Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
if it undermines or circumvents my fifth amendment right not to testify against myself, then I’m not interested in ending the use of passwords.
You can set a pin on most passkey devices so that it doesn’t serve the authentication without it.
While the lock-in issue is annoying and a good reason not to adopt these, the device failure issue is a tech killer. Especially when I can use a password manager. This means I can remember two passwords (email and password manager), make them secure, and then always recover all my accounts.
Passkeys are a technology that were surpassed 10 years before their introduction and I believe the only reason they are being pushed is because security people think they are cool and tech companies would be delighted to lock you into their system.
Not to mention Apple decided to make passkeys Airdropable. Fun.
I worked on a cool projected called FedID: https://fedid.me/ that creates a distributed identifier (DID) out in the world, federated with AvtivityPub, and gives you a key you can sign in with via OpenID Connect. It allows the DID to have multiple keys for multiple devices, and delegate authority, so losing a device/failure is no big deal.
That being said, Web passkeys can be stored in password managers, just like passwords.
Cops also love them because they make getting access to your entire phone including all accounts simple as cake if you use fingerprint/faceID to unlock your device.
its being pushed because corporations want to control your passwords with lock-in.
no way i’m using that garbage over my own manager with recallable plaintext passwords.
You can transfer passkeys between platforms? This is a non-issue
all at once? i don’t think so.
even then, corporate apps will always remove convenient features later for lock-in. i don’t fall for this shit anymore.
Passkeys are a technology that were surpassed 10 years before their introduction
Question is by what? I could see an argument that it is an overcomplication of some ill-defined application of x509 certificates or ssh user keys, but roughly they all are comparable fundamental technologies.
The biggest gripe to me is that they are too fussy about when they are allowed and how they are stored rather than leaving it up to the user. You want to use a passkey to a site that you manually trusted? Tough, not allowed. You want to use against an IP address, even if that IP address has a valid certificate? Tough, not allowed.
They were surpassed by password managers and 2fa.
Technically they are the 2fa. The second factor is something you have. I store all my passkeys in my password manager too, so I’m not faulting you, but technically that’s just undoing the second factor, because now my two factors are “two things that are both unlocked by the same one thing I know”. Which is one complicated factor spread across two form fields.
Password managers are a workaround, and broadly speaking the general system is still weak because password managers have relatively low adoption and plenty of people are walking around with poorly managed credentials. Also doesn’t do anything to mitigate a phishing attack, should the user get fooled they will leak a password they care about.
2FA is broad, but I’m wagering you specifically mean TOTP, numbers that change based on a shared secret. Problems there are: -Transcribing the code is a pain -Password managers mitigate that, but the most commonly ‘default’ password managers (e.g. built into the browser) do nothing for them -Still susceptible to phishing, albeit on a shorter time scale
Pub/priv key based tech is the right approach, but passkey does wrap it up with some obnoxious stuff.
password managers have relatively low adoption and plenty of people are walking around with poorly managed credentials
All of the modern browsers have built in password managers so I doubt that very much.
Are they as secure as your self-hosted bit warden that is not accessible via the Internet? No.
But it does still keep track of your usernames and even alerts you if you have a breach.
Ok, I’ll concede that Chrome makes Google a relatively more popular password manager than I considered, and it tries to steer users toward generated passwords that are credible. Further by being browser integrated, it mitigates some phishing by declining to autofill with the DNS or TLS situation is inconsistent. However I definitely see people discard the suggestions and choose a word and think ‘leet-speak’ makes it hard (“I could never remember that, I need to pick something I remember”). Using it for passwords still means the weak point is human behavior (in selecting the password, in opting not to reuse the password, and in terms of divulging it to phishing attempt).
If you ascribe to Google password manager being a good solution, it also handles passkeys. That removes the ‘human can divulge the fundamental secret that can be reused’ while taking full advantage of the password manager convenience.
I use them with bitwarden and a self hosted vaultwarden. If my phone breaks, no issue. If my server breaks, I got local backups… Keys are stored encrypted in a postgres database for which I have access, if I need to restore it. No lock-in issue or risk of loosing access when one or two devices break.
That sounds great, but also isn’t a solution for most people.
True. But most good stuff isn’t a solution for everyone. It takes real effort to escape vendor-lockin. Bigtech made sure of that.
