“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.
Literally just use a password manager and 2/MFA. It’s not a problem. We have a solution.
Actually, it is still a problem, because passwords are a shared secret between you and the server, which means the server has that secret in some sort of form. With passkeys, the server never has the secret.
The shared secret with my Vaultwarden server? Add mfa and someone needs to explain to me how passkeys do anything more than saving one single solitary click.
When a website gets hacked they only find public keys, which are useless without the private keys.
Private keys stored on a password manager are still more secure, as those services are (hopefully!) designed with security in mind from the beginning.
If a website with old-school passwords gets hacked, the hacker only gets salted hashes of passwords - this does not seem to be much worse?
(Websites that store plaintext passwords surely won’t implement passkeys either…)
Pass keys are for websites such as Google, Facebook, TikTok, etc. And then they go into what is currently your password manager or if you don’t have one, it goes into your device. You still have to prove to that password manager that you are, who you say you are, either by a master password of some sort or biometrics.
Best password manager is offline password manager.
KeepassXC makes a file with the passwords that is encrypted, sharing this file with a server is more secure than letting the server manage your passwords
This is not at all relevant to the comment you’re responding to. Your choice of password manager doesn’t change that whatever system you’re authenticating against still needs to have at least a hash of your password. That’s what passkeys are improving on here
I agree, and that’s my method as well. Although I do not ever share the file with a server either. I only transfer it from device to device with flash drives or syncthing.
How do you handle merging between devices? Do you manually transfer/sync every time you add a new password?
Not trying to sell you on putting it in cloud storage or anything, but one really nice benefit to doing so is automatic merging through clients like Keepass2Android. If I add a new site to my phone and it doesn’t already have the latest copy of my vault, it’ll fetch and merge that first.
Technically yes I don’t have to use a desktop or laptop very often and do most of my computing from my mobile phone running lineage OS obviously and so what I do is if I add a password once every quarter at least I back it up to a flash drive so that if nothing else I will only lose a few months worth of data. I also don’t go signing up for accounts and services all that often since I am particularly interested in keeping my privacy. So very few modifications occur with my passwords in three months. If I absolutely must get a new password onto my laptop immediately, then I will go ahead and plug in my flash drive and manually synchronize whenever that is required as well.
I do that too, I have my own server in my basement for storage
Look at us. A bunch of people who don’t trust society. LOL.
You can share passwords without the server seeing them. Many managers don’t but there’s nothing infeasible there. You just have a password to unlock the manager. Done.
What I’m getting at is that a web server has a password, in some form. And so if that site gets breached, your password itself may not get leaked, but the hash will. And if the hash is a common hash, then it can be easily cracked or guessed.
Ultimately I’m pro passkey but when it comes to password managers: if the hash of your vault is easy to crack you’ve fucked up big time. There shouldn’t be any way to crack that key with current tech before the sun explodes because you should be using a high entropy passphrase.
Oh, you absolutely should. And if you are not, that is nobody’s fault except your own.
Not anything sufficiently modern. Salted passwords should be exceedingly difficult to reverse.
Never forget that technologically speaking you’re nothing like the average user. Only 1 in 3 users use password managers. Most people just remember 1 password and use it everywhere (or some other similarly weak setup).
Not remembering passwords is a huge boon for most users, and passkeys are a very simple and secure way of handling it.
I work for multiple organizations. The majority of which have a Google sheet with their passwords in that are
c0mpanyname2018!
Those that aren’t are
pandasar3cute123?
At one point the organization I work for had a password that was literally
Password-022!
, guess what it was the following month?Exactly.
I had to start hashing passwords and sending it to the haveibeenpwned API.
I also fight with my users over data normalization because any time I add some rule (like don’t put “SO#” as part of the value of the “SO#” field), they’re too stupid to realize the point and find some other “hack” around it.
I mean, it is. Aside from an additional associated cost, it’s still much less convenient.
I’ll switch when it’s fully implemented in open source and only I am the one with the private key. Until then its just more corporate blowjobs with extra steps.
That’s exactly how passkeys work. The server never has the private key.
KeePass has passkey support
And we all remember the huge drama about it because they allowed for taking the keys out and backup them up.
I think a big part of it was exporting them plain text by default. I’m in the “I know what I’m doing” camp but I guess for someone who doesn’t that sort of handholdy stuff not allowing the export them without encryption stuff makes sense.
What do you means by this? What part do you want to be open source? Passkey are just cryptographic keys, no part of that requires anything unfree. There’s aready an open source authentication stack you can use to implement them. You can store them completely locally with KeyPassXC for selfhost Vaultwarden to store them remotely. Both are open source?
Passkeys are an ancient authentication setup, have always been better than passwords and are finally getting traction.
You can add them in vaultwarden.
I still have no idea how to use passkeys. It doesn’t seem obvious to the average user.
I tried adding a passkey to an account, and all it does is cause a Firefox notification that says “touch your security key to continue with [website URL]”. It is not clear what to do next.
