Welcome to Incremental Social! Learn more about this project here!
Check out lemmyverse to find more communities to join from here!

Big Tech passkey implementations are a trap | Proton

  • Big Tech has implemented passkeys in a way that locks users into their platforms rather than providing universal security
  • Passkeys were developed to replace passwords for better account security, but their rollout by Apple and Google has limited their potential
  • Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.
ILikeBoobies ,

Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.

I wonder if there could be any bias in Proton claiming their product is the best

ikidd ,
@ikidd@lemmy.world avatar

I'd trust them miles before Google or Apple. Hell, they dropped the prices on some of their products when they found ways to provide them cheaper. Proton is a good company.

vermyndax ,

That doesn't mean they will be around forever. Economic realities care little about whether a company is good or not.

Andrenikous ,

In fact history has shown the good die out or become corrupt. Still using them for now though.

timbuck2themoon ,

Iirc you can export everything. Most allow export of passwords of course but i think proton allows export of passkeys too.

So there's portability if they ever do disintegrate.

gian ,

True, but this is valid for every company.
Let's say that since the company is Swiss based and, AFAIK, not quoted maybe they are not driven by the "the next quarter is all that matters" mentality of many quoted (US) companies.
There is a smaller chance that they will do something stupid to monetize more just to be ok next quarter (while risking to lose everything the next one) and will be there as long as they provide a value to the customer for the paid price.

sunbeam60 ,

Well of course. It’s still right - the ecosystem lock-in is insane. There needs to be a standard for cloud to cloud transfer between providers.

Or you know, use Proton Pass or 1Password.

Reddfugee42 ,

Do you typically just take people's word for their claims or do you do cursory research?

capital ,

If I can't add your passkey to my Bitwarden vault, I'm not using your passkey.

FrankTheHealer ,

Yeah or if they only offer 2FA via SMS. Like 1) it's not even that much more secure and 2) it's just more awkward.

But I also hate how Steam and Blizzard only allow you to verify logins in their mobile app. Fucking ridiculous.

EngineerGaming ,
@EngineerGaming@feddit.nl avatar

It is stupid that they not only require the app to be present, but to verify each and every trade. Even those for items that drop to everyone for free. Good thing it does work in an Android VM but still - very annoying.

Serinus ,

Bitwarden proper wants $40/year to have two users sharing passwords. You might try Vaultwarden?

hperrin ,

That doesn’t seem unreasonable at all for not having to host your own server.

Serinus ,

That's with hosting your own server. Unfortunately I only discovered this paywall after sending them $10 out of good will.

Of course it's open source, so it's certainly possible to break their DRM, and if it were something less sensitive I would.

I still might, but VaultWarden looks like a better alternative.

hperrin ,

Nowhere on their pricing page does it say you need to host your own server.

sugar_in_your_tea ,

I pay $10/year for my wife and I, total. The $40 is if you want 3-6 people. AFAIK, you still need to pay if you self-host and use the premium features, but you can self host on the free plan as well.

$10/year for my wife and I is completely reasonable, and I'd pay the $40/year if my kids needed their own accounts. It's a fantastic service.

Serinus ,

If you self host you need the $40 plan for two people. Seems kinda backwards, doesn't it?

Yeah, they absolutely don't make that clear or I wouldn't have gone with Bitwarden.

sugar_in_your_tea ,

Really? It says it's supported for each account type. It looks like you don't even need the $10/year account anymore for sharing with one other user.

Serinus ,

You'd think that based on your link, wouldn't you. I did.

My support ticket response:

Hi Serinus,
​There actually isnt a mistake what you are reading is the pricing page for premium individuals, which you already have.
But if you check our pricing page for orgs and you are in the free org, you will see that you cannot self-host the free org, as seen here.
You can find more information here; https://bitwarden.com/help/password-manager-plans/#compare-personal-plans
I hope you find this clear and helpful.
Kind regards,
A
Follow Bitwarden on social media:

Serinus ,

https://lemmy.world/pictrs/image/9bdcebd6-1170-4093-a2b3-e3240ce92f75.png

sugar_in_your_tea ,

Your issue is creating an org. The free tier allows again one collection with one user. So don't create an org, share a collection.

Serinus ,

One user can't share a collection with another user. An org is required to share.

sugar_in_your_tea ,

I'll have to check. I haven't self-hosted mine yet, but I thought the collection share I do with my wife is different.

You could very well be right, which would be disappointing.

Serinus ,

If you discover anything different, I'd love to try it! Currently we're either going to share a single login (which might get odd with 2fa devices) or just use VaultWarden.

