Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing… that lives on my phone? What if I lose my phone? What if you steal my phone?
Until someone can explain to me how I can transfer, manage and control my passkeys without syncing them to some hostile corporation’s cloud infrastructure, passkeys will remain a super hard sell for me.
You can use Bitwarden to store passkeys. Not sure if the self hosted solution has support for it yet though.
I must admit that, despite reading about passkeys a bit, I still don’t understand the actual practicalities. I seem to recall that Bitwarden can store keys, but can’t generate them. If that’s true, who generates the passkey?
Bitwarden can both generate and store them in the browser extension. It can also use them through the browser extension but it can’t yet use them through the mobile apps (they’re working on it).
Bitwarden pro right? ($10 for the year, totally worth it). My mobile app can create/use them already too.
Don’t need the premium version of Bitwarden to use passkeys. The free version works.
That said, $10 per year is not a big cost to support the company storing your vault and developing the apps.
Vaultwarden does at least, I’ve been using it with passkeys for the last couple months and it’s been great.
2024.1.2 released with self-hosted server passkey support.
TBH though I would not trust myself to self host my keys to my digital life when the alternative is $40/year for the whole family. You may have a different perspective though.
You can just use something like YunoHost, and synchronize weekly encrypted backups via Nextcloud or Syncthing to all of your computers. That way, if your server ends up busted for whatever reason, you can just restore it elsewhere and go back to business
VaultWarden user here - yes you can now use your own self-hosted server to store passkeys and that’s a gigantic game-changer. Just install the BitWarden add-on on a recent version of Firefox and voilà
I currently use Syncthing to keep my Keepass database updated on my phone, laptop, and home server. Any change anywhere is instantly sent directly to the other 2 devices.
Yeah, I do the same but with nextcloud.
How’d you get nextcloud actually working? I’ve tried a few times and it was never stable.
I use the ebuild on Gentoo, combined with some custom nginx config, and a dedicated php-fpm instance just for Nextcloud. Never tried using any of the Docker packages for it so I can’t comment on those.
Updates involve merging the new package and running webapp-config to link the files into place, running occ upgrade, and refreshing ownership of the php files. Never had a serious problem with it.
this is the way
you can even tweak folders to either send or receive only on some devices
plus if you really want to be safe you can set file versioning and ignore deletes on a folder to make it strictly backup on more than one device
no internet connection required, you can set it all on lan
I think it is my favorite open-source project after Torvalds’ creations
Does KeePass support passkeys?
KeePassXC is working on it but I haven’t seen anything about the original KeePass.
Can you use SyncThing along with Nextcloud? I currently use Nextcloud to store my data, but the one part where it still lags a bit behind is on Android specifically (you need to manually sync certain changes).
I don’t know anything about Nextcloud. Syncthing is open source, and there are a couple of Android apps. I use Syncthing Fork and don’t have any problems.
Depends on where the line is as far as evil goes. Most of the popular password managers are now starting to support storing passkeys.
I draw the line at the password manager being fully local.
Browsers can save them and extensions like, KeepassXC, can behave like a passkey provider
That’s something, but isn’t half the benefit meant to be storing them in the TPM? Also, that won’t help if you’re logging into a game or app, surely? Would love to be wrong on that, of course.
Many apps now do the ‘app opens the browser for login’ process instead of having the login in their actual app. They don’t have to implement all the different ways to log in then, they can just use the same system that their normal account management stuff on their site uses.
You can get greater security with hardware-backed solutions like a TPM but the adoption rate was not great. I think the goal is to improve things over passwords, even if the credentials are then available on multiple devices via a sync or a password database file. Perfect being the enemy of good and all that. Hardware options still exist and you can still use them; they use the same WebAuthn standard that passkeys use.
Also, that won’t help if you’re logging into a game or app, surely?
MicroG has added support for passkeys already
Yeah, I personally will only use hardware solutions for passkeys – YubiKeys and TPM-backed WHFB creds.
But the other reply makes a very good point about adoption being more important than perfection since, even with software-backed passkeys, you still have the benefit of the secret never leaving the client.
You can create passkeys on individual devices without cloud syncing them. This is a normal usage pattern. How exactly this will be handled depends on the implementation.
Enpass stores the passkey in their db, can be used cross platform and has browser extensions and local (or WiFi) syncing.