After my password manager auto filled a password and logged me in the website said “Tired of remembering passwords? Want to add a passkey?” I didn’t know what it meant so I said no lol.
Me too, I don’t trust the system and I don’t want to be locked into a specific browser and/or device.
I think you actually have to buy a passkey device. Then configure it to work with a particular account.
You plug the passkey into your computer and then whenever it asks for a password you literally touch it and it does its thing. I think there are options like biometrics that you can add on top but you don’t have to have that.
Devices themselves can act as passkeys too - I.e. your phone, laptop etc…
…except the ones that can’t
I think it depends on whether you have a TPM chip in it
What are you talking about? KeepassXC, to my knowledge, is not dependent on any TPM, snd it does support passkeys.
devices themselves can act as passkeys
I didn’t say a device needs a TPM to support passkeys - I said I believe it it needs one to be a passkey
Thank you for your passive aggressive response caused by poor reading comprehension, though
From what I understand, “passkey” refers to software, so no such thing as “device being a passkey”. Unlike a hardware key.
You understand incorrectly. “passkey” refers to a token used for the public key authentication that is used for sign in, which needs to be stored somewhere - this can be stored in a hardware key like a YubiKey, or in your device’s credentials manager. In principle, this could be anywhere, but it needs to be somewhere secure to not be trivial to compromise (eg taking out your HDD and just copying your passkey off it)
In Windows’ case, this secure credentials store is the TPM chip, which is why you are not able to use passkeys on Windows devices that have no TPM chip (unless you use another hardware implementation).
Tldr: passkeys are data, not software, and to store the data, you need some form of hardware, which needs to be secure to not be a really bad idea.
If you’d like to do some reading before confidently correcting me further, I’d suggest reading about how passkeys work.
Thanks for clarifying
If that’s what’s needed, I can say with some certainty that adoption isn’t going to be picking up any time this decade.
They’ve been around forever as a concept I think I even have one for accessing some servers at work. You’re right no one uses them.
deleted by creator
ITT: Incredibly non-technical people who don’t have the first clue how Passkeys work but are convinced they’re bad due to imaginary problems that were addressed in this very article.
This is a weird thread. Lots of complaints about lock in and companies managing your keys, both of which are easily avoidable, the exact same way you’d do so with your passwords.
Also the people talking about added complexity? I’m convinced all the complaints are from people who haven’t set one up or used one and are immediately writing it off. Adding one is a single click of a button.
Then to sign in I literally just get a thumbprint request on my phone after entering my username. It’s far far simpler than passwords and MFA.
I’m never using biometrics on any device. Fuck that
Does it require an array of fucking containers and a flurry of webAPI calls? Then no.
No it’s actually pretty simple. No containers. Your passkeys can be managed in the browser (Google Passwords), by a plug-in like BitWarden, or in a third party hardware device like YubiKey.
I remember when Microsoft made a big deal about this on Windows and then their “implementation” was making the local signon a number PIN.
And not a proper separate auth operation lol. You either set up almost everything with the PIN or use a regular password, not both. Makes it useless on enterprise.
Realistically we should all be using a key/pass vault since that would make using passkeys much easier, but that’s too complicated for the internet in
20042024.If it were me, I’d just issue everyone a yubikey.
What separate auth operation is needed besides authenticating with the local device to unlock a passkey?
Am skeptical
I’m not convinced this is a good idea. Resident keys as the primary mechanism were already a big mistake, syncing keys between devices was questionable at best (the original concept, which hardware keys still have, is the key can never be extracted), and now you’ve got this. One of the great parts about security keys (the original ones!) is that you authenticate devices instead of having a single secret shared between every device. This just seems like going further away from that in trying to engineer themselves out of the corner they got themselves into with bullshit decisions.
Let me link this post again (written by the Kanidm developer). Passkeys: A Shattered Dream. I think it still holds up.
The author of your blog post comes to this conclusion:
So do yourself a favour. Get something like bitwarden or if you like self hosting get vaultwarden. Let it generate your passwords and manage them. If you really want passkeys, put them in a password manager you control. But don’t use a platform controlled passkey store, and be very careful with security keys.
The protocol (CXP) which the article is about, would allow you to export the passkeys from the “platform controlled passkey store” and import them into e.g. Bitwarden. So i would imagine the author being in favor of the protocol.
The real problem is not passwords so much as trusted sources. Governments should have an email account that citizens have a right to and will not go away and have local offices to verify access issues.
No. Wtf no.
well they deliver your mail. I am envisioning the same protections but also you don’t have to use it in general. but it would be how the government would send things to you.
based on?
You’ll need to read the article I don’t feel like breaking it down for you.
Im familiar with the concept and disagree. Just giving you a chance to back it up. You see anything can be called a false equivalency and each specific equivalency would have specifics on why.
Buddy. If you’re not able to tie in the conversation to the concept I can’t help. I recommended pasting the concept into an LLM to explain it to you.
Or if you’re looking to argue with a stranger on the internet… I can’t help you there either.
I don’t want my government hosting my email.
