Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
if it undermines or circumvents my fifth amendment right not to testify against myself, then I’m not interested in ending the use of passwords.
You can set a pin on most passkey devices so that it doesn’t serve the authentication without it.
hot take: end users will be more likely to adopt security keys (or device attested passkey which = security key). Physical security, out-of-bounds cryptography to defeat AitM attacks (fake landing pages where six digit codes are stolen and silently used in perpetuity by the bad actor)
source: my job is to try to get end users to put strong MFA on all the things.
Tried Passkey in the past. I had many problems, especially could not understand why they must use my google account. Now my google account is gone, don’t gonna go that rabbit hole again, i am happy with my Bitwarden and Aegis.
Bitwarden does support access to access keys in (for example) firefox.
I have not tested outside of browser (firefox). So it may depend on if you use chrome or some other app.Edit: Just got a suggestion inside the Amazon app (Android. Yes, I hate Amazon as well but I got a gift card and I hate it even more to give them a free of charge credit) to add a passkey. So it seems to work (semi-)reliable outside of a browser.
You can now use thirds parties APIs for Passkey. I use ProtonPass on my part, it works great most of the time, but there are still some apps that have Google provider hard-coded.
seems like too much messing around to make it a widespread solution.
Acrually not really.
I do use it with my password manager.
Very convenient.BUT, it’s not hardware based so more suscepticle to attacks.
i see. gotta try it out for myself
Just don’t take away passwords + TOTP 2FA for those of us who are actually using it correctly.
While the lock-in issue is annoying and a good reason not to adopt these, the device failure issue is a tech killer. Especially when I can use a password manager. This means I can remember two passwords (email and password manager), make them secure, and then always recover all my accounts.
Passkeys are a technology that were surpassed 10 years before their introduction and I believe the only reason they are being pushed is because security people think they are cool and tech companies would be delighted to lock you into their system.
Cops also love them because they make getting access to your entire phone including all accounts simple as cake if you use fingerprint/faceID to unlock your device.
its being pushed because corporations want to control your passwords with lock-in.
no way i’m using that garbage over my own manager with recallable plaintext passwords.
You can transfer passkeys between platforms? This is a non-issue
Passkeys are a technology that were surpassed 10 years before their introduction
Question is by what? I could see an argument that it is an overcomplication of some ill-defined application of x509 certificates or ssh user keys, but roughly they all are comparable fundamental technologies.
The biggest gripe to me is that they are too fussy about when they are allowed and how they are stored rather than leaving it up to the user. You want to use a passkey to a site that you manually trusted? Tough, not allowed. You want to use against an IP address, even if that IP address has a valid certificate? Tough, not allowed.
They were surpassed by password managers and 2fa.
Technically they are the 2fa. The second factor is something you have. I store all my passkeys in my password manager too, so I’m not faulting you, but technically that’s just undoing the second factor, because now my two factors are “two things that are both unlocked by the same one thing I know”. Which is one complicated factor spread across two form fields.
Password managers are a workaround, and broadly speaking the general system is still weak because password managers have relatively low adoption and plenty of people are walking around with poorly managed credentials. Also doesn’t do anything to mitigate a phishing attack, should the user get fooled they will leak a password they care about.
2FA is broad, but I’m wagering you specifically mean TOTP, numbers that change based on a shared secret. Problems there are: -Transcribing the code is a pain -Password managers mitigate that, but the most commonly ‘default’ password managers (e.g. built into the browser) do nothing for them -Still susceptible to phishing, albeit on a shorter time scale
Pub/priv key based tech is the right approach, but passkey does wrap it up with some obnoxious stuff.
password managers have relatively low adoption and plenty of people are walking around with poorly managed credentials
All of the modern browsers have built in password managers so I doubt that very much.
Are they as secure as your self-hosted bit warden that is not accessible via the Internet? No.
But it does still keep track of your usernames and even alerts you if you have a breach.
Ok, I’ll concede that Chrome makes Google a relatively more popular password manager than I considered, and it tries to steer users toward generated passwords that are credible. Further by being browser integrated, it mitigates some phishing by declining to autofill with the DNS or TLS situation is inconsistent. However I definitely see people discard the suggestions and choose a word and think ‘leet-speak’ makes it hard (“I could never remember that, I need to pick something I remember”). Using it for passwords still means the weak point is human behavior (in selecting the password, in opting not to reuse the password, and in terms of divulging it to phishing attempt).
If you ascribe to Google password manager being a good solution, it also handles passkeys. That removes the ‘human can divulge the fundamental secret that can be reused’ while taking full advantage of the password manager convenience.
I use them with bitwarden and a self hosted vaultwarden. If my phone breaks, no issue. If my server breaks, I got local backups… Keys are stored encrypted in a postgres database for which I have access, if I need to restore it. No lock-in issue or risk of loosing access when one or two devices break.
