I wish FIDO had paid more attention to SQRL. It's long in the tooth now, but with some attention it could have been a better solution than passkeys, IMO.
this post was submitted on 16 Oct 2024
174 points (86.9% liked)
Technology
58698 readers
5013 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
Passkeys are also weirdly complex for the end user too, you can't just share passkey between your devices like you can with a password, there's very little to no documentation about what you do if you lose access to the passkeys too.
you can't just share passkey between your devices like you can with a password
Either you enroll a system that shares them between devices without the need for special interaction (password manager, iCloud etc) or you enroll each device separately into your account.
You can have more than one passkey for a service. This is a good thing.
you can’t just share passkey between your devices like you can with a password
You would just sign into your password manager or browser on both devices and have access to them?
Additionally, whatever app or service you're storing them in can provide sharing features, like how Apple allows you to share them with groups or via AirDrop.
there’s very little to no documentation about what you do if you lose access to the passkeys too.
If you lose your password, there are recovery options available on almost all accounts. Nothing about passkeys means the normal account recovery processes no longer apply.
You would just sign into your password manager or browser on both devices and have access to them?
Does it work like that? Everything I see says they're tied to that device.
If you lose your password, there are recovery options available on almost all accounts.
Fair, I guess I've never lost a password because it's just a text string in my PW manager, not some auth process that can fail if things don't work just right.
Does it work like that? Everything I see says they’re tied to that device.
It depends on what kind you want to use. If you want the most security, you can store them on something like a Yubikey, with it only being on that device and not exportable. If you get a new device, you'll need to add that new device to your accounts. For less security but more convenience, you can have them stored in a password manager that can be synced to some service (self-hosted or in the cloud) or has a database file that can be copied.
Fair, I guess I’ve never lost a password because it’s just a text string in my PW manager, not some auth process that can fail if things don’t work just right.
That's fair. It can be a bit of a mess with different browser, OS, and password manager support and their interactions but it has continued to get better as there is more adoption and development.
I'm not gonna lie I still don't understand how passkeys work, or how they're different from 2fa. I'm just entering a PIN and it's ok somehow? I don't get it.
It uses asymmetric cryptography. You sign a login request with the locally stored private key and the service verifies the signature with their stored public key. The PIN on your device is used to unlock access to the private key to sign the login request.
So isn't the pin now the weakest link and shorter than a password
Typically in most situations where a PIN is used on a modern device, it is not just the number you enter but some kind of hardware backing that is limited to the local device and also does things like rate limiting attempts.
The passkey stored locally in some kind of hardware backed store on your device or in your password manager is the first factor: something you have.
The PIN/password or fingerprint/face to unlock the device and access the stored passkey is the second factor: something you know or something you are, respectively.
Two factors gets you to 2FA.
If you've ever used ssh it's very similar to how ssh keys work. You create a cryptographic key for the site; this is the passkey itself. When you go to "log in" the client and server exchange cryptographic challenges, which also verifies the site's identity (so you can't be phished...another site can't pretend to be your bank, and there are no credentials to steal anyway). Keys are stored locally and are generally access restricted by various methods like PIN, passphrase, security key, OTP, etc. When you're entering your PIN it's how the OS has chosen to secure the key storage. But you've also already passed one of the security hurdles just by having access to that phone/computer. It is "something you have".
So one password to access them all basically?
That's quite a weakness.
It''s really up to the end device (and the user of said device) to decide how much security to put around the local keys. But importantly, it also requires access to the device the passkeys are stored on which is a second factor. And notably many of the implementations of it require biometrics to unlock.
The "one password" thing is also true of password managers, of course. One thing about having one master passphrase is that if you do not have to remember 50 of them, then you can make that passphrase better then you otherwise might, plus it should be unique, which prevents one of the most common attack vectors.
So one password to access them all basically?
That's essentially how all password managers work currently though?
True, I hoped for something better :-/
If it makes you feel better, most PINs on modern devices are hardware backed in some way (TPM, secure enclave, etc) and do things like rate limiting. They'll lock out using a PIN if it's entered incorrectly too many times.
If you get my master keepass password, you have all my passwords, too.
As I said to Spotlight7573 yes true, I just hoped for something better.
If you're paranoid about this, go buy a yubikey and use that to secure your device/access to your passkeys. Being able to secure your own data instead of relying on the admin who may or may not know what they're doing to secure the server is an advantage of passkeys.
Why does anyone still give a fuck what DHH has to say any more?
Rails is a ghetto has been a thing for over a decade, and the man is basically just a tech contrarian at this point.
Whatever way the world is moving, expect DHH to have a different opinion about it.
Random email auth is some thought leadering for sure.
Passkeys aren't a full replacement in my opinion, which is what DHH gets wrong. It's a secure, user-friendly alternative to password+MFA. If the device doesn't have a passkey set up you revert to password+MFA.
And the fewer times that people are entering their password or email/SMS-based 2FA codes because they're using passkeys, the less of an opportunity there is to be phished, even if the older authentication methods are still usable on the account.
DHH with a pants-on-head stupid argument just because he hates the big players in tech? Must be a day ending in Y again.
I disagree with most of those arguments in the article… Additionally, there is nearly no passkey using service that does require you to still have PW and 2FA login active even if you use passkeys
We are right now in the learning/testing phase. It is not a flip and suddenly only passkey work. Transition to passkey only will be a very long time, like it was for 2FA, like, my girlfriend has it on, only at about 2 services, lol.
The main problem I have is, that people without knowledge get grabbed into walled gardens using passkeys. People with knowledge know that you can use alternative apps for passkeys, like proton or strongbox (keepass).
Just. Use. A. Fucking. Password. Manager.
It isn't hard. People act like getting users to remember one password isn't how it's done already anyway. At least TFAing a password manager is way fucking easier than hoping every service they log into with "password123" has it's own TFA. And since nearly every site uses shit TFA like a text or email message, it's even better since they can use a Yubikey very easily instead.
Passkeys are a solution looking for a problem that hasn't been solved already, and doing it badly.
Yes, use a password manager to store your passkeys.
Passkeys are a solution looking for a problem that hasn't been solved already, and doing it badly.
You say that and then
hoping every service they log into with "password123" has it's own TFA. And since nearly every site uses shit TFA like a text or email message
That’s literally a problem passkeys solve and password managers don’t lol
load more comments
(4 replies)
load more comments
(4 replies)
view more: next ›