Uhhh… Can someone ELI18 to me the problem with passkeys? I use them wherever available and find them very convenient.
Yeah i can sum it up for you
I have the opposite situation, I bought yubikeys but nobody supports them.
Indeed. Why so many recommend them I have no idea.
Honestly, if you have a password manager that supports security keys then buy two cheap keys (one for backup) like the Thetis FIDO U2F Security Key and use those to secure your password vault. For everything else just use TOTP and Passkeys stored in your vault.
I invested in Yubikeys and yes it was a waste.
I’m getting ready to roll them out at work but it’s basically exclusively for the password managers. Having a password manager and every account be unique isn’t helpful if everyone’s going to just use shit passwords for their password manager
If they have a security key then fuck it, they can use ‘password’ as a password 😀
Has this energy…
You can store passkeys in your password manager lol
Remember when tap-to-pay was new and didn’t work at a lot of places and some people were freaked out over it?
And now most of us use it without a 2nd thought.
I speculate passkeys will be like that.
I’d use it if it didn’t cost extra in my country. Swiping my card really isn’t much harder
Wow that’s madness
sure, you can use a passkey as a primary authentication, but only “a device” or “system”(keypass/1pass etc) knows the passkey detail. with only passkey, if my passkey provider/ device is compromised then everything is lost. having single factor auth seems like a bad idea.
a password is something that I can know, so is still useful as a protection mechanism. having two factor auth should include password and passkey, which seems entirely reasonable whilst also providing an easier path forward for people used to TOTP.
Passkeys are one exception to the familiar pattern of “we give you more SeCuRiTY so we can spy on you more and control your behaviour better”. They actually are more secure. Problem is, a lot of technical issues with it still, a ton of stuff not working correctly yet
I’m still appalled that my Yubikey / FIDO2 still doesnt work on Firefox. I have it as a passkey for GitHub, realized it doesnt work on Firefox, so they just prompt me for my password. That seems backwards to have password as a fallback, too.
I think that’s a you specific problem. Mine works fine with Firefox, and has for a good long while. Could anything be blocking it?
I’m also having problems using passkeys (stored in Bitwarden) with Github in Firefox. It keeps prompting me to touch the security key, which I don’t have, so I plain can’t use a passkey for Github. Works perfectly for Google though
On the contrary i want more services using passkeys instead of 2fa methods that are less secure (sms).
Unless I’ve missed something big, passkeys are pretty easy for me if the website supports them imo.
Using KeePassXC, I click register on the website, register the passkey with KeePass, then it just works when I need to authenticate or login. My database is then synced across all my devices.
Passkey support is yet to come to KeePassDX on Android though, so I’ll be awaiting that feature
For me it’s just inconvenient to have to type my computer’s login, but the fingerprint on the phone is nice
If you live in the USA, don’t use fingerprints or any other biometrics. https://arstechnica.com/tech-policy/2024/04/cops-can-force-suspect-to-unlock-phone-with-thumbprint-us-court-rules/
I’ll use banks as an example
If they cared about your security there would not be a mobile app or website.
Hell, credit cards would still require a signature.
It’s about cost first and foremost and then convenience.
Has nothing about you as a consumer. They don’t give 2 shits about you as a consumer.
I mean you’re right about banks but your examples make no sense.
Banks generally don’t support 2fa, which is bad. Some banks (fidelity) still have character limits on passwords because they stores it in plaintext until recently so you could use it through the telephone system. They could implement a secure tap to pay system on your phones with enhanced security, rather than relying on Google to handle their job. And for credit cards themselves, switch to chip and pin.
“Banks don’t have mobile apps”?? “Signatures are secure”???🤡
How easy is it to fake a signature for a normal person who has not practiced a person’s signature for the intent purpose of faking it? Have you ever tried faking your parents signature to get out of school? I have.
Now the infrastructure required to adequately check signatures is not practical hence it doesn’t exist. It’s why we moved to pins. Pins are small and 2fa doesn’t exist for banks because again it’s about the bare minimum and they are out to make money and don’t care about customers plus there’s government safeguards in place specific to banking.
I will continue to argue that going back in time signatures are infinitely more secure than a 4 digit pin let alone tap but we have traded security for convenience.
Anyways full admit that I’m batshit crazy.
Have you ever tried faking your parents signature to get out of school? I have
Yeah. I’ve been able to do it since I was 10. It’s really easy. I can also fake my husband’s and siblings’. It’s also a pain in the ass to change your signature. So if someone learns to copy it (like say based on the signature that was literally required to be on the card), it’s much hard to change it compared to a pin (which should definitely not be written on the card).
Do you think signatures were at all secure? If they cared about security they’d do chip+pin like most civilized countries.
With proper infrastructure yes signatures are extremely secure. But that proper infrastructure doesn’t exist.
I struggle to think of what that extremely secure infrastructure would look like. Are you imagining signing on an electric terminal and having a computer compare signatures at the time of sale? That seems like the most secure and still wildly insecure compared to a pin.
ITT: people who think only SMS, email and TOTP exist as 2FA.
And people who think only your phone can be used as passkey.
When those are the only options given by some services, yeh it kinda is. I’d love to be able to just use my flipper as a u2f for everything, but unfortunately most websites are all “no” and you have to use a chrome browser instead of Librewolf even when you could use a yubikey, so fine I guess text me, oh whoops I changed my number and I’m now locked out of my acct, cool.
Passkey is “something you own” right?
I have something I own, it’s a Yubikey
And how many sites support Yubikeys/Security Keys? Not many. I doubt we’ll see more either now with Passkeys becoming more prominent.
I have two Yubikeys and other than securing my password manager vault they are rarely used elsewhere.
I thought passkeys had to be behind biometrics, so “own” + “are”?
I don’t think that’s true.
