Passkeys are phishing resistant, or so they say… but the web app still needs to let you in with password + 2FA… So I’m not sure how much that’s really worth.
I guess if the users are typically never seeing a 2FA prompt then it should be more suspicious when they see one?
Passkeys are a replacement for passwords. Passwords don’t solve the problem of a lost password, and passkeys don’t solve the problem of a lost passkey. How a site deals with lost credentials is up to them. It doesn’t need to be password + 2FA.
I just wish Google would stop overriding my passkey on Android for specific apps including their own.
You can change the provider to bitwarden.
Passkeys are light years ahead of 2fA in user experience. Why do you dislike them?
Security based on devices is one of the positive innovations of smartphones and perhaps the only area where they’ve improved over the desktop experience.
Passkeys make plausible deniability more difficult. “This user name isn’t necessarily associated with my real world identity” permits some important good things.
Passkeys use unique keys per site for that reason
How does that protect against “only you could have logged in because this passkey is only on your phone”?
That’s literally no different from a regular password manager or having a 2FA TOTP code app set up for it
Are you sure? TOTP secrets can be exported. I think passkey implementations explicitly prevent that. Unless I’m missing an option to export passkey creds, e.g. print them out.
That same disaster recovery feature (which I need) also helps avoid a future where every forum and avenue of dissent requires dis-repudiation via passkeys. It’s a weird nuance, ascribing a social effect to a simple ability to back up your keys without backing up your whole phone.
Why would I want security based on a device? What security this offers greater than a 64 chars password + 2FA?
TOTP codes can be phished, hardware security keys and passkey can’t
I doubt that anyone that doesn’t use “password” as a password and who knows what 2FA is could be easily subject to phishing.
It literally just takes a slightly different domain name. Lots of infosec pros have been phished when not paying attention
I very specifically don’t want my security tied to my device. Trying to migrate to new phones, and keeping things synced between a phone, desktop, and laptop is why I long ago moved to a password manager. Now, especially in the phone space, getting passkeys to function fully with a password manager ranges from “pain in the ass” to “not actually possible”.
Bitwarden: “I’m literally right here”
It just doesn’t work for apps on Android, which is a bummer. For example the Playstation app login with passkey stored in Bitwarden simply doesn’t work for me.
Bitwarden+Firefox+Android. That combo doesn’t support passkey creation.
I’m using Bitwarden, Firefox, and Android and passkeys have been working fine for me.
What am I doing wrong?
Ah, shit. Really? This is exactly my setup.
Heard of so many people losing their phone. Then they try to log into something and the company (quite often google) says “I don’t give a fuck if you know your passwords I’m never letting you log into your account get fucked, don’t call I won’t answer”
I had a botched phone battery replacement once resulting in the phone getting replaced very unexpectedly. It was a nightmare trying to get everything back together because I stupidly used google authenticator, which is tied to the specific phone it’s on. Not tying it to the device is the way to go.
Authenticator no longer works like that. You can now restore all of your 2fa codes by logging in to you google account and it’s been that way for almost 2 years now.
Wow, almost 2 years, such advancement…
?? What’s that supposed to mean?
it means it shows how poor the user experience was until only two years ago.
I didn’t consider the friction of integrating it into your existing process because I use a manual password manager. But who is saying you should replace a password manager with passkeys? It was always meant to be a parallel system.
Edit: I just wanted to add that people like you and I who have “solved” our credentials problems are a tiny minority. Passwords are shit. Just because we’ve grown accustomed to them doesn’t change that.
You’ll find that nobody has a problem with passkeys specifically. They have a problem with the implementation, and companies forcing passkeys onto users who don’t want or need them.
I don’t need passkeys because I use a password manager. My threat model requires that I can restore my password manager, all 2FA, and regain full access to all my accounts from anywhere in the world, even if a natural disaster occurs and all my devices are destroyed.
Passkeys and SMS 2FA are a direct threat to my threat model, and I can’t help but feel they’re designed to further entrench surveillance capitalism, and the invasion of privacy as a prerequisite for security.
I briefly looked into passkeys a while ago, but I think I remember really disliking them because they just seemed like another excuse for companies to lock you in.
Has this changed? With Bitwarden + passwords, I can change to any platform, any device, at any time, and instantly get all my creds moved over securely.
I don’t want to be in a situation where I’m locked into using Android, Chrome, iOS, or whatever because I can’t move my creds.