KeePass
Self hosted password keeper
I already use KeePass, but as far as I know it doesn’t do passkeys, only passwords?
I haven’t seen anything about the original KeePass supporting them but KeePassXC is working on it:
I have been super hesitant to look into KeePassXC, should I give it a chance?
Of course, unless I can also access these features on my phone it doesn’t really matter…
Yeah, unfortunately passkey support on mobile outside of what the OS/browsers provide is kind of not there at the moment but it’s being worked on. Android 14 apparently has some kind of framework for integrating in third-party passkey providers. At this point, you should view passkeys as an additional, more convenient and secure way to log in on the platforms it’s supported on, not necessarily the only way to log into an account.
Pull the software down and give it a look. Set up a database with no real passwords in it just to play with the various features.
I recently switched to KeePassXC and it looks nicer and is easier to use. The also include some addon functionality into the app so you don’t need to trust that. The only downside is that it doesn’t automatically fills the browser text fields, you have to click on a green icon in the text field - but that is more secure. They also have an android app.
Bitwarden does passkeys supposedly. Haven’t tried it myself yet because I don’t know what to make of passkeys.
Currently Bitwarden’s passkey support is limited to the browser extensions not the apps but from my experience it works relatively well. When logging into a site you just select the passkey from the extension popup and it logs you in.
Example passkey registration:
- Click create a passkey button in the accounts settings page
- Bitwarden extension pops up with a list of matching accounts
- Select the account in your password manager that you want to associate the passkey with
- Click Save passkey button
- The account now has a new passkey associated with it that’s stored in your Bitwarden vault
Example login:
- Click sign in with passkey button on the login page
- Bitwarden extension pops up with a list of matching accounts from your vault
- Select the account you want to sign in with
- Click Confirm button
- You’re signed in
I didn’t like that they interviewed a corporate PR person instead of a real security expert. Sorry but that lady is just deflecting and spinning and missing so many important details to promote 1password.
Generally like the verge but this one was a bit lazy ngl - was there really no neutral or open source expert available?
corporate PR person instead of a real security expert
That’s called an advertisement.
If only companies wouldn’t be patronizing ass hats about it. A few sites deny storing passkeys in software wallets because of “security”. So what, keep using my password is safer now? Fucktards.
Many websites only allow creating a passkey on mobile for example. I also created passkeys on quite a few sites that straight up removed the feature a few days after. I also never found a site that let you completely remove password authentication after adding a passkey.
Even on mobile they are asshats. I have my password manager registered as the passkey wallet in iOS, so creating a passkey in PayPal for example fails.
PayPal’s passkey implementation really is the worst of all worlds.
Didn’t allow me to create one because it doesn’t meet the Google’s security thing (unlocked bootloader).
Fun
Can somebody help me understand the advantages of passkeys over a password manager? Googling just brings up tons of advertising and obvious self promotion, or ELI5s that totally ignore best passwords practices using managers.
Passkeys work like a public/private key pair you’d use to secure SSH access to a server. You give the website a public key that corresponds to a private key generated on your local device. Unlike a password it’s not feasible to brute force and there’s nothing you have to remember which makes it more convenient for you to use. If a site is hacked and they gain access to the public passkey you use to authenticate, it can’t be used to authenticate anywhere.
It’s not really an alternative to a password manager, because you can use a password manager to generate and sync a single passkey between all your devices. In fact 1Password is a big proponent of passkeys and even maintain a big directory of sites that use passkeys.
there’s nothing you have to remember which makes it more convenient for you to use
Unlike my devices, I always have my brain on me. Devices are much more easily lost or stolen than memories. I often might want to access sites using my account from third party devices which I don’t want to be able to use my accounts when I’m not using them.
I just can’t understand how using passkeys (or password managers, for that matter, massive single points of failure that they are) is supposed to be in any way shape or form more convenient than simply remembering a passphrase (which can easily be customisable for each site using some simple formula so that no two sites will share the same but it’ll still be trivial to remember).
Both password managers and passkeys seem like colossal inconveniences and security risks to me when compared to passphrases, frankly. And if you want extra security there’s always two factor authentication (with multiple alternatives in case you don’t have access to one of them, of course; otherwise you might as well delete your account).
Coming up with a simple formula is a big security risk. It makes your passwords easier to brute force, and with enough entropy, probably easy to guess as well.