EngineerGaming ,
@EngineerGaming@feddit.nl avatar

If I can't add your passkey to my local KeepassXC database, I am not using your passkey.

capital ,

You can also host it yourself.

https://bitwarden.com/blog/host-your-own-open-source-password-manager/

EngineerGaming ,
@EngineerGaming@feddit.nl avatar

Yea, I know. But my preference is for my password manager to not be cloud at all.

capital ,

I don’t mean to be pedantic but self hosted isn’t cloud.

LodeMike ,

Doesn't it require cloud activation?

capital ,

It requires a key and id they generate.

https://bitwarden.com/help/install-on-premise-linux/

Though from the instructions, I’m not sure if the install needs continuing communication outbound to function.

EngineerGaming ,
@EngineerGaming@feddit.nl avatar

Yea, I understand, and it's a perfectly valid choice. But does that disregard people's preference to not bother with this at all?

capital ,

I don’t think I understand the question.

To be clear, the alternatives are valid choices.

EngineerGaming ,
@EngineerGaming@feddit.nl avatar

That was a rhetorical question. What I wanted to say was basically "if it is only supported by Big Tech walled gardens and some open, selfhostable cloud password managers, I am not using such passkeys, because for me it is far more comfortable to have my password manager fully offline".

Woovie ,

Why are us nerds like this? No one asked, please dont.

PM_Your_Nudes_Please ,

I mean, they were responding to someone who sounded like they were acting superior for self-hosting their password manager. This person chimed in with “well you can self-host Bitwarden too”. And now you’re upset because they offered a direct counterpoint, and furthered a conversation?

skeezix ,

This is a guy who planted some Cheerios because he thought they were donut seeds.

A_Random_Idiot ,
@A_Random_Idiot@lemmy.world avatar

Eh, easier to just use the same password for everything.

I use 12345, personally.

capital ,

Huh.. same as my luggage.

obviouspornalt ,

Passkeys sound great. Where's the support for Firefox, Proton Pass? Bitwarden has it.

sugar_in_your_tea ,

Yup, the only missing thing for Bitwarden is the mobile app, but so far none of my apps support it, so whatever.

squirrelwithnut ,

I use BitWarden's mobile app just fine on Android.

sugar_in_your_tea ,

For passkeys? My understanding is that's not implemented yet.

squirrelwithnut ,

Oh, I totally didn't register you were talking about passkeys. lol sorry. I don't use them, so I was just talking about the BW app in general .I haven't run into any compatibility issues with it.

LemmyFeed ,

Is this an ad?

EncryptKeeper ,

It’s a PSA with an ad at the end.

aceshigh ,
@aceshigh@lemmy.world avatar

That was my observation as well. If it walks like a duck and it quacks like a duck…

Deceptichum ,
@Deceptichum@sh.itjust.works avatar

Its a witch?

Gabu ,

No, no, no. A Witch must float like a duck.

UnfairUtan ,

Any example of websites where I can try passkeys? I have both bitwarden and Proton pass to test out

filcuk ,

Github, Bitwarden itself, Cloudflare, Microsoft

OfficerBribe ,

Test site: https://webauthn.io/

Known sites: https://passkeys.directory/

AnActOfCreation OP ,
@AnActOfCreation@programming.dev avatar

I personally like the demo at https://www.passkeys.io/.

mypasswordis1234 , (edited )
@mypasswordis1234@lemmy.world avatar

I noticed that recently every post on Proton's blog has been an advertisement of their services.

They are hypocrites.

A few days ago they posted that corporations are bad because they collect fingerprints, profile users, etc., yet they are no better, as their mobile apps rely on Firebase Cloud Messaging (FCM) owned by Google to deliver notifications to their users.

In 2020 they wrote that they "may offer alternative push notification system", but apparently shitting on corporations is easier than making actual changes. Four years ago.

LodeMike ,

That's a google services issue. That's Google's fault.

EngineerGaming ,
@EngineerGaming@feddit.nl avatar

It was their choice to not exclude this knowingly-evil service from their applications though.

LodeMike ,

Yes. It's still the fact that Google monopolizes shit. Same thing with Apple by the way.

EngineerGaming ,
@EngineerGaming@feddit.nl avatar

But there are apps that have been built with Google-independent notifications. Proton could have supported UnifiedPush, for example, yet they decided not to.

LodeMike ,

Yes

  • All
  • Subscribed
  • Moderated
  • Favorites
  • technology@lemmy.world
  • random
  • incremental_games
  • meta
  • All magazines
    •