If something is too simple to set up or requires no set up, or comes from a for-profit company, but doesn’t cost anything, then it always suspicious.
I am just saying that the issue is not with passkey itself, but the individual implementations and that google/twitter/etc. is pushed towards regular users.
Critiquing passkey because vendor-lockin is like critiquing HTML for allowing ads.
Even if you are really careful, your details can always be leaked from a company server during a breach. If the companies adopt passkeys, that issue isn’t there. Because there isn’t a password anyone can randomly use. That’s why I feel big tech companies are moving towards it.
Yes, you have to trust the company storing the passwords.
A good company can store passwords in ways that are secure to most hacking attempts. It isn’t impossible to break the encryption typically used, but it is difficult enough that most thieves will not have the resources or time to make use of the data. They want the low effort password databases, not the difficult and expensive ones.
Tried Passkey in the past. I had many problems, especially could not understand why they must use my google account. Now my google account is gone, don’t gonna go that rabbit hole again, i am happy with my Bitwarden and Aegis.
You can now use thirds parties APIs for Passkey. I use ProtonPass on my part, it works great most of the time, but there are still some apps that have Google provider hard-coded.
Better title:
Passkeys: still trying to explain why it’s worth the hassle when it isn’t
There’s a hassle?
Every time I was prompted to use one by plugging my phone in to my computer nothing happened. That was a little over a year ago.
A better, well defined API for password managers to insert login information to the site compared to text boxes.
The biggest disadvantage:
Disadvantages of Passkeys
Ecosystem Lock-In – Passkey pairs are synced through each vendor’s respective clouds via end-to-end encryption to facilitate seamless access multiple devices.
More eggs in the American megacorp basket for more people, yay
Currently I use a FOSS (I think?) password manager, BitWarden, that supports passkeys. I use it across Mac, Windows and Android so I’m while my passkeys are locked yo the password manager, I am not locked to any of the aforementioned megacorps.
I use BitWarden too. OS , device and browser agnostic is a win
But I imagine the vast amount of people will use whatever their platform is pushing, so Apple Google or Microsoft. And in 5 years time “3rd party passkeys” are not “secure enough” and blocked by the OS. (Ok that’s a bit tinfoil hat, but Google’s recent Android app developer verification scheme is fresh in mind)
That’s not the biggest disadvantage “if used properly.” Any account you have should get a passkey on every device you own. Each device has it’s own passkey system. If you have an iPhone, yeah, you get an apple passkey, but then if you have a windows laptop, you have a microsoft passkey, a FLOSS system will have it’s own, and so on. You are already on whatever system would contain the passkey and can easily add different ones each time you get a new device.
The biggest issue is that most people use a small number of devices (including many who use 1). Passkeys work best if you have many devices, so if you lose one, you just use another to access your services. If you have 1, you need to use recovery codes (and people don’t save them).
A key for each service for each device is too impractical in real life.
Getting a new device would mean logging in to hundreds of services to link up the new device. Or somehow keep track of which services have keys with which devices. And signing up to a new service would mean having to remember to generate keys for a a handfull of devices, some of which might not be available at the time (like a desktop computer at home when you are out). Or you risk getting logged out if you loose the one device that had a key for that particular service.
I agree passkeys can make sense with something like BitWarden or KeyPassX. Something that is FOSS, and is OS and device agnostic, and let’s you sync keys across devices. And should have independent backups too. Sync is not backup.
Your password hashes (assuming they even hash them) already live on their servers…
Cool, they know the hash to that one service I signed up with them. Not every account ever.
Your passkeys aren’t synced to anything, so the passkey is no different than your password hash. They’re device locked unless you use something like bitwarden, so you’re no more dependent on American mega corps than you are right this second.I’m wrong.
Dont they all sync to the respective cloud services?
iOS vault -> synced apple cloud Android vault -> synced with Google cloud?