And what happens if the password is breached? Do you change the formula? What happens if a site requires a password change? Even if the formula accounts for versioning/iterating, how do you remember which iteration you’re on?
Extra security with 2FA I agree with, but that’s not mutually exclusive to using a password manager.
And are password managers really single points of failure? These password managers can sync to multiple devices, so your data is generally safe. If someone gets your password manager password, that’s a problem, yes, but they’d need access to your device to view anything, as installing on another device requires a separate master key to set it all up (which should not be stored digitally anywhere).
It makes your passwords easier to brute force
Passphrases are by definition hard to brute force.
The formula should not be obvious. Don’t just put the site’s name in the passphrase, put a similar sounding but easy to remember word, something that rhymes, the first and last letters of the site’s name plus the number of letters in the domain name, whatever.
An attacker would need to specifically target you and have more than one of your passphrases using the same formula in order to try to figure it out. Too much work. If they’re that interested in your password it’s easier to beat you up until you tell them.
And what happens if the password is breached? Do you change the formula? What happens if a site requires a password change?
You can have a couple different formulas or variations.
how do you remember which iteration you’re on?
Same way you’d remember the password you used for a site if you reused two or three different passwords.
And if you use the wrong one just try again; sure, passphrases can be a bit long, but having to type them multiple times is a good way to make sure you remember which one you used, lest you have to type it again.
Both password managers and passkeys seem like colossal inconveniences
Both my mom and my grandma who are extremely far from tech literate absolutely love that I forced them into using a password manager because it is so much more convenient.
My mom wouldn’t even do the special algorithm for each site, she just had like 2 or 3 passwords that she would use depending on site requirements, and even that simple setup was far less convenient for her than a password manager. She was the one who initially had the idea to make my grandma use one because she became evangelized about how much better a password manager is than having to remember passwords.
Your point about inconvenience is just straight up wrong.
I would also vehemently disagree with your claim that they are a security risk unless you just straight up use them wrong / use hunter2 as your master password. But this comment is already super long so I will just stop there.
The benefit of passkeys over passwords is that they’re phishing resistant and use strong encryption. They’re effectively an iteration on yubikeys meaning you can have as many (or as few) passkeys associated with a given login as you’d like. So, you can easily prevent there being a single point of failure in the system.
Passkeys are tied to accounts and devices and those devices are the only devices used for authentication. This means you can access your account form a public device without that device ever knowing your credentials provided you and your secure device are physically present so it avoids the whole keylogger issue.
This means you can access your account form a public device without that device ever knowing your credentials provided you and your secure device are physically presen
My secure device is in my other pants, though. I misplace my brain much less often.
Passwords are known (or accessible in a password manager) by the user and the user gives one to a site to prove they are who they say they are. The user can be tricked into giving that password to the wrong site (phishing).The site can also be hacked and have the passwords (or hashes of the passwords leaked), exposing that password to the world (a data breach).
With passkeys, the browser is the one checking that it’s talking to the right site before talking by making sure the domain name matches. Passkeys also don’t send a secret anywhere but instead use math to sign a message that proves they are the returning user. This security is possible because there is a public key and a private key. The user is the only one with a public key. The authenticity of the message is guaranteed by math by checking it with the public key that the user provided to the site when they registered their passkey. The site doesn’t need access to the private key that the user has to verify the message so there’s nothing sensitive for the site to leak.
In practical terms, instead of having to have your password manager autofill the username and password and then do some kind of second factor, it just signs a message saying “this is me” and the site logs you in.
So it sounds like basically it’s just client certificates?
Basically, but with a separate public/private key pair per login so they aren’t able to link your identity between sites or accounts with it and also synced or stored in a password manager so you don’t lose them.
Yep! In fact you can still use client certificates in certain passkey/WebAuthN authentication flows. It’s more or less how Windows Hello for Business works (although X.509 certificates are only one type of key it supports).
Basically but with better software and better branding.
We shouldn’t be getting rid of passwords, or one time passwords, or two factor authentication, or single use codes. The point of security is overlapping features is what brings convenience and deterrence.
It’s probably overkill for most people but I would love to have a system that lets me choose what combination of factors together work to login rather than just ‘password and something else’. Something like A,B,C are on the account and you can use A+B or B+C to login. It’d be great for those who don’t necessarily want to trust SMS-based one-time passwords (due to SIM swapping, theft, etc) if we could require something else along with it.
