A lot of services support passkeys. Microsoft even has an option to make my account “passwordless”. Since they are more secure than passwords, will you be switching some / most of your accounts to passkeys any time soon? Interested to hear everyone’s thoughts on passkeys. 🔑

    • American_Jesus@lemm.ee
      link
      fedilink
      arrow-up
      21
      arrow-down
      8
      ·
      3 months ago

      Passwords can be leaked, mostly by bad security on server side.

      Passkeys use secure keys, it checks public keys on both sides and send private key to authenticate, without both keys can’t login or if the server is compromised.

      It’s like GPG or SSH works.

      • Dark Arc@social.packetloss.gg
        link
        fedilink
        English
        arrow-up
        35
        arrow-down
        1
        ·
        edit-2
        3 months ago

        Close but private keys don’t get sent.

        It sends information encrypted via your public key to your client, then your client proves that it’s the real owner of the key by decrypting the message, and then sending a new message back encrypted by the private key that the server can then verify.

        This is what’s better than a password, the information for providing authentication (the private key) never leaves your computer (where as you almost in all implementations of password based auth, send the password itself to the server).

        • JubilantJaguar@lemmy.world
          link
          fedilink
          arrow-up
          7
          ·
          3 months ago

          A question, since you sound like you know what you’re talking about. Is this analagous to password-free SSH? I.e., private key used to log in on the basis of a pre-agreed public key?

          • Dark Arc@social.packetloss.gg
            link
            fedilink
            English
            arrow-up
            10
            arrow-down
            1
            ·
            3 months ago

            Yeah basically. See “What is a passkey” on https://fidoalliance.org/faqs/#PasskeysFAQs

            From a technical standpoint, passkeys are FIDO credentials that are discoverable by browsers or housed within native applications or security keys for passwordless authentication. Passkeys replace passwords with cryptographic key pairs for phishing-resistant sign-in security and an improved user experience. The cryptographic keys are used from end-user devices (computers, phones, or security keys) for user authentication.

            • JubilantJaguar@lemmy.world
              link
              fedilink
              arrow-up
              5
              ·
              3 months ago

              Which begs the question, “What is FIDO?”. To which the About FIDO page replies, literally, “FIDO authentication uses standard public key cryptography techniques to provide phishing-resistant authentication”.

              Arrghghgh! Orwell was right about people’s incredibly capacity to write with zero clarity.

              More generally, IMO what we have here is a classic case of ELI5 vs “ELI know something already”. I use SSH and manage the keys myself but I still can’t find an answer to this question: is a “passkey” just another word for “the private key in a public-private keypair?”

              Whenever I look into this, the explainer always either jumps straight into super-dense technical details, or describes it all in term of metaphors as if talking to a small child. Oh well.

              • Dark Arc@social.packetloss.gg
                link
                fedilink
                English
                arrow-up
                3
                arrow-down
                1
                ·
                3 months ago

                Reading through all the jargon and simplifying it, the answer: yes they’re the same in the way you mean.

                “SSH” and “passkey” are both technologies built on asymmetric cryptography. They thus at a fundamental level do work in the same way, it’s all the protocol and practices stuff that gets bolted on that is where things become different and where things took time to get into place so we could use these things on the web (and not just “we” who know what SSH is but “we” who make up society).

                Arrghghgh! Orwell was right about people’s incredibly capacity to write with zero clarity.

                The problem is arguably that for the people who understand it enough to say “yeah, they’re the same idea”, the key point is “asymmetric cryotherapy” in an authentication context, the key point is not SSH. SSH is just how most technically inclined users have most directly experienced asymmetric cryptography deployed as an authentication mechanism. It’s that same mistake textbooks often make of burying the lead in an otherwise obscure reference the reader may or may not pickup on.

                But yes, it would be helpful if some major site would provide this comparison “so that I don’t have to! 😉”

                See also “Enrollment and Sign-in with FIDO” in https://fidoalliance.org/how-fido-works/

                • JubilantJaguar@lemmy.world
                  link
                  fedilink
                  arrow-up
                  3
                  ·
                  3 months ago

                  It’s that same mistake textbooks often make of burying the lead in an otherwise obscure reference the reader may or may not pickup on.