The last time they had to do anything important they stoled all the sensitive data in plain text in an Excel spreadsheet and then the spreadsheet got corrupted so they lost everything. Of course they didn’t have backups.
But at least since it was stolen, the backup was hosted for free on the hacker forums /s
well they deliver your mail. I am envisioning the same protections but also you don’t have to use it in general. but it would be how the government would send things to you. Also I have had corps almost constantly have a breach of my information but not once yet from the feds or my state.
I bet the gov would love to host your email and have access to all the same info Google does…
Better have your info shared with one government, rather than have it shared with every government
Allow me to introduce you to international intelligence-sharing alliances.
well they deliver your mail. I am envisioning the same protections but also you don’t have to use it in general. but it would be how the government would send things to you.
Whatever you’re smoking, do less of that
well they deliver your mail. I am envisioning the same protections but also you don’t have to use it in general. but it would be how the government would send things to you.
I’m lost on this - is this better than GPG?
More usable for the average user and more supported by actual sites and services, so yes.
Does this require any 3rd party to work? I remember reading a blog, something about attesting the client, which was some big corpo like Google/Apple/Microsoft… that’s not for this, right?
While the defaults are typically to use what the browser or OS has for storage and sync of the passkeys, you can use other things.
Like KeePassXC:
https://keepassxc.org/blog/2024-03-10-2.7.7-released/
As for attestation to how the key is stored securely (like in a hardware key), Apple’s implementation doesn’t support it for iCloud ones, so any site that tries to require it wouldn’t work for millions of people. That pretty much kills it except for managed environments (such as when a company provides a hardware key and wants to make sure that’s the only thing that’s used).
They are really satisfying when they work. I have been impressed by how well they work cross platform in the new bitwarden. It even worked from Android one time with a key made on windows! However, I dread when my mom tells me she needs help with an account and I can’t do anything because the key is on her iOS Keychain I don’t have access to
My password manager supports passkeys just fine, across Windows, macOS, Linux and iOS (and probably Android but I haven’t tried). Surprisingly, iOS integrates with the password manager so it’s usable just like their own solution and it works across the system (not just in the browser).
This seems to be more about finding a standard way to export/import between different password managers/platforms?
Correct. The spec is about making it easier and more secure to export your passwords and passkeys when you move from one password manager to another. People are misunderstanding this as some sort of federated authentication system to share your credentials between multiple password managers at the same time, which it is not.
Whenever I read stuff like this, my mind goes a bit hazy. Because I’m just finding myself asking ‘Why and when did the simple mechanic of passwords get this difficult?’
Maybe if password requirements weren’t stingingly stupid, companies cared more about actual security and not an obstacle course they’ve gotta send people through to do one thing. We wouldn’t ever know or need to know systems like this.
With passkeys you never need to worry about the storage method used by the site. Some sites STILL store passwords in plaintext. When that database gets hacked, it’s game over.
A public passkey, even stored in plaintext, is useless to an attacker.
Maybe that doesn’t matter for you or me, with our 64-character randomly generated passwords unique to each service, but the bigger picture is that most people just use the same password everywhere. This is how identity theft happens.
‘Why and when did the simple mechanic of passwords get this difficult?’
When and because people started storing all their intimate personal details on the internet and hackers sought to exploit those details.
Maybe if password requirements weren’t stingingly stupid, companies cared more about actual security and not an obstacle course they’ve gotta send people through to do one thing.
The obstacle course is the security, unfortunately. That’s the problem this aims to solve.
Passkeys are much simpler to use than passwords, password managers, 2FA etc. if simplicity is your goal, Passkeys are your personal wet dream.
That one site - what was it, Mozilla’s/Gnome’s git? - that needed Aegis for login. Which is unlocked by pasword btw.
Was this reply meant for me? I’m not sure what you’re saying
Meanwhile mobile Firefox doesn’t even support YubiKey / FIDO2 for some godforsaken reason.
deleted by creator
Ah. If we’re talking mobile, all bets are off. FIDO prompts require Apple and Google to provide the necessary APIs for third-party devs to use, and are still somewhat new. It’s likely that since iOS browsers are still just re-skinned WebKit (until the EU stuff settles and Mozilla implements Gecko on iOS), FF on iOS can leverage the OS APIs, but making it work with Gecko on Android requires more work.
I was referring to desktop, where those limitations aren’t a hindrance.
Yep, I had said
mobile Firefox
Just saying it’s sad that FF mobile on Android is basically the only time it doesn’t work.
What is the difference between a crypto wallet and a passkey?
Is it just that a passkey has less functionality (and therfore better usability)?
Passkeys are for logging into websites.
Passkeys seem to be equivalent to public addresses of blockchain wallets.
I think the main difference is that passkey are recoverable but blockchain wallet keys are private
No, and this analogy is completely unhelpful
Can you expand on why?
One argument could be that FIDO2 and WebAuthn primarily rely on algorithms like RSA and non blockchain elliptic curves, but extending the algorithms covered in standards shouldn’t be too difficult as open source libraries exist.