this post was submitted on 16 Oct 2024
262 points (86.0% liked)

Technology

59436 readers
3636 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 90 points 1 month ago* (last edited 1 month ago) (4 children)

The problem with passkeys is that they're essentially a halfway house to a password manager, but tied to a specific platform in ways that aren't obvious to a user at all, and liable to easily leave them unable to access of their accounts.

Agreed, in its current state I wouldn‘t teach someone less technically inclined to solely rely on passkeys saved by the default platform if you plan on using different devices, it just leads to trouble.

If you're going to teach someone how to deal with all of this, and all the potential pitfalls that might lock them out of your service, you almost might as well teach them how to use a cross-platform password manager

Using a password manager is still the solution. Pick one where your passkeys can be safed and most of the authors problems are solved.

The only thing that remains is how to log in if you are not on a device you own (and don’t have the password manager). The author mentions it: the QR code approach for cross device sign in. I don’t think it’s cumbersome, i think it’s actually a great and foolproof way to sign in. I have yet to find a website which implements it though (Edit: Might be my specific setup‘s fault).

[–] [email protected] 28 points 1 month ago (1 children)

people will pick the corporate options that are shoved on their faces, not the sensible open source user-respecting ones.

vendor lockin will happen if we adopt passkeys as they are right now.

[–] [email protected] 16 points 1 month ago (5 children)

Bitwarden just announced a consortium with Apple, Google, 1Password, etc to create a secure import/export format for credentials; spurred by the need for passkeys to be portable between password managers (but also works for passwords/other credential types)

load more comments (5 replies)
[–] [email protected] 15 points 1 month ago (1 children)

QR codes are good 50% of the time; when you're trying to log in on a pc.
The reverse case is extremely annoying

[–] [email protected] 9 points 1 month ago (3 children)

Could you elaborate? I am assuming that everbody would have the password manager on their mobile phone with them, which is used to scan the qr code. I think that’s a reasonable assumption.

I agree that if you wanted the pc to act as the authenticator (device that has the passkey) it wouldn’t work with qr codes. But is that a usecase that happens at all for average people? Does anyone login to a mobile device that you don’t own, and you only have your pc nearby and not your own mobile phone?

load more comments (3 replies)
load more comments (2 replies)
[–] [email protected] 47 points 1 month ago (2 children)

Yeah I didn't understand passkeys. I'm like why is my browser asking to store them? What if I'm using another browser? Why is my password manager fighting with my browser on where to store this passkey?

I felt so uneasy.

So I decided not to use passkeys for now until I understood what's going on.

[–] [email protected] 21 points 1 month ago* (last edited 1 month ago) (2 children)

Passkeys are unique cert pairs for each site. The site gets the public key, you keep the private to login under your account. The site never stores your private key.

To store them simply, turn off your browsers password/passkey storage. Store them in your password manager along with other sites passwords.

load more comments (2 replies)
[–] [email protected] 11 points 1 month ago* (last edited 1 month ago) (1 children)

I'm like why is my browser asking to store them? What if I'm using another browser? Why is my password manager fighting with my browser on where to store this passkey?

The answer to all of these questions is “For the exact same reason they do all these same things with passwords”

Think of a passkey as a very, very complex password that is stored on your device (or in a password manager) that you can use to log into websites with without ever having to know what the password is, and it’s never stored on the site you’re logging into, even in a hashed format, so it literally can’t be exposed in a breach.

It’s the exact same technology you use to connect securely to every website you visit, except used in reverse.

load more comments (1 replies)
[–] [email protected] 42 points 1 month ago (2 children)

His "just use email" like that isn't very obviously worse in every respect kind of undermines his whole premise.

[–] [email protected] 20 points 1 month ago (4 children)

His whole premise is undermined by him not doing any research on the topic before deciding to write a blog post. Proton passkeys for instance, are cross platform, and the ability to transfer passkeys between devices is one of the features being worked on by the other providers.

load more comments (4 replies)
[–] [email protected] 9 points 1 month ago

It’s because he has an email company he wants you to use for $100 a year lol

[–] [email protected] 34 points 1 month ago (1 children)

This article is FUD from big password.

[–] [email protected] 18 points 1 month ago (2 children)

If we all had big passwords, this may not have been an issue to begin with lol

load more comments (2 replies)
[–] [email protected] 29 points 1 month ago (13 children)

I have never understood the goal of passkeys. Skipping 2FA seems like a security issue and storing passkeys in my password manager is like storing 2FA keys on it: the whole point is that I should check on 2 devices, and my phone is probably the most secure of them all.

load more comments (13 replies)
[–] [email protected] 27 points 1 month ago (10 children)

There was a related news recently, that bitwarden and other pw managers will be able to sync passkeys between devices. Won't that solve these issues?