You can store them in keepassxc which can be accessed with a password.
I think it’s “have” + “know” or “are”.
So you have the device with the passkey, and know the unlock pin or are the person with the biometrics.
How i interpretted it is that the biometrics provide access to the tpm which is like a built in yubikey you “own”.
My primary and backup yubikeys: “Am I a joke to you?”
Of course, yubikeys implement passkey… Passkey is the new buzzword after lackluster success with the words used, webauthn…
25 passkey limit on my Yubikey. I have to buy a new one, with the exact same hardware, just to get the latest firmware that allows 100 passkeys. No thanks.
and thank god for that, i’d been saying for years, webauthn is great tech which will never be adopted by normal people, because it had an awful name. luckily we were able to just call OATH TOTP “two factor authentication” or that would have been totally DOA too. I got big hopes for passkeys!
There’s been a lot of pain in the attempt to portray it as “Just click the passkey button, and that’s it! Your login is secured for life!”
No - Buddy. It is secured for this one specific device that I have biometric authentication for. What about my computer? What about my other computer that isn’t on the same operating system? I have a password manager that stores these things, why didn’t you save to that when I registered? Why is it trying to take this shit from my Apple Keychain when it’s in Bitwarden?
And, the next ultra-big step: How would a non-techie figure this shit out?
And, the next ultra-big step: How would a non-techie figure this shit out?
They don’t have a computer, another computer with a different OS, or bitwarden.
And, the next ultra-big step: How would a non-techie figure this shit out?
They wouldn’t, because the people calling the shots in the tech world create UX with a focus on it sucking for everyone
For some people it is that easy.
When it is saved to a cross-platform password manager, it is secured on all devices that password manager runs on including your computer on other operating systems. You can also choose other in the OS prompt & redirect to a device with your passkey or use a hardware security key (I don’t). If your preferred password manager isn’t the primary one on all your devices, then fix that or use the other option mentioned before.
How would a non-techie figure this shit out?
The same way they figure out passwords & multifactor. Their pain isn’t ours for those who’ve figured this out & have a smooth experience.
I mentioned Bitwarden in my comment, and my frustration specifically comes from occasions that I had Account X ready in Bitwarden, started up an app that relied on Account X, but loaded an HTML login page that had no discernable controls to use that Bitwarden passkey; expecting entirely for it to exist in my Apple keychain, which I never use.
I think it’s very easy to claim this specific app / account was not implementing passkeys well. But if that’s the case, how can I guarantee any other accounts I move over won’t fuck it up somewhere? I haven’t seen anyone get the concept of passwords wrong, and even if they don’t understand how managers work, I have control of the copy-paste function and can even type a password myself if needed.
loaded an HTML login page that had no discernable controls to use that Bitwarden passkey; expecting entirely for it to exist in my Apple keychain, which I never use
I use Bitwarden, yet not macOS/iOS. Whenever a passkey dialog from the wrong authenticator comes up, I choose option other to redirect to a device running Bitwarden: I see macOS & iOS offer similar controls. However, Bitwarden’s passkey dialog (section with links to configuring that) usually pops up, so that isn’t necessary.
But if that’s the case, how can I guarantee any other accounts I move over won’t fuck it up somewhere?
Save a recovery code in Bitwarden (add field type hidden named Recovery code to the login entry)? That’s standard practice for me, though I’ve never needed them.
I haven’t seen anyone get the concept of passwords wrong
I have control of the copy-paste function and can even type a password myself if needed
I’ve seen forms disable paste. Much can go wrong with passwords. Passwords require sharing & transmitting a secret (a symmetric key), which either party can fail to secure. Passkeys, however, never transmit secrets. Instead, they transmit challenges using asymmetric cryptography. The application can’t fail to secure a secret it never has. Far more secure, and less to go wrong.
The password field is a more manual, error prone user interface. With passkeys/WebAuthn, you instead supply a key that isn’t transmitted: easier than passwords when setup correctly, & nothing to do until it’s setup correctly.
Similar situation with ssh: though it can accept passwords, ssh key authentication is way nicer & more secure.
I use both Bitwarden and Apple’s native Passwords.app and just save a passkey for each app. Usually you can name the passkey on the website/in the app as well.
This is also the system I use when saving 2FA TOTP codes as well so I guess I’m used to it, but it makes good sense to me to have reduncancy in my password apps. Also I lock up *the apps themselves* with passkeys in the respective app for ease of use.
:mastozany:This was roughly the state of affairs before but the state of things have relented where software password managers are now allowed to serve the purpose.
So if a hardened security guy wants to only use his dedicated hardware token with registering backups, that’s possible.
If a layman wants to use Google password manager to just take care of it, that’s fine too.
Also much in between, using a phone instead of a yubikey like, using an offline password manager, etc.
I have my passkeys saved in 1password. (With a yubikey as backup for important things).
No - Buddy. It is secured for this one specific device that I have biometric authentication for. What about my computer? What about my other computer that isn’t on the same operating system?
Then use a Yubikey.
I tried a yubikey but most websites want you to use the pin for that which requires windows hello, and if you reset windows you lose that.
OnlyKey seems to be a better choice than Yubikey, from what I can see. The only reason I haven’t switched is that I have a few accounts that I share with my partner, and I want to be sure that I can have two different keys work for the same account.
I just looked over their site and other than a physical pin, it looked basically the same to me. Can you tell me what seems to be better? Only issue I’ve ever had with Yubikey was NFC use to log into Bitwarden, but I think it was user error.
Bitches don’t know bout my awesome passkeys. It’s like ssh key authentication for web apps. Just save the passkeys to my password manager & presto: use same keys on all my devices.
It replaces opening a TOTP app to copy a token with a click to select the passkey in a prompt from my password manager.
Ancient meme
