Y’all are my people.
Uhhh… Can someone ELI18 to me the problem with passkeys? I use them wherever available and find them very convenient.
Yeah i can sum it up for you
Remember when tap-to-pay was new and didn’t work at a lot of places and some people were freaked out over it?
And now most of us use it without a 2nd thought.
I speculate passkeys will be like that.
I’d use it if it didn’t cost extra in my country. Swiping my card really isn’t much harder
Wow that’s madness
Passkeys are a great idea, but everyone involved seems like they want the process to be as much of a pain in the dick as possible. So until the industry pulls it’s collective head out of its collective ass (not going to hold my breath on that one), it’ll be passwords+2FA for me.
It feels like everyone is trying to tie people to their platform. Oh, and also use the opportunity to force shit like “no custom ROMs or bootloader unlocking” on Android at the same time.
Are custom ROMs or bootloader unlocking an issue for the passkey ecosystem? Not something I’d seen commented on yet.
You cant use it with grapheneOS, ive tried. I mainly use bitwarden for passkeys but some (most?) services only work with googles version
I hate 2fa so much, I never thought they would come up with anything more irritating. Little did I know.
I really like 2FA as long as it’s TOTP and I can use an offline app or program for it. It just works and is very easy and secure.
Until you lose the device with the 2fa app and can’t ever get into those accounts again. I’ve heard that horror story before and I avoid those apps because of it.
Lots of these apps let you export the entire vault as a file. I use this to import it on other devices. I currently have it on my phone (Aegis) and my pc (OTPClient) and is very satisfied with the experience.
I also have encrypted backups on a USB flash drive, an external HDD and five separate cloud services. I trust this solution.
I’m glad they have options, but if you don’t know you’re supposed to do that then it doesn’t help you after something goes wrong. Most people don’t know to prep for that.
Write down your set up codes on a piece of paper (or, just the important ones to get access to your digital backups) the others can live within your app of choice.
(Keepass2Android is a great, free app. Just toss a couple of coins to your dev if you’re feeling generous)
Jesus Christ, dude, that is exactly it.
We’re trying to implement passkeys at work and the testing has been an absolute nightmare. Literally have no control over the onboarding experience because each tech giant is clamoring over each other, interjecting into the process to be the “home” for your passkeys. It’s bananas.
When it’s all set up, it’s kinda great! But getting set up in the first place is an exercise in frustration.
It’s a chance for them to lock you (normies) into their platform forever. They’re not going to give that up.
Unless I’ve missed something big, passkeys are pretty easy for me if the website supports them imo.
Using KeePassXC, I click register on the website, register the passkey with KeePass, then it just works when I need to authenticate or login. My database is then synced across all my devices.
Passkey support is yet to come to KeePassDX on Android though, so I’ll be awaiting that feature
For me it’s just inconvenient to have to type my computer’s login, but the fingerprint on the phone is nice
If you live in the USA, don’t use fingerprints or any other biometrics. https://arstechnica.com/tech-policy/2024/04/cops-can-force-suspect-to-unlock-phone-with-thumbprint-us-court-rules/
It’s not for your security, it’s for the company’s. People suuuuuuuuck when it comes to credentials.
My company insists on expiring passwords every 28 days, and prevents reuse of the last 24 passwords. Passwords must be 14+ characters long, with forced minimum complexity requirements. All systems automatically lock or logout after 10 minutes of inactivity, so users are forced to type in their credentials frequently throughout the day.
Yes people suck with creating decent credentials, but it’s the company’s security policies breeding that behavior.
My company insists on expiring passwords every 28 days, and prevents reuse of the last 24 passwords. Passwords must be 14+ characters long, with forced minimum complexity requirements.
Outdated security practices & cargo culture. Someone should roll up a copy of NIST SP 800-63 to smack them over the head until they read it:
The following requirements apply to passwords:
- Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
- Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
- Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
- Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
- Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
- Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
Maybe ask them their security qualifications & whether they follow the latest security research & industry standards.
Same. They also don’t allow password managers and I have multiple systems that don’t use my main password, so I have at least 5-6 work passwords for different systems.
Nobody can remember all that.
So everyone makes the simplest password they can (since it has to be regularly typed in) and writes it down somewhere so they don’t forget it.
Tell them the NIST recommendations for password frequency changes have been really reduced in recent times because it pushes people into other bad password practices. Among all factors, changing the password frequently is the least important.
I don’t get why people get upset at frequently expiring passwords. It’s not hard: just write it on a postit note and stick it on your monitor.
And yet admin, 1234, test, etc. remain the most commonly ‘hacked’ passwords. Your company’s policies may be annoying, but they certainly don’t make you use unsafe passwords.
I have the opposite situation, I bought yubikeys but nobody supports them.
Indeed. Why so many recommend them I have no idea.
Honestly, if you have a password manager that supports security keys then buy two cheap keys (one for backup) like the Thetis FIDO U2F Security Key and use those to secure your password vault. For everything else just use TOTP and Passkeys stored in your vault.
I invested in Yubikeys and yes it was a waste.
I’m getting ready to roll them out at work but it’s basically exclusively for the password managers. Having a password manager and every account be unique isn’t helpful if everyone’s going to just use shit passwords for their password manager
I have no idea what a passkey is and I will probably only learn what it is when they become mandatory
I will just use passwords + 2FA for the moment
Here is a demo you can try if you’re so inclined
I see, thanks. It mentions biometrics on that page. Maybe if my next laptop has a fingerprint reader then I should look into passkeys more.
I don’t use the biometric authentication on my laptop and am able to complete the demo on it. Chrome asks me for a PIN that I save and provide when it asks on my laptop. I don’t think biometrics are a requirement for passkeys.
