GitHub auth (lemmy.world)
submitted 4 days ago by [email protected] to c/[email protected]
[-] [email protected] 14 points 2 days ago

I don't know anything about passkeys but if Microsoft is pushing for them I am immediately suspicious. I am admittedly paranoid but if you have been an adult using a computer over the past ~15 years and aren't paranoid you haven't been paying enough attention

[-] [email protected] 2 points 2 days ago

If by "passkey" they mean an HSM I'm okay with it

I'd still rather have TOTP as my 2nd factor so I don't have to plug shit in

[-] [email protected] 2 points 1 day ago

TOTP is the superior option, IMO, but I'm no expert on security so maybe they're insecure? It sure seems like some folks would rather do anything but time-based one-times.

hardware keys are a pain in the neck, just one more thing to be lost.

[-] [email protected] 2 points 2 days ago

I've plugged my phone in so many times and it doesn't detect shit. I'd rather stick with totp/email.

[-] [email protected] 135 points 4 days ago

I kinda hate the push towards passkeys. If you have two-factor auth, going to passkeys makes you go back to 1 factor, aka less secure.

There are also more and more 2FA fatigue attacks going on, and they can affect passkeys too, and if you don't have a 2FA that involves the user writing a code on the 2FA device, passkeys could quite possibly be worse than passwords

[-] [email protected] 7 points 2 days ago

Also, what happens if your device with the passkey fails?

Like the drive craps out?

[-] [email protected] 4 points 2 days ago

You are supposed to have two redundant ones. Hooked up to every service. One leaves the house with you, the other stays in a safe, and you rotate them periodically

and nobody is gonna fucking do that lol

Mine are USB-A and USB-C so no two computers can use both. One of them randomly quit working (something in the OS dropped support for it maybe?) but then I think started working again?

At an old job I had a lot of control over my own infra and I used my HSM to log in to my forge. I haven't used it daily in years now.

[-] [email protected] 1 points 2 days ago

Similar problem with 2FA though

[-] [email protected] 72 points 3 days ago

I think this post is about git CLI, not www.github.com.

SSH keys are very secure and you can still encrypt them with a password if you wish.

[-] [email protected] 46 points 3 days ago

encrypt them with a password if you wish.

SSH keys without passphrases are just fancy credential files sitting in your .ssh/ directory, basically like writing your passwords on paper and leaving it in your desk drawer.

[-] [email protected] 9 points 2 days ago

but they require chmod 400 and they're ideally on an encrypted disk

So the desk drawer is locked and the codes are LUKS encrypted.

And for critical stuff, you should also have a password on the key.

If your ssh keys are like passwords on paper in a drawer, you're doing it wrong.

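A quick audit of the two points the comment above makes (file mode and passphrase), as an added example that is not code from the thread. It assumes OpenSSH's `ssh-keygen` is on PATH for the passphrase probe; the mode check needs only `ls`. Directory and file names are whatever you pass in, defaulting to `~/.ssh`.

```shell
# Audit private keys for owner-only file mode and for a passphrase.
# Added example, not posted by anyone in the thread.

# 0 if no group/other permission bits are set (e.g. 0400 or 0600), else 1.
# Uses the mode string from `ls -ld`, so it works without GNU stat.
key_mode_private() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Probe whether the key loads with an empty passphrase.
#   0 = loads with no passphrase (unencrypted key)
#   1 = ssh-keygen refuses it with an empty passphrase (needs a passphrase,
#       or the file is not a parseable key)
#   2 = cannot tell (no ssh-keygen on PATH, or file unreadable)
# `-P ''` supplies the empty passphrase explicitly, so nothing prompts.
key_unencrypted() {
    command -v ssh-keygen >/dev/null 2>&1 || return 2
    [ -r "$1" ] || return 2
    if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Print one report line per private key found in a directory (default ~/.ssh).
# Public keys (*.pub) and files without a PEM private-key header are skipped.
audit_ssh_keys() {
    dir=${1:-$HOME/.ssh}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac
        grep -q 'PRIVATE KEY-----' "$f" 2>/dev/null || continue
        if key_mode_private "$f"; then mode=ok; else mode=TOO_OPEN; fi
        key_unencrypted "$f"
        case $? in
            0) pass=NO_PASSPHRASE ;;
            1) pass=needs_passphrase ;;
            *) pass=unknown ;;
        esac
        printf '%s mode=%s passphrase=%s\n' "$f" "$mode" "$pass"
    done
}
```

Run `audit_ssh_keys` after sourcing the file; any line showing `mode=TOO_OPEN` or `passphrase=NO_PASSPHRASE` is a key that matches the "password on paper in a drawer" description. `ssh-keygen -p -f <key>` adds a passphrase to an existing key in place.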
[-] [email protected] 15 points 3 days ago

Yeah, but who wants to type in a password every time they push/pull?

[-] [email protected] 41 points 3 days ago

Take a look at ssh-agent. It's bundled with ssh-client and designed to solve this problem.

The quick usage is, create a terminal and run:

eval "$(ssh-agent -s)"
ssh-add /path/to/your/encrypted/key1
# type in password
ssh-add /path/to/your/encrypted/key2
...

# all commands in this terminal will use the keys above w/o asking you for a password
git clone [email protected]...
git push...
etc

So, basically you type your credentials once during the life cycle of your terminal.

If you really want to go full power-user, simply run ssh-agent (without the eval) and you'll see it just sets some env-vars, which can be imported into any terminal/shell you have open.

So, if you put some logic in your shell's rc file, you can effectively share a single ssh-agent between all your shells, meaning you just need to type your password for your keys once when you log into your system... and you're now password-less for any future terminals you create (this is my setup).

Also, if you're interested take a peek at the man pages for ssh-agent. It has a few interesting features (i.e. adding a password lock for your agent, removing keys from the agent, etc).

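The rc-file logic the comment above describes (one agent per login, shared by every shell), as an added example that is not code from the thread. It assumes the agent's connection details are cached in `~/.ssh/agent.env` (override with `SSH_AGENT_ENV`); the function names are my own. Source the file from `~/.bashrc` or `~/.zshrc` and call `ensure_ssh_agent` at the end.

```shell
# Keep one ssh-agent per login session and attach every new shell to it.
# Added example, not posted by anyone in the thread.
# Assumption: agent details are cached in ~/.ssh/agent.env.

SSH_AGENT_ENV="${SSH_AGENT_ENV:-$HOME/.ssh/agent.env}"

# `ssh-add -l` exits 0 (keys loaded), 1 (agent reachable but empty) or
# 2 (cannot contact agent). Only 2 means the cached agent is gone.
agent_usable() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    ssh-add -l >/dev/null 2>&1
    case $? in
        0|1) return 0 ;;
        *)   return 1 ;;
    esac
}

# Read SSH_AUTH_SOCK and SSH_AGENT_PID from a saved `ssh-agent -s` transcript.
# The file is parsed, not eval'd, so a tampered or truncated cache cannot run
# arbitrary commands in every shell you open.
load_agent_env() {
    env_file=$1
    [ -r "$env_file" ] || return 1
    sock=$(sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$env_file" | head -n 1)
    pid=$(sed -n 's/^SSH_AGENT_PID=\([0-9]*\);.*/\1/p' "$env_file" | head -n 1)
    [ -n "$sock" ] && [ -n "$pid" ] || return 1
    SSH_AUTH_SOCK=$sock; export SSH_AUTH_SOCK
    SSH_AGENT_PID=$pid;  export SSH_AGENT_PID
}

# Attach to the cached agent if it still answers; otherwise start a fresh one,
# write its details with owner-only permissions, and attach to that.
ensure_ssh_agent() {
    if load_agent_env "$SSH_AGENT_ENV" && agent_usable; then
        return 0
    fi
    command -v ssh-agent >/dev/null 2>&1 || return 1
    ( umask 077 && mkdir -p "$(dirname "$SSH_AGENT_ENV")" \
        && ssh-agent -s > "$SSH_AGENT_ENV" ) || return 1
    load_agent_env "$SSH_AGENT_ENV" && agent_usable
}
```

After the first login run `ssh-add ~/.ssh/<key>` once; every later shell that sources this file finds the same agent and never asks again. `ssh-add -x` locks the agent with a password and `ssh-add -D` drops all loaded keys, which are the two features the comment points at in the man page.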
[-] [email protected] 8 points 2 days ago

Under passkey implementations, you need to unlock the passkey device with biometrics or passwords. Something you are/know (biometrics/passwords) and something you have (passkey).

It's not impossible to screw it up. Put your passkeys in bitwarden, reuse a password and don't 2fa that.

[-] [email protected] 6 points 2 days ago

My workplace doesn't allow Bitwarden because 'it's not secure'.

[-] [email protected] 2 points 2 days ago

It's easy enough to enforce 2FA on it.

Most of the other online solutions are about the same.

[-] [email protected] 31 points 3 days ago

Passkeys use public key authentication. This makes them very resistant to phishing attacks. It's also not possible for a phishing site to request authentication via a passkey created on the original website.

[-] [email protected] 4 points 2 days ago

In practice, they use Face ID, which has privacy implications.

[-] [email protected] 6 points 2 days ago

In practice, they either use system authentication if you use the implementation bundled with iOS/Android - and sure, that can be Face ID if set up, or other forms of biometric authentication. Both operating systems have APIs that allow password managers to provide their own implementation of passkeys, and in that case you have to authenticate with your password manager - sure, most of them support using system authentication (biometrics) as well, but this could also be a master password or hardware key (which work very similarly to passkeys, by the way).

I'd argue if you don't assume that whatever system you're using is reasonably secure/private, you probably shouldn't enter any passwords on that system either. This isn't a passkeys vs. passwords problem.

[-] [email protected] 6 points 2 days ago

That sort of thing is the push I need to get entirely off of Github

[-] [email protected] 23 points 4 days ago

Yeah. Passkeys are something I would love if they were a second factor because they are so much better than any other 2fa. And I use my yubikeys as second factors where I can. But why the hell would I not want a password too?

[-] [email protected] 19 points 3 days ago

Passkeys are always supposed to be protected by another layer of authentication, e.g. a password should be required to unlock the passkey. If your passkey doesn't do that, stop using it.

[-] [email protected] 19 points 3 days ago

It's different. It's still two factors if implemented correctly: 1. Possession of the passkey (better if you have a physical token, but passkey on your phone is passable). 2. Knowledge of your password (or bio authentication if you use face id or w/e).

Note you are not giving your password to the website, and if a hacker gets hold of your password they still can't do anything without your passkey device.

[-] [email protected] 41 points 4 days ago* (last edited 4 days ago)

If this isn't referring to the Git CLI that prompts the user for username and password for a GitHub remote repository and GitHub rejecting password auth, then disregard this rant.

Git and GitHub are two separate pieces of software. Git is the local client that does all the work and can optionally sync with a remote repository that can be stored in GitHub or GitLab or any other compatible remote. When Git asks for a password to authenticate, it has nothing to do with GitHub. GitHub then rejects that authentication method that Git provided because it believes that the method is insecure.

[-] [email protected] 19 points 3 days ago

Wait until we tell them that Java and JavaScript are also different languages that are completely different things.

[-] [email protected] 25 points 4 days ago

I mean, that’s just the Git behavior.

[-] [email protected] 10 points 3 days ago

What happens to the account access if the passkey-registered device dies?

[-] [email protected] 10 points 2 days ago

You can have more than one passkey.

You can still use password + 2fa

You can use google oauth.

You can use a YubiKey

You should probably have a primary and secondary auth for every site.

[-] [email protected] 6 points 2 days ago

Or just a password that is known to you and only you.

[-] [email protected] 2 points 2 days ago

Those are awfully dangerous on their own these days.

As soon as a poorly salted hash leaks or gasp, a hash with no salt, it's super easy to reverse those passwords now.

2FA severely reduces the danger of rainbow tables and keyloggers. The only real worry with 2FA is login replacement and interception, and passkey solves that, albeit at the cost of complexity.

[-] [email protected] 2 points 2 days ago

So, losing a passkey isn't a lost account?

[-] [email protected] 2 points 2 days ago

I didn't know about the ability to use more than one passkey per platform. Something I'll have to investigate further.

[-] [email protected] 17 points 4 days ago* (last edited 4 days ago)

Still using Github, the American company owned by Micro$oft, known for deleting repos? I'd consider switching away from them, If you're able to.

this post was submitted on 16 Sep 2025
707 points (97.8% liked)