Bitwarden has passkey support! Syncs too!
Except for passkey login on Android app. For example Playstation app login with passkey won’t work.
Have you tried Bitwarden? I like their implementation best and its cross-platform.
My reply was specifically for Bitwarden.
Ahh, sorry, didn’t see that part.
Is it a problem with the PlayStation app not wanting to play nicely with the deep linking of Bitwarden?
Do other passkey apps work with it?
Yeah I don’t think it’s the only password manager that allows PassKeys either. Plus, they’re more secure by design; the website never has to store anything that can be reversed to allow access. Bitwarden even lets you store multiple passkeys per site.
I do hate how it’s promoted as “locked to your device” though but i imagine that’s because (unfortunately) password managers aren’t used by a majority of users.
Hm, ok. Maybe it’s time to take another look.
It’s not. There is almost zero security improvement between a passkey vs a randomly generated password + 2FA.
The only concern is if you’re dumb enough to give away your password, or not activate 2FA on critical accounts.
It’s not for your security, it’s for the company’s. People suuuuuuuuck when it comes to credentials.
My company insists on expiring passwords every 28 days, and prevents reuse of the last 24 passwords. Passwords must be 14+ characters long, with forced minimum complexity requirements. All systems automatically lock or logout after 10 minutes of inactivity, so users are forced to type in their credentials frequently throughout the day.
Yes people suck with creating decent credentials, but it’s the company’s security policies breeding that behavior.
I don’t get why people get upset at frequently expiring passwords. It’s not hard: just write it on a postit note and stick it on your monitor.
Same. They also don’t allow password managers and I have multiple systems that don’t use my main password, so I have at least 5-6 work passwords for different systems.
Nobody can remember all that.
So everyone makes the simplest password they can (since it has to be regularly typed in) and writes it down somewhere so they don’t forget it.
And yet admin, 1234, test, etc. remain the most commonly ‘hacked’ passwords. Your company’s policies may be annoying, but they certainly don’t make you use unsafe passwords.
Tell them the NIST recommendations for password frequency changes have been really reduced in recent times because it pushes people into other bad password practices. Among all factors, changing the password frequently is the least important.
My company insists on expiring passwords every 28 days, and prevents reuse of the last 24 passwords. Passwords must be 14+ characters long, with forced minimum complexity requirements.
Outdated security practices & cargo culture. Someone should roll up a copy of NIST SP 800-63 to smack them over the head until they read it:
The following requirements apply to passwords:
- Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
- Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
- Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
- Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
- Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
- Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
Maybe ask them their security qualifications & whether they follow the latest security research & industry standards.
Coincidence or did you get that email from eBay today, too?
They probably got hacked and we’ll find out about it next year.
The amount of people in this thread that don’t understand passkeys surprises me. This is Lemmy. Aren’t we the technical Linux nerds of the Internet?
The synchronization part is the annoying part. And when you have multiple accounts on one site you can end up with multiple passkeys for it.
brb opening and feature request for passkeys in Lemmy
edit: nevermind
2FA is just dead simple. I contact you, you contact me, handshake achieved. If you call me out of the blue I raise the alarm. If you get a login attempt with a failed handshake you raise the alarm.
Putting it all behind a pop up screen just isn’t trustworthy to the human brain.
Passkey is multifactor: something the user has (key), something the user is (biometric) or knowns (password) to unlock the key. Yes, dead simple.
Yup, I’m not talking about the actual tech. Rather the human perception of it.
TOTP 2FA is less secure than passkeys. 2FA TOTP keys can be phished. Passkey authentication cannot be phished. This is a security improvement which can make people completely immune to phishing attacks. That’s huge. And it doesn’t have any privacy risks, no loss of anonymity. It’s an open standard.
This is, objectively, a rare example of new technology which will make the world better and safer for us.
Yes, this point exactly, thank you for explaining this.
I get that, the problem is human psychology.
everyone is sick and tired of tech promising to make the world better, only to make everything worse. i totally get the mistrust, the feeling that this is probanly just another trick from big corporations to steal even more of your privacy. i know much better than most people what it’s like. i know you’ve got no real reason to believe me, i’m just a random silly gay furry boy, but, trust me, in this case, we should be adopting this tech. if you’ve got family members or friends who are more vulnerable to phishing scams - often scammers target the elderly - i’d really encourage you to encourage them to set up passkeys. as always, i strongly recommend bitwarden - it can manage passkeys and sync them between devices and it’s totally secure and open source.
much love & solidarity!