That said, the way passkeys are typically used satisfy multiple factors at once:
Password to unlock your password database that stores your passkey: something you know, the password + something you have, the database
Biometric to unlock your phone that has your passkey: something you are, fingerprint or face + something you have, the phone
Forget about biometrics, they are way too insecure.
Our cameras have reached a stage where we can replicate fingerprints from photos. ‘What you are’ is useless when we leave part of us everywhere. And furthermore, in parts of the world, authorities can force you to unlock your device with biometrics but not with passwords.
Biometrics can be fine when they are layered on top of other authentication methods.
Exactly. See my reply in another thread where I describe a “person trap” that I used to go through to get into a secure facility. Its biometric check analyzed the geometry of your entire hand. It wasn’t just a fingerprint scanner.
I strongly disagree. That’s like using MD5 and saying ‘It’s OK, we use SHA256 down the line’. Information encrypted with it might as well be in plain text.
That’s not how that works. If you were using MD5 and then immediately SHA256 the output and not using it for anything else, that would be fine. You’re not accomplishing much in this specific case, but it’d be fine.
When you layer security, the attacker has to pull back each layer. You don’t rely on any singular layer. If the attacker needs biometrics AND a code AND a physical key, that’s very good security.
For many people it works well as a trade-off between security and convenience. It may not be for everyone though and that’s okay. Nothing stops you from using a password/passcode to secure your passkey instead.
SMS second factor is so bad! The really dumb thing in my opinion is the place that uses SMS to factor the most is banks. Now how dumb is that?
In the EU they have to use something stronger if available. SMS is only used if requested by the user.
I wish it were that way here in the United States. But sadly, nope.
Banks are certainly behind the times and ‘bank-grade security’ is a joke in terms of what authentication methods they offer. I understand that they are slow to change anything though.
My crypto wallet is more secure than my bank because I hold the keys myself and I am not nearly as large a target as a bank. Is it better to go after one person’s money or one million people’s money?
I see SMS as a simple deanon rather than a 2FA.
Years ago I worked for a company whose servers were in a highly secure facility. I had to pass through a “person trap” to get in, which required three independent things to get through: something you have, something you know, and something you are.
Imagine a booth about the size of a phone booth, with doors on both sides. To open the outer door you need a card key. Once inside the outer door closes. To open the inner door you need to put your hand on a hand scanner, then enter a PIN. Only then will the inner door unlock and let you inside. I was told that the booth also weighed you and would refuse to let you through if your weight was something like 10% different from your last pass through. That was to prevent other people from piggybacking through with you.
Lots of people think that’s all overkill until I explain that it’s all to ensure an authorized person, and nobody else, could get through. A bad actor could steal my card key & might guess my PIN, but getting around my hand scan & weight would be extremely difficult.
The closer we get to this sort of multi-layer authentication with websites the happier I am. I want my bank account, etc. protected just as well as that data center…
Honestly that’s cool as heck
Was it like this?
I never screwed up entering my PIN or failed my hand scan, so the trap door never opened up while I was in it…
What if I lose my phone? What if you steal my phone?
Bitwarden supports passkeys, which are stored in your bitwarden vault. If you lost your device, as long as you can still access your bitwarden account, your passkey should still usable.
I can login with the same passkey on Firefox and Chrome using bitwarden. Too bad it doesn’t work on mobile yet.
Ok so 2fa is based on things you know (passwords) things you have (devices), and things you are (biometrics).
I could see passkeys replacing the phone portion of a 2fa, but replacing a password? That can both invalidate the point of 2fa (verifies you have a device twice) and kill the benefits of having a password (if I lose my device I can still login, if it’s stolen the attacker can’t access all of my accounts).
Passkeys are protected by either your device’s password/passcode (something you know) or your device’s biometrics (something you are). That provides two factors when combined with the passkey itself (something you have).
The benefit of the password is only available if you know your password for your accounts or if you have a password manager. People can only remember a limited number of passwords without resorting to systems or patterns. Additionally, with many accounts now knowing the password is not enough to log in, you must either be logging in from an existing device or perform some kind of 2FA (TOTP, SMS, hardware security key, etc). So you already need to have a backup device to log in anyways. Same with a password manager: if you can have a copy of your vault with your password on another device then you can have a copy of your vault with your passkey on another device. Nothing gets rid of the requirement to have a backup device or copy of your passwords/passkeys if you want to avoid being locked out.