                  Exactly. Thanks for clarifying.

      • otp@sh.itjust.works
        link
        fedilink
        arrow-up
        5
        ·
        3 months ago

        Passwords can be leaked, mostly by bad security on server side.

        Wouldn’t this be solved by storing only hashed passwords?

  • jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    29
    arrow-down
    1
    ·
    edit-2
    3 months ago

    Passkeys as password replacements reduce the total factors required to login to a service. If you use 2fa for all your services anyway then passkeys are a downgrade. That’s why so many people are angry they are having security options removed.

    For people who use the same username and password everywhere, then passkeys are a upgrade.

    So normal people get a benefit from passkeys in exchange for getting locked into a ecosystem.

    For security minded people I hate passkeys.

    • Less factors to login
    • Discoverable
      • Unlike fido2 webauthn the service the credentials attach to have to be known, so if anyone steals your hardware key, or gets access to your phone they can see all the passkeys and accounts you have

    I WANT my logins to be something I know, something I have, and something I am. Password, hardware key, biometric unlock of key.

    I don’t mind passkeys existing, but I HATE that services are replacing hardware key flows with passkey flows. I want to use my hardware key as fido2 not as a passkey. I don’t want to downgrade my security! Microsoft makes it impossible to use a 2fa hardware key as a second factor now, only as a passkey, that’s strictly worse then before.

    • EngineerGaming@feddit.nl
      link
      fedilink
      arrow-up
      4
      ·
      3 months ago

      To be fair, there is a “something you know” factor - the passphrase for the database containing the passkeys. But I kinda do wish they were more easily password-protected individually, like how you do with SSH keys. You can have a separate database for each passkey I guess… But yea, inconvenient.

  • Darkassassin07@lemmy.ca
    link
    fedilink
    English
    arrow-up
    25
    arrow-down
    2
    ·
    3 months ago

    They are more secure than password authentication, though how much more secure depends on how the user manages their passwords.

    If a user never reuses passwords across different services and maintains long complex passwords, preferably randomized strings; the security upgrade of Passkeys is quite marginal. Arguably marginal enough to not even bother. The farther a user gets from ‘ideal’ password security practices though, the more of a security upgrade Passkeys would be for them; though convincing them of that is another story…

    Switching to Passkeys does take a lot of responsibility off of both the user and service provider. The user no longer needs to ensure passwords aren’t reused, insufficiently complex, or already compromised; and the service provider doesn’t need to worry about leaking your passkey as they only have the public key portion which can’t be used to login as you.

    In some ways they can be more inconvenient though. With a password, even long unique complex passwords stored in my password manager; I can open the password manager on my phone, read the password I want, and manually enter it into an unfamiliar or shared device without having to load my entire password/key vault onto that device. Passkeys make that impossible; essentially forcing you provide the whole vault to the device or give up. It is also a big step for people that aren’t familiar with password managers and are used to just remembering their passwords, to then switch to a passkey manager where they can’t use their memory to login anymore.

    There’s good sides and bad sides to everything really. Some people will prefer one way, some will want the other way. Ultimately I think we’ll get pushed into using Passkeys by most companies, just so they can shed some of the responsibility of keeping your credentials secure. A stolen passkey database, unlike a password database, would not allow you to pose as users, which leads to less claims of fraudulent activity.

    • 777@lemmy.ml
      link
      fedilink
      arrow-up
      2
      ·
      3 months ago

      Passkeys (depending on implementation) are more resistant to info stealer viruses.

      The private key portion can be in your OS’s credential store and can be used to sign the challenge without being revealed to the calling application.

      Of course this doesn’t work if you got rooted, but a lot of viruses of this kind try to steal what they can get as a regular user, and you can get a lot, ie AWS credentials, saved browser passwords etc.

      In my view it’s cheap defense in depth.

  • NotMyOldRedditName@lemmy.world
    link
    fedilink
    arrow-up
    19
    arrow-down
    1
    ·
    3 months ago

    I highly dislike the idea of a passkey replacing a password as it means you’ve lost the something you know and replace it only with something you have.