But I also worry about new areas of weakness with passkeys - anyone accessing the device with the passkey on it, or hacked that device, gets access automatically to the accounts. Also if logins are too fluid I worry that anything out of the ordinary during sign ins won’t be noticed.
yeah that’s totally true, but usually modern devices ensure that the passkeys are protected with a PIN or some biometric security, so I think it’s at least as strong as having a password manager on your device that can be unlocked with a PIN.
not really sure what you mean about “out of the ordinary” logins - it sounds like you’re thinking about phishing risks? but remember - passkeys cannot be phished. they verify the identity of both sides of the authentication token exchange - the server verifies you, and you verify the server. If you only use passkey authentication, you are safe from being phished. the most secure system would be one entirely without passwords/oath totp
SMS 2FA is notoriously compromised by various means.
I’m not debating that.
2FA is great, right up until you’re also the victim of a sim swap attack.
2FA is not SMS. SMS is the least secure, shittiest, and simplest form of 2FA, designed as the bare minimum for the average chucklefuck. Everywhere implemented it hastily because the average idiot still uses the same password for everything. It should be illegal as the only form of 2FA, but our governments are run by criminally corrupt dinosaurs.
Fun story! Back in 2017 I tried to remove SMS 2FA entirely, and switch to a data only mobile service. I use 2FA everywhere it’s available, but was able replace SMS with TOTP everywhere except banks, even on big tech platforms where you could only activate TOTP after adding a mobile number and enabling SMS 2FA (you could then remove the mobile number). I ultimately had to keep the voice service because banks required SMS 2FA, with no alternatives beyond their own custom 2FA apps, that can only be registered by SMS. Almost a decade later I have more SMS 2FA than ever before.
The moral of the story is we live in a clown world capitalist dictatorship.
Text has always been insecure. An authenticator app is better.
You understand that technical people often are the least likely to trust new technology and are often stuck in the mud when it comes to technology? Doubly so if you are anti-corporation. It seems anything that isn’t the Unix way of doing things can be questioned.
There is a good meme about people who love technology vs people who actually work with the stuff. The former using IoT devices to turn their lights on while the latter uses a light switch and has a gun in case the printer starts making weird noises.
Good point, and I love that meme.
I use passkeys through 1Password and it’s vastly less irritating to me than anything involving passwords, especially 2fa. I really don’t like having to wait for email to arrive or copying down digits from a text message, which seems to be how 2fa typically works 90% of the time.
Amazon fucking insisting every damn time I log in.
I thought passkeys were supposed to be more secure?
They’re using the same standard as FIDO2 / WebAuthn hardware security keys. The protocol is phishing resistant, unlike TOTP and similar one time code solutions.
I prefer the physical ones, because they’re easy to organize. Passkey synchronization can be annoying.
There’s been a lot of pain in the attempt to portray it as “Just click the passkey button, and that’s it! Your login is secured for life!”
No - Buddy. It is secured for this one specific device that I have biometric authentication for. What about my computer? What about my other computer that isn’t on the same operating system? I have a password manager that stores these things, why didn’t you save to that when I registered? Why is it trying to take this shit from my Apple Keychain when it’s in Bitwarden?
And, the next ultra-big step: How would a non-techie figure this shit out?
For some people it is that easy.
When it is saved to a cross-platform password manager, it is secured on all devices that password manager runs on including your computer on other operating systems. You can also choose other in the OS prompt & redirect to a device with your passkey or use a hardware security key (I don’t). If your preferred password manager isn’t the primary one on all your devices, then fix that or use the other option mentioned before.
How would a non-techie figure this shit out?
The same way they figure out passwords & multifactor. Their pain isn’t ours for those who’ve figured this out & have a smooth experience.
I mentioned Bitwarden in my comment, and my frustration specifically comes from occasions that I had Account X ready in Bitwarden, started up an app that relied on Account X, but loaded an HTML login page that had no discernable controls to use that Bitwarden passkey; expecting entirely for it to exist in my Apple keychain, which I never use.
I think it’s very easy to claim this specific app / account was not implementing passkeys well. But if that’s the case, how can I guarantee any other accounts I move over won’t fuck it up somewhere? I haven’t seen anyone get the concept of passwords wrong, and even if they don’t understand how managers work, I have control of the copy-paste function and can even type a password myself if needed.