[–] [email protected] 32 points 1 month ago (10 children)

My thoughts exactly. I use Bitwarden and passkeys sync flawlessly between my devices. Password managers tied to a a device or ecosystem are stupid and people shouldn’t use them. This is true whether you use passwords or passkeys.

That said, we cannot blame users for bad UX that some platforms and some devs provide.

load more comments (10 replies)
[–] [email protected] 14 points 1 month ago* (last edited 1 month ago)

Not in all situations. And in a way a user will not be aware of. The service or website can define what type of passkey is allowed (based in attestation). You may not be able to acutally use your "movable" keys because someone else decided so. You will not notice this until you actually face such a service. And when that happens, you can be sure that the average user will not understand what ia going on. Not all passkeys are equal, but that fact is hidden from the user.

load more comments (8 replies)
[–] [email protected] 26 points 1 month ago (4 children)

Just. Use. A. Fucking. Password. Manager.

It isn't hard. People act like getting users to remember one password isn't how it's done already anyway. At least TFAing a password manager is way fucking easier than hoping every service they log into with "password123" has it's own TFA. And since nearly every site uses shit TFA like a text or email message, it's even better since they can use a Yubikey very easily instead.

Passkeys are a solution looking for a problem that hasn't been solved already, and doing it badly.

[–] [email protected] 20 points 1 month ago (7 children)

Yes, use a password manager to store your passkeys.

Passkeys are a solution looking for a problem that hasn't been solved already, and doing it badly.

You say that and then

hoping every service they log into with "password123" has it's own TFA. And since nearly every site uses shit TFA like a text or email message

That’s literally a problem passkeys solve and password managers don’t lol

load more comments (7 replies)
[–] [email protected] 9 points 1 month ago (2 children)

You're looking at this from the perspective of an educated end user. You're pretty secure already from some common attack vectors. You're also in the minority. Passkeys are largely about the health of the entire ecosystem. Not only do they protect against credentials being stolen, they also protect against phishing attacks because identity verification is built in. That is of huge value if you're administering a site. Yes if everyone used a password manager there would be less value, but only about a third of users do that. And as an admin you can't just say "well that guy got phished but it's his own fault for not using a password manager."

load more comments (2 replies)
load more comments (2 replies)
[–] [email protected] 25 points 1 month ago (8 children)

Passkeys are also weirdly complex for the end user too, you can't just share passkey between your devices like you can with a password, there's very little to no documentation about what you do if you lose access to the passkeys too.

[–] [email protected] 13 points 1 month ago* (last edited 1 month ago) (1 children)

you can't just share passkey between your devices like you can with a password

Either you enroll a system that shares them between devices without the need for special interaction (password manager, iCloud etc) or you enroll each device separately into your account.

You can have more than one passkey for a service. This is a good thing.

load more comments (1 replies)
[–] [email protected] 12 points 1 month ago (4 children)

I think that passkeys are simple, but no-one explains what they do and don't do in specific terms.

Someone compared it to generating private/public key pairs on each device you set up, which helps me a bit, but I recently set up a passkey on a new laptop when offered and it seemed to replace the option to use my phone as a passkey for the same site (which had worked), and was asking me to scan a QR code with my phone to set it up again.

So I don't know what went on behind the scenes there at all.

load more comments (4 replies)
[–] [email protected] 10 points 1 month ago (2 children)

The only way I ever used passkeys is with bitwarden, and there you are sharing them between all bitwarden clients.

From my very limited experience, pass key allows to login faster and more reliable compared to letting bitwarden enter passwords and 2fa keys into the forms, but I still have the password and 2fa key stored in bitwarden as a backup in case passkey breaks.

To me, hardware tokens or passkeys are not there to replace passwords, but to offer a faster and more convenient login alternative. I do not want to rely on specific hardware (hardware token, mobile phone, etc.), because those can get stolen or lost.

load more comments (2 replies)
load more comments (5 replies)
[–] [email protected] 24 points 1 month ago (9 children)

All the major password managers store passkeys now. I have every passkey I’ve been able to make stored in Bitwarden, and they’re accessible on all my devices.

Article is behind the times, and this dude was wrong to “rip out” passkeys as an option.

[–] [email protected] 12 points 1 month ago (1 children)

That's a typical DHH article, essentially. He has some interesting insights, but everything else is borderline cult-leader opinions, and some people follow it as gospel

load more comments (1 replies)
load more comments (8 replies)
[–] [email protected] 18 points 1 month ago (3 children)

I wish all sites using 2FA would just support hardware keys instead of authenticator apps. It's so much easier to login to a site by just plugging in my hardware key and tapping its button, than going to my authenticator app and typing over some code within a certain time.

It's even sinpler than email 2fa or sms 2fa or vendor app 2fa.

For authenticator app you also can't easily add more devices unless you share the database which is bad for security. For hardware security key you can just add the key as an additional 2fa, if the site allows it.

load more comments (3 replies)
[–] [email protected] 18 points 1 month ago (6 children)

The problem with PassKey is simply that they made it way more complicated.

