Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
While the lock-in issue is annoying and a good reason not to adopt these, the device failure issue is a tech killer. Especially when I can use a password manager. This means I can remember two passwords (email and password manager), make them secure, and then always recover all my accounts.
Passkeys are a technology that were surpassed 10 years before their introduction and I believe the only reason they are being pushed is because security people think they are cool and tech companies would be delighted to lock you into their system.
Password managers store passkeys. They’re portable and not device-locked. Been using them on Bitwarden for like 2 years now.
It is not portable in the sense that you need bitwarden installed on the device you are trying to connect from.
Passwords can be plain text, which means I can copy, paste, and dictate them to a device that does not have additional software installed.
I think they are being pushed because cool technology on paper. Whenever I read an article about them, I can’t help but think about the human factors. How are passkeys created, often by a password or email. okay… that looks a lot like a password. Oh you lost the passkey, here lets send you one again. It stinks of a second factor without a first. Sure, the passkey itself is hard to compromise, but how about its creation. If your email is compromised I see no difference from passwords or passkeys.
They don’t email you a passkey, what are you even talking about?
There are quite a few uninformed takes here & the number of upvotes they got for it is stunning. Lemmy. 😞
The flow I hear about when people talk about passkeys is sign up with email. Code gets sent to email. Code is entered, passkey gets generated. There always seems to be some similar step that looks like that, and often you have new device or reset that looks the same. Sure the passkey itself is secure, but how do you get it, how do you generate it, how do you validate the first time?
None of that is remotely true lol. You don’t get a passkey, you generate. Nothing is “sent” to you at any point in time, it has nothing to do with email.
Instead of saying how it doesn’t work, it’d be more constructive to explain how it does.
You mean like… the article you’re commenting on does?
its being pushed because corporations want to control your passwords with lock-in.
no way i’m using that garbage over my own manager with recallable plaintext passwords.
Question is by what? I could see an argument that it is an overcomplication of some ill-defined application of x509 certificates or ssh user keys, but roughly they all are comparable fundamental technologies.
The biggest gripe to me is that they are too fussy about when they are allowed and how they are stored rather than leaving it up to the user. You want to use a passkey to a site that you manually trusted? Tough, not allowed. You want to use against an IP address, even if that IP address has a valid certificate? Tough, not allowed.
They were surpassed by password managers and 2fa.
Password managers are a workaround, and broadly speaking the general system is still weak because password managers have relatively low adoption and plenty of people are walking around with poorly managed credentials. Also doesn’t do anything to mitigate a phishing attack, should the user get fooled they will leak a password they care about.
2FA is broad, but I’m wagering you specifically mean TOTP, numbers that change based on a shared secret. Problems there are: -Transcribing the code is a pain -Password managers mitigate that, but the most commonly ‘default’ password managers (e.g. built into the browser) do nothing for them -Still susceptible to phishing, albeit on a shorter time scale
Pub/priv key based tech is the right approach, but passkey does wrap it up with some obnoxious stuff.
Lack of adoption doesn’t really make password managers a workaround. What’s being worked around? People’s laziness?
Password managers actually do solve the phishing problem to an extent, since if you’re using it properly, you’ll have a unique password for every service, limiting the scope of the problem.
Putting TOTP 2fa codes in your password manager behind the same password as everything else actually destroys any additional security added by 2fa, since it puts you back to a single auth factor.
Well yes, that is a huge one. I know people who when faced with Google’s credible password suggestion say “hell no, I could never remember that”, then proceed to use a leet-speak thinking computers can’t guess those because of years of ‘use a special character to make your password secure’. People at work giving their password to someone else to take care of someething because everything else is a pain and the stakes are low to them. People being told their bank is using a new authentication provider and so they log dutifully into the cited ‘auth provider’, because this is the sort of thing that (generally not banks) do to people.
Exactly, it mitigates, but still a gap. If they phish for your bank credential, you give them your real bank password. It’s unique, great, but the only thing the attacker wanted was the bank password anyway. If they phish a TOTP, then they have to make sure they use it within a minute, but it can be used.
From the user perspective that knows they are using machine generated passwords, yes, that setup is redundant. However from the service provider perspective, that has no way of enforcing good password hygiene, then at least gives the service provider control over generating the secret. Sure a ‘we pick the password for the user’ would get to the same end, but no one accepts that.
But this proves that if you are fanatical about MFA, then TOTP doesn’t guarantee it anyway, since the secret can be stuffed into a password manager. Passkey has an ecosystem more affirmatively trying to enforce those MFA principles, even if it is, ultimately, generally in the power of the user to overcome them if they were so empowered (you can restrict to certain vendor keys, but that’s not practical for most scenarios).
My perspective is that MFA is overblown and mostly fixes some specific weaknesses: -“Thing you know” largely sucks as a factor, if I human can know it, then a machine can guess it, and on the service provider there’s so much risk that such a factor can be guessed at a faster rate than you want, despite mitigations. Especially since you generally let a human select the factor in the first place. It helps mitigate the risk of a lost/stolen badge on a door by also requiring a paired code in terms of physical security, but that’s a context where the building operator can reasonably audit attempts at the secret, which is generally not the case for online services as well. So broadly speaking, the additional factor is just trying to mitigate the crappy nature of “thing you know” -“Thing you have” used to be easier to lose track of or get cloned. A magstripe badge gets run through a skimmer, and that gets replicated. A single-purpose security card gets lost and you don’t think about it because you don’t need it for anything else. The “thing you have” nowadays is likely to lock itself and require local unlocking, essentially being the ‘second factor’ enforced client side. Generally Passkey implementations require just that, locally managed ‘second factor’.
So broadly ‘2fa is important’ is mostly ‘passwords are bad’ and to the extent it is important, Passkeys are more likely to enforce it than other approaches anyway.
I came to sorta say this. Regardless of the system if it can fail and if people have to recover an account then phishing will always be a thing. In person options to deal with an account like with bank branches or government offices are the only true way of making things more secure. I sometimes think it would make sense for this. One rare thing I have seen that gives me a bit of hope is the use of in person at the post office for us government accounts. Thats exactly how it should be done. Secretary of state for state and usps for federal. They are the only agencies with enough physical locations.
Not to mention Apple decided to make passkeys Airdropable. Fun.
I worked on a cool projected called FedID: https://fedid.me/ that creates a distributed identifier (DID) out in the world, federated with AvtivityPub, and gives you a key you can sign in with via OpenID Connect. It allows the DID to have multiple keys for multiple devices, and delegate authority, so losing a device/failure is no big deal.
That being said, Web passkeys can be stored in password managers, just like passwords.
Even if you are really careful, your details can always be leaked from a company server during a breach. If the companies adopt passkeys, that issue isn’t there. Because there isn’t a password anyone can randomly use. That’s why I feel big tech companies are moving towards it.
Companies should already be storing password hashes, so the risk of leaking a hash vs a public key is roughly the same. It’s just that private keys are generally longer than passwords and therefore harder to bruitforce.
Any company storing passwords in a recoverable format deserves to be hacked.
Yes, you have to trust the company storing the passwords.
A good company can store passwords in ways that are secure to most hacking attempts. It isn’t impossible to break the encryption typically used, but it is difficult enough that most thieves will not have the resources or time to make use of the data. They want the low effort password databases, not the difficult and expensive ones.