People can only remember a limited number of passwords without resorting to systems or patterns.
People also don’t have a backup device though.
Password patterns are best.
People also don’t have a backup device though.
And that’s a problem with most authentication factors and with how most systems don’t rely on just the password anymore. If you don’t have a backup device, you’re going to run into issues.
wouldn’t it be 3fa with biometrics also ? Thanks for your explanation btw
Ideal MFA:
Something you have.
Something you know.
Something you are.
If getting married, add:
Something blue.
Fun fact, I frequently use the word blue as my security question answers. Not all of them but enough that even if a person got to “know” me enough to know what city I was born, they wouldn’t know which answers are true or which are blue.
I use my password manager to generate the answer. My mothers maiden name is CzyHcjMKMfwT4tZ7HXbavQrOPo and my first pet was Avhu6FqPTRsWwafA, but we called him Avhu for short.
I used to make them quite long until I was asked to confirm my identity over the phone using one once hahaha.
Now they’re max 10 alphanumeric characters and all lower case but still random.
I think it makes it even better when I have to read out my 30 character alphanumeric first girlfriend’s dog’s birth town’s name over the phone… they’re certainly gonna know it’s me calling lol
The absolute best is when you get to choose the security question and you can just put “read the Bitwarden secret.”
I like to think that if enough people ended up taking 10 minutes on a support call to validate someone’s identity, when it should take 10 seconds, maybe the companies would learn to stop asking stupid security questions. I like to think that, but in reality nothing will change.
All of that and the IRS will still ask what street your first pets mom died on.
Ah, yes, D7k3y2mHy5lZhbyHa St, I remember it well.
Yeah security questions like that are the dumbest goddamn thing. “Create a super secure password that no one can guess, and enter the answers of five trivia questions about yourself that are likely in the public record about you or that you’ll happily reveal in small talk with strangers just in case you forget that super secure password.”
Glad this is being discussed. Having worked adjacent to the authentication market, I have mixed feelings about it, though.
There are a few problems with passkeys, but the biggest one is that no matter what, you will always need a fallback. Yes, Apple promises a cloud redundancy so you can still log in even if you lose every device.
But that’s just Apple’s ecosystem. Which, for what its worth, is still evolving. So the passkey itself is phishing-resistant, but humans still aren’t. Fallbacks are always the weakest link, and the first target for bad actors. Email, or sometimes phone and SMS, are especially vulnerable.
Passkeys in their current iteration are “better” than passwords only in that they offload the fallback security to your email provider. Meanwhile, SIM swapping is relatively ready easy for a determined social engineer, and mobile carriers have minimal safeguards against it.
Usability? Great, better than knowledge-only authentication. Security? Not actually that much better as long as a parallel password, email, or SMS can be used as a recovery or fallback mechanism.
I’m not saying passkeys are bad, but I’m tired of the marketing overstating the security of the thing. Yes, it’s much more user-friendly. No one can remember reasonably complex passwords for all 100 of their online accounts. But selling this to the average consumer as a dramatic security upgrade, especially when so many still run passwords in parallel or fall back to exploitable channels, is deceptive at best.
But that’s just Apple’s ecosystem
Apple isn’t the only one allowing redundancy, most popular password managers allow you to lose all your devices and still have passkeys securely stored in the cloud. And people who don’t even know that password managers exists, aren’t going to the early adopters of passkeys.
I’d anticipate that most providers will do something similar. I just mentioned Apple because they’ve been pushing their “cloud backup” hard while still using SMS as a fallback.
I’d be interested to hear which provider, if any, has managed to get around the usual (vulnerable) channels for recovery.
The document you linked says it requires a combination of your apple account password plus an SMS text sent to a pre-registered phone number? Seems like a pretty good setup for most people. Also has the alternative of recovery contacts and recovery keys.
It looks like turning on advanced protection would eliminate the SMS method but I am not 100% sure. Then you would need recovery keys or recovery contact.
https://support.apple.com/en-us/102651
My biggest worry in these cases is not that I get locked out, but rather that Apple mangles my keychain. I have a USB CSV of my passwords in my bank safety deposit box. With passkey I am not sure of how I would get a similar backup.
I get what you’re saying, but it’s not about getting locked out. It’s about other people using recovery methods to take over your account. Why would anyone try to break through durable public-key encryption when you can just phish a victim’s email account password?