    Passwords AND passkeys together sound great.

    • 9tr6gyp3@lemmy.world
      link
      fedilink
      arrow-up
      10
      arrow-down
      3
      ·
      3 months ago

      To be fair, you cant use the passkeys unless you are logged into your password manager, which requires a password you “know”.

      • NotMyOldRedditName@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        3 months ago

        It could be your phone or computer as well, they don’t have to be in a password manager.

        And that’s often going to be the default people use.

        Now it’s just your face or fingerprint, both of which are easier to bypass if it’s targeted.

          • NotMyOldRedditName@lemmy.world
            link
            fedilink
            arrow-up
            4
            ·
            edit-2
            3 months ago

            Just in addition to my other reply… that was assuming it’s not a government agency.

            The police can just force you to do it, but they can’t force a password.

            Everyone using a passkey and biometrics on their hardware is law enforcements wet dream.

            Edit: Including border security where you have less rights.

            • jet@hackertalks.com
              link
              fedilink
              English
              arrow-up
              1
              ·
              3 months ago

              This exactly why I have a phone that lets me use two factors to unlock it, pin plus fingerprint!

              • NotMyOldRedditName@lemmy.world
                link
                fedilink
                arrow-up
                2
                ·
                edit-2
                3 months ago

                It let’s you require both?

                It looks like it’s pin and optional fingerprint, not pin and fingerprint for me? On Android

                This is why I always turn it off in airports though.

          • NotMyOldRedditName@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            3 months ago

            It’s just much weaker than a password and passkey / security key.

            Something you are can easily be taken from you. (Edit: eg lifting fingerprints can unlock things)

            Something you know is harder and would escalate a situation if forced substantially.

  • akilou@sh.itjust.works
    link
    fedilink
    arrow-up
    18
    ·
    3 months ago

    I’ll use passkeys if and only if they work with my password manager (Proton Pass). If not, I’m sticking with the password (and 2fa if they offer it)

    • bilbobaggins@lemmy.worldOP
      link
      fedilink
      arrow-up
      8
      ·
      3 months ago

      Very enlightening read. That service lock-in is so real. I had some passkeys in Google Password manager (Android) just to try them out, and then wanted to move them to Bitwarden. I had already disabled Google Password manager on my phone to use Bitwarden. Imagine the headache I had to deal with to move a single passkey over to Bitwarden (really, I deleted one and added one, while dealing with UI hurdles). Until this improves (if ever), I’ll probably stick to my passwords and normal 2FA.

  • Unmapped@lemmy.ml
    link
    fedilink
    arrow-up
    14
    ·
    edit-2
    3 months ago

    Since I use a good password manager. And use TOTP on everything I can. Which admittedly I do store in my password manager as well. I don’t think passkey really improves security very much in my case.

    That being said though I’m a big fan of passkeys and use them everywhere I can. But I don’t store them on devices only in my password manager. So I don’t have to worry about if I lose a device.

    I think where passkeys really shine though is for people who still aren’t using a password manager. While I’ve tried to get everyone I know using bitwarden most still don’t. And the ones that do still don’t have half of there accounts in it. They are still reusing passwords across multiple sites. So I think passkeys will massively increase security for the majority of ppl. And for those of us using password managers I still think its a slight improvement to convenience.

  • shortwavesurfer@lemmy.zip
    link
    fedilink
    arrow-up
    10
    ·
    3 months ago

    As soon as KeepassDX supports it i absolutely will be making the switch where possible since it is more secure.

  • asudox@lemmy.world
    link
    fedilink
    arrow-up
    10
    ·
    edit-2
    3 months ago

    They’re better than passwords in that they really are phishing proof and well they are basically RSA key pairs that are generated, so they are naturally brute force resistant. Great for the majority because most people reuse their crappy password over and over again, ignorant of the fact that password managers exist just because they have to spend 10 seconds more to press buttons to generate a password and store them in the db. The tech is great as long as the user knows how to keep them safe.

