys around devices without issue? There are definitely backups and cloud syncs happening. I'm aiming to use an OS agnostic provider like 1password which I'd expect to sync across hardware- but with everything in its infancy I'm not sure how that shakes out.

But tbh that does bring up another concern of mine: I have some 200+ accounts, assuming a passkey world where everything is using them, if a user wanted to change ecosystems it seems they will need to visit every service, edit the account and reconfigure their keys instead of transferring the private keys into the new ecosystem? Sounds like a nightmare!

Spotlight7573 ,

For the accounts that are highly important, you might want to use only keys that are bound to a device like a computer, phone, or hardware security key. This would require a bit of manual management as you swap out devices and hardware keys but for a limited number of important accounts this should be feasible. For all the other general accounts, storing them in a password manager can continue to be the most convenient way to use them. The Google/Apple/Microsoft solutions take this second approach and allow them to be synced across devices.

As for the portability, it's still relatively early and I don't think there's a standardized format to export passkeys into. It's only a matter of time before things settle down and different password/passkey managers support importing and exporting to at least one format that will work.

mp3 ,
@mp3@lemmy.ca avatar

syncing passkeys around devices without issue?

they are syncing, but under no circumstances it let you see the passkey's private key in a format that you can import elsewhere, which reduce the amount of damage that can be done, but still if an attacker gain access to your Google account and its "password manager" (or any other password managers tbh) it's mostly game over at that point.

Personally I don't have all my passkeys on a physical device, they're mostly stored in my Bitwarden vault for the convenience of multi-device sync, and the important accounts that offers SSO into other services (Google, Facebook, Amazon, Apple, plus Bitwarden) are protected by multiple hardware tokens with a Passkey for redundancies.

Security is as strong as its weakest link.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • technology@lemmy.world
  • random
  • incremental_games
  • meta
  • All magazines
    •