And it’s not like real-time phishing for 2FA/MFA isn’t widespread—it’s just not automated to the same level as other methods. That said, two- or multi-factor is going to stop 99% of automated hacks. It’s the determined ones that I’m concerned about.
In regards to the Apple thing… Apple passwords can be reset using a recovery email. That means the security of the account leaves Apple’s ecosystem and relies on the email provider. So, if I’m a cybercriminal determined to hack your account, I start there.
Then, if you’ve got your keychain all set up, it’s time for a SIM swap. I clone your SIM or convince your mobile carrier to give me a SIM with your number. And even if recovery contacts and keys are alternatives, the use of SMS is problematic. If you really can turn it off, then I’m all for it. But if you can’t be sure, neither can I.
SMS is a very low-security option that is showing its age. It was never intended to be a secure verification method, yet it’s become incredibly popular due to its availability. Unfortuantely, telecom companies are simply not interested in upping their security.
All SIM swap protection is opt-in at this point. Verizon and the gang might wise up considering the lawsuits leveled at them by victims—many of whom lost millions in cryptocurrency due to the carriers’ negligence—but it’s not likely.
The point here isn’t that passkeys are bad for consumers. They’re convenient and about as secure as existing methods. The problem is that they’re being sold on average folks as a security upgrade even though they’re more of a sidegrade. PKI/FIDO already existed before the whole passkeys buzz did, and it had the same limitations. This is mostly just branding and implementation.
If you enable advanced data protection apple cannot recover your account. You need your recovery keys or a designated recovery contact.
The apple doc implies (to me) that a SIM swap only works after you authenticate on an apple device (e.g. using your password) even without advanced data protection. I have never tested that.
You can use the long process (many days) to recover an account assuming you haven’t enabled advanced data protection. I’m okay with that as it is perfect for my grandparents (I had an older relative who got their account back through this method).
I get that you could SIM swap to recover other accounts (not Apple) if they have SMS as a recovery method. That sucks and it really sucks for people who don’t get that an email or SMS recovery can be a giant hole in security.
Gotcha, point taken. Ultimately, I think there needs to be a better identity proofing process overall. But that may rely on a total infrastructure overhaul, which seems unlikely.
So you really need two independent devices with their own passkeys to back each other up.
Not sure exactly what you’re getting at, but any authentication model must be designed with the assumption that a user can lose all their devices, passkeys included. That’s where fallbacks come into play. Even with Apple’s system, you can recover your keychain through iCloud Keychain escrow, which (according to their help page) uses SMS:
To recover your keychain through iCloud Keychain escrow, authenticate with your Apple ID on a new device, then respond to an SMS sent to a trusted phone number.
While SIM swaps aren’t super common, they’re not the most difficult attack. Passkeys are strong against direct attacks, for sure. But if I can reset your account using a text message sent to a device I control, is it really that much more secure?
So if you lose access to all of your devices, you’re completely locked out of everything until you’re able to get a new working phone activated on a trusted phone number? The trade-off of inconvenience for security here just doesn’t seem worth it to me.
Depends on the provider in question. While Apple does allow SMS recovery, they also let you designate a trusted contact who can let you in as an alternative. This is obviously more convenient (if you have a friend or family member who can be available when you need them), but the situation with SMS vulnerabilities is still my main gripe.
Is it possible to use some kind of fingerprinting to identify people? It works for marketers, could that idea be used for security?
I am a total noob who is interested, if I come across as uninformed it is because I am.
Totally! Browser and device fingerprinting are commonly used as first-line defenses against ATOs (account takeovers). There are other kinds of fingerprinting, like those that can learn about your installed hardware and drivers. Really, I’m learning about more fingerprinting methods all the time. That said, decisions are usually made based on several different information sources. These include variables like:
- GPS geolocation
- IP address/location
- Time of day
- Device ID, OS version, browser version, etc.
- Hardware profiles, including CPU and GPU architecture/drivers
- User behavior like mouse movement, typing patterns, and scrolling
- Whether the user is connecting via a known VPN IP address
- Cookies and extensions installed on the browser
There’s even some buzz around “behavioral biometrics” to identify individuals by how they type, but this is still not the sole method of identification. It’s mainly about flagging bots who don’t type like humans. However, learning how an individual types can help you determine if a subsequent visitor is the actual account owner or a bad actor.