    HOWEVER: Since third party password managers (like Bitwarden, 1Pass, etc.) just recently started to provide support for passkeys, alot of people who wanted to use passkey on first release were locked into big tech bros like Google on Android and Apple on iOS’ solutions. And well that’s not good at all. The tech is great though, I’m all for it. You just need to know where to store them. Ideally, I’d store them offline on my device and that exists already but not on Linux (afaik) nor on Android are they a reality yet.

    ^They definitely are not more than secure than my yubikey though.^

  • csolisr@hub.azkware.net
    link
    fedilink
    arrow-up
    9
    ·
    3 months ago

    @bilbobaggins The good part: my self-hosted VaultWarden supports passkeys, so I’ve added them to everything I can. The bad part: Android does not support third-party passkeys on Android 13 and lower, and guess whose phone is stuck with 13 being the latest official release for his smartphone - that means that the websites that completely substitute the password with a passkey, such as PlayStation and Microsoft, are currently off-limits for me because I’ll end up locked outside.

    • bilbobaggins@lemmy.worldOP
      link
      fedilink
      arrow-up
      11
      ·
      3 months ago

      Yeah, I noticed incomplete support as well even though I do have Android 14. I opened an incognito tab on my phone to log in to Google with my passkey and it kept asking for my device fingerprint. Not the passkey I saved in Bitwarden. It still logged me in but it wasn’t quite right. Feels like Android really wants me to use Google’s passkey manager 😓 hopefully this all changes in the future

        • oranki@lemmy.world
          link
          fedilink
          arrow-up
          2
          ·
          3 months ago

          With Bitwarden, you can use passkeys on chromium browsers. Vanadium actually enabled support in advance.

          You need to have Play Services installed, though. This is due to Chromium, nothing GOS can do about that. No need for even network permission for Play Services, luckily.

          Firefox is supposedly adding a standalone implemetation, which won’t require Play Services, any year now…

          Don’t have Proton Pass, so don’t know what’s the situation there. With BW+Vanadium, they work well. I just wish Play Services weren’t required. With Google Passwords they probably just work.

          • EngineerGaming@feddit.nl
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            3 months ago

            Ah, thanks! I don’t use passkeys myself yet, and I guess would be waiting longer - really don’t want Play Services in any form)

            Mostly wondering for KeepassXC, as the managers you mentioned are cloud.

            • oranki@lemmy.world
              link
              fedilink
              arrow-up
              1
              ·
              3 months ago

              They are convenient, but there’s only a couple sites that support full login with passkeys. I’m reading between the lines of your comments none of them are sites you’d use (Microsoft, Github, Google, etc…)

              Someone else commented KeepassXC has an open issue about passkeys, perhaps they’ll add support sometimes too.

              You’re not really missing anything yet, to be honest. I’ve mostly tried them out just out of interest, and it’s still very much aimed at people using Google or Apple…

  • Earth Walker@lemmy.world
    link
    fedilink
    arrow-up
    8
    ·
    3 months ago

    I would very much prefer to use passkeys wherever possible. My password manager of choice Bitwarden also supports them. Unfortunately, Android 13 which I am running does not support setting a default app to handle passkeys. So I cannot access that functionality on my phone yet. I think in a few years I will be authenticating with passkeys for a lot of services. However there will be a lot of services that lag behind in terms of offering passkey authentication.

  • nanimono1@sh.itjust.works
    link
    fedilink
    arrow-up
    6
    ·
    3 months ago

    passkeys were invented for vendor lockin and will be used to add friction to migration, say if you wanted to move from apple to bitwarden well sorry you can’t. fido originally made the protocol to sell their dongles and fought like hell to keep them off smart phones, platform vendors are only interested in this to lock you into their system too. there is absolutely nothing wrong with normal passwords.

  • refalo@programming.dev
    link
    fedilink
    arrow-up
    3
    ·
    edit-2
    3 months ago

    I would like to use it (or any biometric authentication at all) on Linux with my USB fingerprint reader (DigitalPersona 4500), but it seems broken in libfprint and the devs are unresponsive to their gitlab issues. Using a Windows VM just for fingerprint support is not something I want to do either.