Anyone who has worked with SSH keys knows how this should work, but instead companies like Google wanted to ensure they had control of the process so they proceeded to make it 50x more complicated and require a network connection. I mean, ok, but I'm not going to do that lmao.

load more comments (6 replies)
[–] [email protected] 17 points 1 month ago (2 children)

Why does anyone still give a fuck what DHH has to say any more?

Rails is a ghetto has been a thing for over a decade, and the man is basically just a tech contrarian at this point.

load more comments (2 replies)
[–] [email protected] 15 points 1 month ago (1 children)

I am very shitty on security (I would not write this reply on a post on the cybersecurity community), and I resisted MFA for several years as being too annoying having to login to mail/SMS. After finding open source apps supporting TOTP, I feel better about it and I manually do the syncing by just transferring the secrets between my devices offline.

Passkeys are another foreign thing that I think I will get used to eventually, but for now there are too many holes in support, too much vendor lock-in (which was my main distaste for MFA, I didn't want MS or Google Authenticator), and cumbersome (when email and SMS were the only options for MFA, difficulty of portability for passkeys).

load more comments (1 replies)
[–] [email protected] 15 points 1 month ago (5 children)

I just wish that companies enabling passkeys would still allow password+MFA. There are several sites that, when you enable passkeys, lock you out of MFA for devices that lack a biometric second factor of authentication. I'd love to use passkeys + biometrics otherwise, since I've often felt that the auth problem would be best solved with asymmetric cryptography.

EDIT: I meant to say "would still allow passkeys+MFA." hooray for sleep deprivation lol.

load more comments (5 replies)
[–] [email protected] 14 points 1 month ago
[–] [email protected] 14 points 1 month ago (13 children)

I'm not gonna lie I still don't understand how passkeys work, or how they're different from 2fa. I'm just entering a PIN and it's ok somehow? I don't get it.

[–] [email protected] 11 points 1 month ago (2 children)

It uses asymmetric cryptography. You sign a login request with the locally stored private key and the service verifies the signature with their stored public key. The PIN on your device is used to unlock access to the private key to sign the login request.

load more comments (2 replies)
[–] [email protected] 9 points 1 month ago

The passkey stored locally in some kind of hardware backed store on your device or in your password manager is the first factor: something you have.

The PIN/password or fingerprint/face to unlock the device and access the stored passkey is the second factor: something you know or something you are, respectively.

Two factors gets you to 2FA.

load more comments (11 replies)
[–] [email protected] 14 points 1 month ago

I disagree with most of those arguments in the article… Additionally, there is nearly no passkey using service that does require you to still have PW and 2FA login active even if you use passkeys

We are right now in the learning/testing phase. It is not a flip and suddenly only passkey work. Transition to passkey only will be a very long time, like it was for 2FA, like, my girlfriend has it on, only at about 2 services, lol.

The main problem I have is, that people without knowledge get grabbed into walled gardens using passkeys. People with knowledge know that you can use alternative apps for passkeys, like proton or strongbox (keepass).

[–] [email protected] 12 points 1 month ago (5 children)

I thought passkeys were supposed to be a hardware device?

This is typical embrace/extend/extinguish behavior from the large platforms that don't want their web-SSO hegemony challenged because it would mean less data collection and less vendor lock-in.

The whole idea of passkeys provided by an online platform should have been ruled out by the specification. It completely defeats the purpose of passkeys which is that the user has everything they need to authenticate themself.

load more comments (5 replies)
[–] [email protected] 11 points 1 month ago* (last edited 1 month ago) (2 children)

Whenever I read an article about security (and read the comments, even here on Lemmy) I'm constantly frustrated and depressed by a couple of things.

  1. Corporations making things shittier with the intention of locking customers in to their stupid proprietary ecosystem. And of course, they are always seeking more data harvesting. Security itself is way down the list of their priories, if it's even there at all.

  2. Users being lazy trend-followers who quickly sacrifice their security on the altar of convenience and whatever shiny new FOMO thing is offered up for "better security".

It's a very bad combination. Doing security right is a bit inconvenient (which users hate) and expensive (which corporations hate).

load more comments (2 replies)
[–] [email protected] 10 points 1 month ago* (last edited 1 month ago)

I do think that we need more standard procedures around what a reset/authorize new device looks like in a passkey world. There's a lot about that process that just seems like it's up to the implementer. But I don't think that invalidates passkeys as a whole, and most people are going to have access to their mobile device for 2 factor no matter where they are.

Incidentally I have no idea who this is or whether his opinion should be lent more weight.

[–] [email protected] 9 points 1 month ago

DHH with a pants-on-head stupid argument just because he hates the big players in tech? Must be a day ending in Y again.

load more comments
view more: next ›