In my experience, fingerprinting and adjacent identity proofs are rarely used in isolation. They’re often employed for step-up authentication. That means if something doesn’t match up, you get hit with a 2FA/MFA prompt.
Step-up can be pretty complex if you want it to be, though, with tons of cogs and gears in the background making real-time adjustments. Like you might not even realize you’ve been restricted during a session when you log in to your bank account, but once you try to make a transfer, you’ll get an MFA prompt. That’s the UX people in action, trying to minimize friction while maintaining security.
For me, it is the opposite. I would need passkeys to be like my SSH keys - not dependent on some proprietary software and never touching any cloud. For now I am a little bit afraid lock-in might happen at some point, so I wait until the technology matures enough until I can use KeepassXC for it confidently.
My view is that for most people who still use bad passwords it will be a huge upgrade. So even though I use super strong passwords, every service and bank has extra security features because they must cater to simple passwords. So you have to check your email for a stupid code and shit. Or worse, give them your phone number!! Which is an outrage because it’s linked to my government id!!!
Passkeys raise the lowest security ceiling, meaning there should be less checks needed. That’s what I’m excited about lol.
Passkeys feel so much more worse. It becomes one central point to lose everything.
it’s objectively a downgrade to have to get my phone out just to sign into youtube. i broke my phone screen and couldn’t sign into my damn bank until i got it fixed because they making me verify with a text. bullshit world these days
And than there’s Google itself, notorious for blocking people’s accounts for nothing and offering zero recourse to get it back.
Exactly, which is why passkeys are so good.
Exactly. You could have access to your password manager on your computer or a backup hardware security key instead. It doesn’t have to all be tied to just one phone, just like you don’t have to have just one house or car key.
It certainly feels dangerous if forced upon users not aware of the trade-offs. For people already accustomed to using hardware keys, it’s very much an improvement, as more services will support them too. The problem is in the awareness. On the other hand, people already treat regular passwords as throwaway data and expect services to just let them in, or even never log them out. In this scenario, maybe passkeys can still be an improvement: roughly just as much as enforcing using a password manager.
deleted by creator
If you already have a central point to lose everything in the form of a password manager, is it any worse? What’s the difference between a random password stored in your password manager that you don’t remember versus a private key stored in your password manager that you’re not expected to remember? You’ve always needed to make backups or have alternative ways to get in (recovery codes, customer support channels, etc), nothing about that has changed when going from passwords to passkeys. When passkeys are supported on sites, there can be no autofill issues (password or TOTP), no password complexity requirements, no worries about how they are hashing them on the server side, no phishing issues, etc. That’s an improvement over the system we have now.
And for those that don’t have a password manager, they are likely reusing passwords. Passkeys prevent the risk of password reuse and the risk of phishing.
I use a password manager and the database is automatically synchronized to multiple devices. I use syncthing for that, but a public cloud would be fine as well, because it’s encrypted (well, as long as the master password is strong enough)
I export my passwords from my manager regularly and keep them on paper in a secure place. At worst, it would be massively annoying if the password manager somehow blew up. But you can’t hack a paper. On the other hand, like some other person wrote, it’s incredibly easy to break your phone screen and then you’re screwed until you can fix it.
The person who broke their phone screen wasn’t mad about not being able to access the data on it in this case, but rather that they couldn’t receive a text message as the second factor to log in to their bank. Having a backup wouldn’t have mattered, they couldn’t receive the text. Like it or not, having two-factor authentication on accounts is a necessity with the phishing and malware problems out there. Having multiple (secure) factors attached to your account is the best protection against getting locked out.
The breaking of a phone and loss of the data on it can still be protected against by having backups in other locations or offline, like you have.
A huge amount of people use the same password everywhere.
It’s much easier for someone to get your password than your phone.
And it’s much easier for me to lose or break my phone than it is to lose my password.
It’s automatically backed up. This is no different than MFA in that regard. Which I hope you’re using.
Backed up to where and to who?
I highly recommend using something like Bitwarden or 1password (which can manage both passwords and passkeys), and then generating a passphrase using a method like Diceware. If you’re paranoid you might prefer rolling your own with Keepass but for most people that’s going to be a lot of work. I think 1password’s model is about as secure as you could hope for while still trusting a 3rd party. Definitely avoid Lastpass. In addition to widely reported breaches, they don’t even fully encrypt your data; only the password portion is encrypted while usernames and site data are plaintext.