I use both Bitwarden and Apple’s native Passwords.app and just save a passkey for each app. Usually you can name the passkey on the website/in the app as well.
This is also the system I use when saving 2FA TOTP codes as well so I guess I’m used to it, but it makes good sense to me to have reduncancy in my password apps. Also I lock up *the apps themselves* with passkeys in the respective app for ease of use.
:mastozany:No - Buddy. It is secured for this one specific device that I have biometric authentication for. What about my computer? What about my other computer that isn’t on the same operating system?
Then use a Yubikey.
I tried a yubikey but most websites want you to use the pin for that which requires windows hello, and if you reset windows you lose that.
OnlyKey seems to be a better choice than Yubikey, from what I can see. The only reason I haven’t switched is that I have a few accounts that I share with my partner, and I want to be sure that I can have two different keys work for the same account.
And, the next ultra-big step: How would a non-techie figure this shit out?
They don’t have a computer, another computer with a different OS, or bitwarden.
Bitches don’t know that passkeys are awesome. It’s like ssh key authentication for web apps. Just save the passkeys to my password manager & presto: use same keys on all my devices.
It replaces opening a TOTP app to copy a token with a click to select the passkey in a prompt from my password manager.
Ancient meme
Y’all are my people.
Uhhh… Can someone ELI18 to me the problem with passkeys? I use them wherever available and find them very convenient.
Yeah i can sum it up for you
What’s wrong with passkeys? I’m in love with passwordless sign-in with yubikey, so much easier and faster than password + totp
I don’t like how there isn’t a nice, cross-platform and secure way to sync my keys. Not all services allow multiple keys to exist at once.
I mean I’m just using my yubikey for the keys, it’s traveling in my pocket everywhere and use it on any platform
Bitwarden syncs passkeys.
The syncing of keys allows for much greater attack surface.
Its being worked on right now but the standard hasn’t been finalized yet.
Until exporting and syncing keys is properly implemented, passkeys can go kick rocks.
It’s shitty user experience when forced to dig out my phone to authenticate myself to a site I barely give half a shit about.
Like I wouldn’t even have an account if it wasn’t forced, and now you assholes want my phone too?
I think you’re describing SMS passcode, totp or other such factors.
Passcode doesn’t require phone necessarily, but you can use it too
A lot of the stuff that has implemented passkeys so far are on mobile. And I mean the apps serving them out, not things you authenticate to.
BitWarden has a desktop extension and it also handles 2FA. No reason to be using a password, which is way less secure and can be extracted from a website DB via a hack.
Doesn’t the 2FA protect users still, if they only got the password?
It does, but not everyone sets up their 2fa, or uses the least secure forms. Then passwords get hacked, and those lists get shared so when the next hack comes along, they have that many more tools to try and break the encryption (assuming there is any) on a bigger site, compromising even more people.
It’s a whole systemic shit bag. Passkeys were meant to solve a lot of these problems, and they would, but Big Tech is botching the execution in favor of yet another thing locking you into their ecosystem.
In practice, yes. IF IMPLEMENTED PROPERLY it would be extremely unlikely for an attacker to get in.
For example with a proper implementation of TOTP it would require an attacker to guess the correct number between 1 and a million in less than a minute. Most services make you wait a little bit (often less than humans notice) between attempts and don’t allow infinite attempts, so an attacker would have to be unimaginably lucky.
There are sadly lots of huge companies that DON’T IMPLEMENT 2FA PROPERLY. Sony Entertainment (account for PlayStation) for example. So a unique and long password is still important.
TOTP can be phished remotely, passkeys / hardware security keys can’t (need to get malware into the users’ computer instead)
Yes, extra security for your personal information is so irritating.
Security for who exactly?
If I don’t even want an account, it’s the “security” of the sites ad targeting data that IDGAF.
In store my passkeys in my password manager, which has a desktop app to access passkeys. What are you using that you have to always use your phone?
Google Chrome on PC can let you verify from the phone to unlock passkeys
Shouldn’t you still need 2fa, and use the passkey as the second auth?
The passkey is still protected with another factor, such as pin code or biometrics
Like when I login to my account, I put the yubikey to usb port, then browser asks me to unlock it using pin code, then I’ll touch the yubikey to confirm I’m in physical access to it, and only then it allows the authentication
In practice this takes about 2 seconds
Until sites start disallowing youbikeys because it doesn’t make it impossible for you to backup your keys…
What is planned to happen.