That sounds great, but also isn’t a solution for most people.
Even if you are really careful, your details can always be leaked from a company server during a breach. If the companies adopt passkeys, that issue isn’t there. Because there isn’t a password anyone can randomly use. That’s why I feel big tech companies are moving towards it.
Yes, you have to trust the company storing the passwords.
A good company can store passwords in ways that are secure to most hacking attempts. It isn’t impossible to break the encryption typically used, but it is difficult enough that most thieves will not have the resources or time to make use of the data. They want the low effort password databases, not the difficult and expensive ones.
Better title:
Passkeys: still trying to explain why it’s worth the hassle when it isn’t
There’s a hassle?
Every time I was prompted to use one by plugging my phone in to my computer nothing happened. That was a little over a year ago.
It’s been a very seamless experience with Bitwarden. Pretty much “click passkey, now logged in”.
I mean when I was trying to set one up. I wasn’t ever prompted to use a password manager. It just said to plug my phone into my computer. I did. And it didn’t detect anything. With user experience in setup that poor I don’t trust them yet.
What are using lol? I have never been asked to plug in my phone to a computer. I have use Bitwarden and KeepassXC and also used my phone to scan the QR in chromium browsers for passkeys and it just worked in all the browsers flawlessly (even ungoogled chromium). I just want Linux Distros to allow setup a default password manager for the user and implement passkeys auth mechanism for the apps installed in the device.
I don’t know what to tell you. Multiple sites and services asked if I wanted to set up a passkey, every time I got prompted to plug my phone in via USB, and nothing happened when I did. At no point in the process did it give me a QR code or ask me if I wanted to set one up through a password manager instead of a phone. I didn’t do anything special or incorrect. I followed the normal prompts they gave me.
A better, well defined API for password managers to insert login information to the site compared to text boxes.
The promise of passkeys when i first grad about them was that it would be quick and easy - that you wouldn’t need to enter a username or use 2fa. The reality appears to be that this is that it’s used ** as** 2fa
Personally, I found that It works well with Microsoft, Paypal, Google, Shopify and Proton. I was really surprised to find the option on German government sites, worked there as well. Tested in Ungoogled Chromium and Librewolf. The only thing I find dissappointing is adoption
Most of the sites I’ve seen use it as the single auth source. That said, using multiple forms of authentication in a layered model only improves security.
The biggest disadvantage:
Disadvantages of Passkeys
Ecosystem Lock-In – Passkey pairs are synced through each vendor’s respective clouds via end-to-end encryption to facilitate seamless access multiple devices.
More eggs in the American megacorp basket for more people, yay
Currently I use a FOSS (I think?) password manager, BitWarden, that supports passkeys. I use it across Mac, Windows and Android so I’m while my passkeys are locked yo the password manager, I am not locked to any of the aforementioned megacorps.
I use BitWarden too. OS , device and browser agnostic is a win
But I imagine the vast amount of people will use whatever their platform is pushing, so Apple Google or Microsoft. And in 5 years time “3rd party passkeys” are not “secure enough” and blocked by the OS. (Ok that’s a bit tinfoil hat, but Google’s recent Android app developer verification scheme is fresh in mind)
That’s not the biggest disadvantage “if used properly.” Any account you have should get a passkey on every device you own. Each device has it’s own passkey system. If you have an iPhone, yeah, you get an apple passkey, but then if you have a windows laptop, you have a microsoft passkey, a FLOSS system will have it’s own, and so on. You are already on whatever system would contain the passkey and can easily add different ones each time you get a new device.
The biggest issue is that most people use a small number of devices (including many who use 1). Passkeys work best if you have many devices, so if you lose one, you just use another to access your services. If you have 1, you need to use recovery codes (and people don’t save them).
A key for each service for each device is too impractical in real life.
Getting a new device would mean logging in to hundreds of services to link up the new device. Or somehow keep track of which services have keys with which devices. And signing up to a new service would mean having to remember to generate keys for a a handfull of devices, some of which might not be available at the time (like a desktop computer at home when you are out). Or you risk getting logged out if you loose the one device that had a key for that particular service.
I agree passkeys can make sense with something like BitWarden or KeyPassX. Something that is FOSS, and is OS and device agnostic, and let’s you sync keys across devices. And should have independent backups too. Sync is not backup.
Your password hashes (assuming they even hash them) already live on their servers…
Cool, they know the hash to that one service I signed up with them. Not every account ever.
Your passkeys aren’t synced to anything, so the passkey is no different than your password hash. They’re device locked unless you use something like bitwarden, so you’re no more dependent on American mega corps than you are right this second.I’m wrong.
Dont they all sync to the respective cloud services?
iOS vault -> synced apple cloud Android vault -> synced with Google cloud?