Just a heads up for anyone, bitwarden can be self hosted using vaultwarden. All of the bitwarden apps and extensions will work.
Also, for anyone already using their stuff, Proton Mail rolled out their password manager. I like it so far, the free edition is good.
I just don’t trust myself enough to self host Bitwarden. It’s just too critical of a service for me to be willing to accept any mistake I might make in hosting it. Absolutely worth the $10/year (or $40/year for the whole family), to have some IT professionals and Azure doing the hosting.
Am I paying for Bitwarden?
I’ve legit been telling people that it’s free. xD
Oh well you don’t have to pay for it, but I do for the premium features, most notably family sharing of passwords
Good call, and I agree. I self hosted it but mine was offline, and would only update if I was in my house. Saw proton pass release, and made the switch since I’ve been using their services for awhile, now.
Is keepass really a lot of work though? If you use xc you have a client that works in windows or Linux, the file itself can be hosted anywhere, I ran for years with it on a USB key. There’s no accounts to create, you just download and go.
It’s definitely more work than just buying the service from someone that has a ready made app. I don’t think it’s a thing I would recommend to, for example, my parents. I know xc has some sort of form fill thing but it’s not nearly as nice as the browser plug-ins made by the various password manager vendors.
There’s a Firefox plugin that provides that functionality. As for getting my parents on board, any attempt to get my mil onboard with a password manager has been futile, actually using it seems to be the biggest barrier to adoption in my anecdotal experience
I’m just saying, the user needs to set up Keepass (on multiple ecosystems), find a solution to sharing their database across multiple devices (and note that sites like Dropbox or Google Drive are blocked on a lot of people’s work computers), find a tool for filling those passwords in their web browser, potentially find different solutions for things like secure notes or syncing passkeys, and then maintain all of those things separately. Or they can pay a monthly fee and just have one integrated solution. A lot of people are gonna choose the latter.
KeepassXC works on Mac, too and there’s KeepassDX for Android.
Did not know about the Mac version, my partner is using Strongbox on her mac, I don’t personally use Mac os. I’ve been using keepass2android for a long time, I like that there’s so many different clients for keepass
Since 1P switched to subscription only (which is a dealbreaker for me), I switched to Strongbox. It’s based on keepass, you can store/backup/host your own vault, and it also supports both passkeys and passwords. The UX is almost as good as 1P (few little minor annoying things, but no showstoppers for me). Been great so far.
For some reason I thought The Verge was better about having transcripts for their podcasts. I was kinda interested but not around 28 minutes of audio interested. 😞
Yeah, I get some people prefer that format, but I’m going to skip any article that’s just a link to a recording.
Eh… No, thanks.
No.
That adds nothing to the conversation.
Just my disdain for the idea that passwords will ever go away 😹
Why? Passwords are already used a lot less that they would need to be if we didn’t have things like OAuth tokens, the FIDO2 protocol for 2FA devices, biometrics, etc.
Why should I have to type a password to authenticate myself to a website when I’ve already authenticated myself to the device I’m using and it can present the web site with credentials that prove in who I claim to be?
I think this makes sense for many low impact scenarios, but there’s always going to be a set of services that I dont want to trust to the same provider. For me its my bank, even though passwords have plenty of flaws, and i am trusting my phone to protect tap pay tokens, i would never link my bank login to my google account so I use a memorized password.
of course this is tinfoil hat territory because a threat to my passcodes would probably involve breaking the security systems on android.
I think passcodes currently get consolidated with an entity like Google, but I’ve read Bitwarden is adding support for them. It definitely won’t be an issue long term.
Tuta mail keeps prompting me for a passkey, and I don’t know where to get what it wants. So I basically can’t use it.
Will I be able to export/import a PassKey from a device?
By default the big three (Chrome, Safari, Edge) store them via their normal syncing processes (Google Passwords, iCloud Keychain, Edge’s password manager). If you use a different password manager (e.g. Bitwarden) it’s handled by their normal processes (cloud, syncing a database file, etc). I don’t believe there is a way to export a passkey from most of these at the moment but you can almost always have multiple passkeys attached to an online account so you can always just add your new password manager to your account as another passkey.
There is a way to use a key backed by the hardware that is not exportable such as using a TPM or a physical USB security key but I believe that most are pushing the synced ones for the convenience of the end user.
Bitwarden plans to implement that.