Windows Hello -> synced with Microsoft account?And if they’re not synced, that’s even worse. Loose your device and loose your account. Or keep track of which of your 5 devices are have keys for which of your 150 accounts
Well shit, you’re right. I must not have been paying attention when they updated them to include that
Say you don’t understand passkeys without saying you don’t understand them…
A passkey uses public key cryptography to secure your account instead of a password, it only grants you access to the one account you set it up for, and the account provider only holds your public key, you control the private key. Your passkey is a secure alternative to passwords because you CANNOT reuse it across services, cannot reasonably remember it, and the method of using it isn’t by copying and pasting into a field like a password, so it isn’t susceptible to the same attacks.
If the provider loses your public key, they can’t give you a challenge to verify you have the private key, so you lose access. Just like if they lose your password hash. It’s an identical scenario.
Everything you said is correct, but you misunderstood my point. I was referring to the fact that Google/Apple/whatever would hold your private key. In practical terms, it is barely different from the existing “Sign in with Google/Apple/whatever”.
The assumption is that the native passkey manager on the device (iPhone, android, windows) would sync the passkeys (to Apple , Google, Microsoft) for protection against device failure and easy of use across devices. Or you risk loosing your accounts if you loose your device.
That would happen if you store your passwords there too…
If you’re proactive enough with your passwords to manually store them in your own vault, you can be proactive enough to not use the corporate vaults that don’t allow exporting. This isn’t a “downside” of passkeys, it’s a downside of using the built in managers.
Just don’t take away passwords + TOTP 2FA for those of us who are actually using it correctly.
lets just hold the line of “the answer is always username/password + second factor”.
could be username/password + totp…
could be username/password + passkey…
if someone figures out my password, i dont lose everything…
if someone steals my passkey, i dont lose everything…
even if i do use the same password for everything, the second factor has it covered.
(nobody will ever guess my password of ******** anyway!)
hot take: end users will be more likely to adopt security keys (or device attested passkey which = security key). Physical security, out-of-bounds cryptography to defeat AitM attacks (fake landing pages where six digit codes are stolen and silently used in perpetuity by the bad actor)
source: my job is to try to get end users to put strong MFA on all the things.
I use Passkeys with Bitwarden in desktop Firefox, but for some reason I can’t get them to work in GrapheneOS/Vanadium even though I have Bitwarden set as my password provider
The promise of passkeys when i first grad about them was that it would be quick and easy - that you wouldn’t need to enter a username or use 2fa. The reality appears to be that this is that it’s used ** as** 2fa
Personally, I found that It works well with Microsoft, Paypal, Google, Shopify and Proton. I was really surprised to find the option on German government sites, worked there as well. Tested in Ungoogled Chromium and Librewolf. The only thing I find dissappointing is adoption
seems like too much messing around to make it a widespread solution.
Nope.
You missed some disadvantages. For example the UX and complexity are terrible.
Passkeys are cool but you still need 2fa. Which may as well be a passkey itself.
One factor is not great even if it’s a passkey.
- Built-In Two-Factor Security – Passkey logins use your private key stored on your device and your face or your fingerprint or your PIN. Unlike password, these cannot be easily replicated by a scammer.
Passkeys are cool but you still need 2fa.
How do you use it then if you need to share access in the whole team?
You don’t share your personal password across the whole team now, do you? At least for your teams sake I hope you don’t.
You know that not every account is only used by a single user, right?
I think that’s the problem right there… If you share accounts across multiple people you have far greater problems than how passkeys work…
Or they’re using it as intended. I’ve had more than one account I’ve gotten by cost sharing with friends. That’s not a problem, that’s a solution.
And it only takes one person with a grudge to cause a problem. I have seen it. I have shared accounts but very carefully and if someone abuses it then they permanently lose access to my stuff even if they are family.
share your personal password
We share a password. Then we don’t call it a personal password anymore. Was that your question?
Obviously not the personal password, but sometimes you need to share a password. Think about the password for a remote desktop your team may need to connect to for troubleshooting a problem for example.
I like passkeys but ONLY as the second factor. Using them as the primary makes no sense in majority of cases.
I store the passkeys in my self hosted vaultwarden, they are a good replacement for auto inserting random passwords via text boxes.
I’ve been mostly too lazy to look into how to use passkeys. If my normal flow is using 1password for 2fa (on mobile and on the computer), is there a way I can still use that with passkeys? It says they’re supported but I’m not sure how that’d work, because aren’t they device specific?
I just don’t want me losing access to my phone for whatever reason mean that I lose access to my accounts.