Windows Hello -> synced with Microsoft account?And if they’re not synced, that’s even worse. Loose your device and loose your account. Or keep track of which of your 5 devices are have keys for which of your 150 accounts
Well shit, you’re right. I must not have been paying attention when they updated them to include that
Say you don’t understand passkeys without saying you don’t understand them…
A passkey uses public key cryptography to secure your account instead of a password, it only grants you access to the one account you set it up for, and the account provider only holds your public key, you control the private key. Your passkey is a secure alternative to passwords because you CANNOT reuse it across services, cannot reasonably remember it, and the method of using it isn’t by copying and pasting into a field like a password, so it isn’t susceptible to the same attacks.
If the provider loses your public key, they can’t give you a challenge to verify you have the private key, so you lose access. Just like if they lose your password hash. It’s an identical scenario.
Everything you said is correct, but you misunderstood my point. I was referring to the fact that Google/Apple/whatever would hold your private key. In practical terms, it is barely different from the existing “Sign in with Google/Apple/whatever”.
The assumption is that the native passkey manager on the device (iPhone, android, windows) would sync the passkeys (to Apple , Google, Microsoft) for protection against device failure and easy of use across devices. Or you risk loosing your accounts if you loose your device.
That would happen if you store your passwords there too…
If you’re proactive enough with your passwords to manually store them in your own vault, you can be proactive enough to not use the corporate vaults that don’t allow exporting. This isn’t a “downside” of passkeys, it’s a downside of using the built in managers.
I’ve been resisting using them and decided to set one on my rarely-used and unimportant Piefed account to try it out.
Saved to Bitwarden fine on my desktop browser. When I try to log in with a browser on my phone, it asks for my username and does nothing more after that dialog closes. While I’m not sure if this is a problem with Piefed, Bitwarden, or Firefox, I’m now disinclined to try it with anything important, especially if that thing might then discourage me from logging in with a password.
I recognize the theoretical advantages, but passkeys don’t do much to solve problems I actually have. All my passwords look like
#vVukh9c$3Kw4Cs8NP9xgazEuJ3JWEand are unique. Bitwarden won’t autofill the wrong domain. I don’t enter credentials in links from emails I didn’t trigger myself immediately before. I haven’t checked whether I can reliably backup and restore them in my Bitwarden vault.I self host vaultwarden, and use bitwarden clients everywhere. Passkeys are stored there
Passkeys to me, are a better way to insert login information. Some developers don’t think of passwords getting automatically filled in, so this autofill sometimes breaks. Passkeys might be a improved interface to integrate password managers. Also, sometimes 2FA keys from my bitwarden client gets copied into the clipboard, which sometimes overwrites the stuff I wanted to preserve in there. This does not happen with passkeys.
I’ve been mostly too lazy to look into how to use passkeys. If my normal flow is using 1password for 2fa (on mobile and on the computer), is there a way I can still use that with passkeys? It says they’re supported but I’m not sure how that’d work, because aren’t they device specific?
I just don’t want me losing access to my phone for whatever reason mean that I lose access to my accounts.
I use Bitwarden and it syncs it all up between devices.
The biggest annoyance is disabling Firefox’s popovers that tend to cover the Bitwarden popovers.
Ok I see a lot if discussion on this topic but no one seems to have mentioned the main feature of the spec that makes them phishing resistant: presence detection. This is what makes FIDO resistant to credential replay. The spec is not perfect but it prevents most common phishing attacks.
Nope.
Okay, so long as a passkey is something I can memorise. Otherwise, it’s significantly worse than a regular password (assuming you use good passwords and don’t reuse passwords etc).
It seems like they want to tie it to a physical computer (like the one in your pocket), which sucks big time. What happens if I don’t have access to that computer at all times, or it breaks, or is lost?
I’m planning on getting rid of my smartphone for something that just does calls and texts for example, because I’m sick of how unhealthily reliant I, and everyone, have become on this thing, and I want to be more connected to the real world. What then?
My brain is the best place to store passkeys, it can’t be hacked, stolen, lost, etc, unlike every other option. It’s easily capable of storing lots of randomised unique passwords for each service (surely I’m not the only one that can do this?). It’s the clear winner.
How many good passwords can you memorize? I can maintain 2-3 in my head long term, especially if only used rarely, and you can be phished if you are typing it in. Not tenable for online accounts. The only real comparison with security parity is a password manager + 2fa generated on-device, compared with passkeys. In both cases, you have “strong” password, no re-use, resiliency to fishing, and requires both “something you know and something you have.” I think a password manager is slightly more usable, but I’m not convinced either is a “good” experience yet.
security parity is a password manager + 2fa generated on-device
This experience works perfectly for me. I have no need of whatever junk the latest consortium of megacorps has come up with.
🤷♂️
You just need to memorise the PIN at max. If your device has biometric recognition you could even use your face scan or fingerprint so even remembering a PIN is not needed in that case.
You missed some disadvantages. For example the UX and complexity are terrible.