Passkey is essentially a branding of webauthn. Instead of typing some code that changes, you just do something with some sort of device or key manager.
Plug in a yubikey and touch the button to authenticate. Easier.
Coincidence or did you get that email from eBay today, too?
They probably got hacked and we’ll find out about it next year.
The amount of people in this thread that don’t understand passkeys surprises me. This is Lemmy. Aren’t we the technical Linux nerds of the Internet?
You understand that technical people often are the least likely to trust new technology and are often stuck in the mud when it comes to technology? Doubly so if you are anti-corporation. It seems anything that isn’t the Unix way of doing things can be questioned.
There is a good meme about people who love technology vs people who actually work with the stuff. The former using IoT devices to turn their lights on while the latter uses a light switch and has a gun in case the printer starts making weird noises.
Good point, and I love that meme.
The synchronization part is the annoying part. And when you have multiple accounts on one site you can end up with multiple passkeys for it.
brb opening and feature request for passkeys in Lemmy
edit: nevermind
2FA is just dead simple. I contact you, you contact me, handshake achieved. If you call me out of the blue I raise the alarm. If you get a login attempt with a failed handshake you raise the alarm.
Putting it all behind a pop up screen just isn’t trustworthy to the human brain.
TOTP 2FA is less secure than passkeys. 2FA TOTP keys can be phished. Passkey authentication cannot be phished. This is a security improvement which can make people completely immune to phishing attacks. That’s huge. And it doesn’t have any privacy risks, no loss of anonymity. It’s an open standard.
This is, objectively, a rare example of new technology which will make the world better and safer for us.
I get that, the problem is human psychology.
everyone is sick and tired of tech promising to make the world better, only to make everything worse. i totally get the mistrust, the feeling that this is probanly just another trick from big corporations to steal even more of your privacy. i know much better than most people what it’s like. i know you’ve got no real reason to believe me, i’m just a random silly gay furry boy, but, trust me, in this case, we should be adopting this tech. if you’ve got family members or friends who are more vulnerable to phishing scams - often scammers target the elderly - i’d really encourage you to encourage them to set up passkeys. as always, i strongly recommend bitwarden - it can manage passkeys and sync them between devices and it’s totally secure and open source.
much love & solidarity!
Yes, this point exactly, thank you for explaining this.
But I also worry about new areas of weakness with passkeys - anyone accessing the device with the passkey on it, or hacked that device, gets access automatically to the accounts. Also if logins are too fluid I worry that anything out of the ordinary during sign ins won’t be noticed.
yeah that’s totally true, but usually modern devices ensure that the passkeys are protected with a PIN or some biometric security, so I think it’s at least as strong as having a password manager on your device that can be unlocked with a PIN.
not really sure what you mean about “out of the ordinary” logins - it sounds like you’re thinking about phishing risks? but remember - passkeys cannot be phished. they verify the identity of both sides of the authentication token exchange - the server verifies you, and you verify the server. If you only use passkey authentication, you are safe from being phished. the most secure system would be one entirely without passwords/oath totp
SMS 2FA is notoriously compromised by various means.
I’m not debating that.
2FA is great, right up until you’re also the victim of a sim swap attack.
2FA is not SMS. SMS is the least secure, shittiest, and simplest form of 2FA, designed as the bare minimum for the average chucklefuck. Everywhere implemented it hastily because the average idiot still uses the same password for everything. It should be illegal as the only form of 2FA, but our governments are run by criminally corrupt dinosaurs.
Fun story! Back in 2017 I tried to remove SMS 2FA entirely, and switch to a data only mobile service. I use 2FA everywhere it’s available, but was able replace SMS with TOTP everywhere except banks, even on big tech platforms where you could only activate TOTP after adding a mobile number and enabling SMS 2FA (you could then remove the mobile number). I ultimately had to keep the voice service because banks required SMS 2FA, with no alternatives beyond their own custom 2FA apps, that can only be registered by SMS. Almost a decade later I have more SMS 2FA than ever before.
The moral of the story is we live in a clown world capitalist dictatorship.
Text has always been insecure. An authenticator app is better.
Passkey is multifactor: something the user has (key), something the user is (biometric) or knowns (password) to unlock the key. Yes, dead simple.
Yup, I’m not talking about the actual tech. Rather the human perception of it.
Passkeys are phishing resistant, or so they say… but the web app still needs to let you in with password + 2FA… So I’m not sure how much that’s really worth.
I guess if the users are typically never seeing a 2FA prompt then it should be more suspicious when they see one?
Passkeys are a replacement for passwords. Passwords don’t solve the problem of a lost password, and passkeys don’t solve the problem of a lost passkey. How a site deals with lost credentials is up to them. It doesn’t need to be password + 2FA.
Has this energy…
On the contrary i want more services using passkeys instead of 2fa methods that are less secure (sms).
I use passkeys through 1Password and it’s vastly less irritating to me than anything involving passwords, especially 2fa. I really don’t like having to wait for email to arrive or copying down digits from a text message, which seems to be how 2fa typically works 90% of the time.
Passkeys are one exception to the familiar pattern of “we give you more SeCuRiTY so we can spy on you more and control your behaviour better”. They actually are more secure. Problem is, a lot of technical issues with it still, a ton of stuff not working correctly yet
I’m still appalled that my Yubikey / FIDO2 still doesnt work on Firefox. I have it as a passkey for GitHub, realized it doesnt work on Firefox, so they just prompt me for my password. That seems backwards to have password as a fallback, too.
I think that’s a you specific problem. Mine works fine with Firefox, and has for a good long while. Could anything be blocking it?
