A lot of services support passkeys. Microsoft even has an option to make my account “passwordless”. Since they are more secure than passwords, will you be switching some / most of your accounts to passkeys any time soon? Interested to hear everyone’s thoughts on passkeys. 🔑
You must log in or register to comment.
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
- Don’t promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
Chat rooms
-
[Matrix/Element]Dead
much thanks to @gary_host_laptop for the logo design :)
- 0 users online
- 57 users / day
- 383 users / week
- 1.5K users / month
- 5.7K users / 6 months
- 1 subscriber
- 2.82K Posts
- 70.8K Comments
- Modlog
passkeys were invented for vendor lockin and will be used to add friction to migration, say if you wanted to move from apple to bitwarden well sorry you can’t. fido originally made the protocol to sell their dongles and fought like hell to keep them off smart phones, platform vendors are only interested in this to lock you into their system too. there is absolutely nothing wrong with normal passwords.
Random passwords and MFA all the way!
Was about to post the great blog post from my bookmarks, but another commenter beat me to it (t y !). Here’s comments on that blog post on Lobsters and HN :
They’re FIDO keys but bad.
Here’s a great blog post from someone who knows what they’re talking about: https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/
Very enlightening read. That service lock-in is so real. I had some passkeys in Google Password manager (Android) just to try them out, and then wanted to move them to Bitwarden. I had already disabled Google Password manager on my phone to use Bitwarden. Imagine the headache I had to deal with to move a single passkey over to Bitwarden (really, I deleted one and added one, while dealing with UI hurdles). Until this improves (if ever), I’ll probably stick to my passwords and normal 2FA.
they don’t work. Technically they do, but they are a major major pain to manage.
They’re better than passwords in that they really are phishing proof and well they are basically RSA key pairs that are generated, so they are naturally brute force resistant. Great for the majority because most people reuse their crappy password over and over again, ignorant of the fact that password managers exist just because they have to spend 10 seconds more to press buttons to generate a password and store them in the db. The tech is great as long as the user knows how to keep them safe.
HOWEVER: Since third party password managers (like Bitwarden, 1Pass, etc.) just recently started to provide support for passkeys, alot of people who wanted to use passkey on first release were locked into big tech bros like Google on Android and Apple on iOS’ solutions. And well that’s not good at all. The tech is great though, I’m all for it. You just need to know where to store them. Ideally, I’d store them offline on my device and that exists already but not on Linux (afaik) nor on Android are they a reality yet.
^They definitely are not more than secure than my yubikey though.^
Passkeys as password replacements reduce the total factors required to login to a service. If you use 2fa for all your services anyway then passkeys are a downgrade. That’s why so many people are angry they are having security options removed.
For people who use the same username and password everywhere, then passkeys are a upgrade.
So normal people get a benefit from passkeys in exchange for getting locked into a ecosystem.
For security minded people I hate passkeys.
I WANT my logins to be something I know, something I have, and something I am. Password, hardware key, biometric unlock of key.
I don’t mind passkeys existing, but I HATE that services are replacing hardware key flows with passkey flows. I want to use my hardware key as fido2 not as a passkey. I don’t want to downgrade my security! Microsoft makes it impossible to use a 2fa hardware key as a second factor now, only as a passkey, that’s strictly worse then before.
To be fair, there is a “something you know” factor - the passphrase for the database containing the passkeys. But I kinda do wish they were more easily password-protected individually, like how you do with SSH keys. You can have a separate database for each passkey I guess… But yea, inconvenient.
deleted by creator
Passkeys are basically FIDO2.
FIDO2 wasn’t really adopted, so now they are marketing it under a new name (while also allowing more liberal ways of storing the keys, no “normal” user would keep a FIDO2 stick with them all the time). So, you can still use your FIDO2 stick (as long as it is not too old I guess) or a password manager like KeePassXC. No need to switch to the Apple/Google/Microsoft stuff.
Lol…
https://bitwarden.com/resources/passkeys-faq/
Really? Bunch of open source tools like Bitwarden and Firefox support passkey. Are you saying they all use and pay for licensed code?
I highly dislike the idea of a passkey replacing a password as it means you’ve lost the something you know and replace it only with something you have.
Passwords AND passkeys together sound great.
To be fair, you cant use the passkeys unless you are logged into your password manager, which requires a password you “know”.
It could be your phone or computer as well, they don’t have to be in a password manager.
And that’s often going to be the default people use.
Now it’s just your face or fingerprint, both of which are easier to bypass if it’s targeted.
Well, then its still 2FA. Something you are and something you have.
Just in addition to my other reply… that was assuming it’s not a government agency.
The police can just force you to do it, but they can’t force a password.
Everyone using a passkey and biometrics on their hardware is law enforcements wet dream.
Including border security where you have less rights.
This exactly why I have a phone that lets me use two factors to unlock it, pin plus fingerprint!
It let’s you require both?
It looks like it’s pin and optional fingerprint, not pin and fingerprint for me? On Android
This is why I always turn it off in airports though.
Pin to unlock phone
Fingerprint to unlock work profile.
It’s just much weaker than a password and passkey / security key.
Something you are can easily be taken from you. (Edit: eg lifting fingerprints can unlock things)
Something you know is harder and would escalate a situation if forced substantially.
I would like to use it (or any biometric authentication at all) on Linux with my USB fingerprint reader (DigitalPersona 4500), but it seems broken in libfprint and the devs are unresponsive to their gitlab issues. Using a Windows VM just for fingerprint support is not something I want to do either.
If you care about privacy then you care about security; if you care about security then why would you ever use a password again?
Security is a spectrum and not everyone has the same threat model. Also weaknesses that target passkeys might be useless for those who use passwords, and vice versa. And as another commenter said, you kinda lose the “something you know” when you’re only using a passkey. Or you could use both if a service allows it.
I’ll use passkeys if and only if they work with my password manager (Proton Pass). If not, I’m sticking with the password (and 2fa if they offer it)
Proton Pass already supports passkeys: https://proton.me/support/pass-use-passkeys
I know but not all websites do
The website has to build in support for them. Youll start seeing it more over time.
They are more secure than password authentication, though how much more secure depends on how the user manages their passwords.
If a user never reuses passwords across different services and maintains long complex passwords, preferably randomized strings; the security upgrade of Passkeys is quite marginal. Arguably marginal enough to not even bother. The farther a user gets from ‘ideal’ password security practices though, the more of a security upgrade Passkeys would be for them; though convincing them of that is another story…
Switching to Passkeys does take a lot of responsibility off of both the user and service provider. The user no longer needs to ensure passwords aren’t reused, insufficiently complex, or already compromised; and the service provider doesn’t need to worry about leaking your passkey as they only have the public key portion which can’t be used to login as you.
In some ways they can be more inconvenient though. With a password, even long unique complex passwords stored in my password manager; I can open the password manager on my phone, read the password I want, and manually enter it into an unfamiliar or shared device without having to load my entire password/key vault onto that device. Passkeys make that impossible; essentially forcing you provide the whole vault to the device or give up. It is also a big step for people that aren’t familiar with password managers and are used to just remembering their passwords, to then switch to a passkey manager where they can’t use their memory to login anymore.
There’s good sides and bad sides to everything really. Some people will prefer one way, some will want the other way. Ultimately I think we’ll get pushed into using Passkeys by most companies, just so they can shed some of the responsibility of keeping your credentials secure. A stolen passkey database, unlike a password database, would not allow you to pose as users, which leads to less claims of fraudulent activity.
Passkeys (depending on implementation) are more resistant to info stealer viruses.
The private key portion can be in your OS’s credential store and can be used to sign the challenge without being revealed to the calling application.
Of course this doesn’t work if you got rooted, but a lot of viruses of this kind try to steal what they can get as a regular user, and you can get a lot, ie AWS credentials, saved browser passwords etc.
In my view it’s cheap defense in depth.
I would very much prefer to use passkeys wherever possible. My password manager of choice Bitwarden also supports them. Unfortunately, Android 13 which I am running does not support setting a default app to handle passkeys. So I cannot access that functionality on my phone yet. I think in a few years I will be authenticating with passkeys for a lot of services. However there will be a lot of services that lag behind in terms of offering passkey authentication.
Since I use a good password manager. And use TOTP on everything I can. Which admittedly I do store in my password manager as well. I don’t think passkey really improves security very much in my case.
That being said though I’m a big fan of passkeys and use them everywhere I can. But I don’t store them on devices only in my password manager. So I don’t have to worry about if I lose a device.
I think where passkeys really shine though is for people who still aren’t using a password manager. While I’ve tried to get everyone I know using bitwarden most still don’t. And the ones that do still don’t have half of there accounts in it. They are still reusing passwords across multiple sites. So I think passkeys will massively increase security for the majority of ppl. And for those of us using password managers I still think its a slight improvement to convenience.
@bilbobaggins The good part: my self-hosted VaultWarden supports passkeys, so I’ve added them to everything I can. The bad part: Android does not support third-party passkeys on Android 13 and lower, and guess whose phone is stuck with 13 being the latest official release for his smartphone - that means that the websites that completely substitute the password with a passkey, such as PlayStation and Microsoft, are currently off-limits for me because I’ll end up locked outside.
Yeah, I noticed incomplete support as well even though I do have Android 14. I opened an incognito tab on my phone to log in to Google with my passkey and it kept asking for my device fingerprint. Not the passkey I saved in Bitwarden. It still logged me in but it wasn’t quite right. Feels like Android really wants me to use Google’s passkey manager 😓 hopefully this all changes in the future
Have not tried passkeys on mobile, so wonder how it is on Graphene and other degoogled OSes…
With Bitwarden, you can use passkeys on chromium browsers. Vanadium actually enabled support in advance.
You need to have Play Services installed, though. This is due to Chromium, nothing GOS can do about that. No need for even network permission for Play Services, luckily.
Firefox is supposedly adding a standalone implemetation, which won’t require Play Services, any year now…
Don’t have Proton Pass, so don’t know what’s the situation there. With BW+Vanadium, they work well. I just wish Play Services weren’t required. With Google Passwords they probably just work.
Ah, thanks! I don’t use passkeys myself yet, and I guess would be waiting longer - really don’t want Play Services in any form)
Mostly wondering for KeepassXC, as the managers you mentioned are cloud.
They are convenient, but there’s only a couple sites that support full login with passkeys. I’m reading between the lines of your comments none of them are sites you’d use (Microsoft, Github, Google, etc…)
Someone else commented KeepassXC has an open issue about passkeys, perhaps they’ll add support sometimes too.
You’re not really missing anything yet, to be honest. I’ve mostly tried them out just out of interest, and it’s still very much aimed at people using Google or Apple…