this post was submitted on 16 Oct 2024
272 points (86.4% liked)

Technology

59982 readers
4137 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 26 points 2 months ago (5 children)

Passkeys are also weirdly complex for the end user too, you can't just share passkey between your devices like you can with a password, there's very little to no documentation about what you do if you lose access to the passkeys too.

[–] bandwidthcrisis 13 points 2 months ago (1 children)

I think that passkeys are simple, but no-one explains what they do and don't do in specific terms.

Someone compared it to generating private/public key pairs on each device you set up, which helps me a bit, but I recently set up a passkey on a new laptop when offered and it seemed to replace the option to use my phone as a passkey for the same site (which had worked), and was asking me to scan a QR code with my phone to set it up again.

So I don't know what went on behind the scenes there at all.

[–] ultranaut 1 points 2 months ago (2 children)

The passkey on your phone stopped working when you set one up on your laptop? I would expect the site to allow one per device instead of one per account.

[–] bandwidthcrisis 3 points 2 months ago

It seemed that way, it asked me to scan a QR code on my phone to link it, which didn't happen before.

Or maybe the option to use my phone was some older auth method, where I'd use the fingerprint reader on the phone to confirm a login on the laptop. I thought that was a passkey, but that doesn't fit with what I'm reading about what it does now.

[–] jj4211 1 points 2 months ago (1 children)

Some sites only allow one public key per account...

[–] Spotlight7573 1 points 2 months ago

Which is really stupid of them but technically within spec currently.

[–] vzq 13 points 2 months ago* (last edited 2 months ago) (1 children)

you can't just share passkey between your devices like you can with a password

Either you enroll a system that shares them between devices without the need for special interaction (password manager, iCloud etc) or you enroll each device separately into your account.

You can have more than one passkey for a service. This is a good thing.

[–] [email protected] 2 points 2 months ago

Gotcha, that makes more sense when explained that way!

[–] cmhe 10 points 2 months ago (2 children)

The only way I ever used passkeys is with bitwarden, and there you are sharing them between all bitwarden clients.

From my very limited experience, pass key allows to login faster and more reliable compared to letting bitwarden enter passwords and 2fa keys into the forms, but I still have the password and 2fa key stored in bitwarden as a backup in case passkey breaks.

To me, hardware tokens or passkeys are not there to replace passwords, but to offer a faster and more convenient login alternative. I do not want to rely on specific hardware (hardware token, mobile phone, etc.), because those can get stolen or lost.

[–] [email protected] 2 points 2 months ago* (last edited 2 months ago)

Interesting, maybe I'll give it a try. I didn't know they could just be synced between devices on bitwarden.

[–] [email protected] 1 points 2 months ago

+1 for Bitwarden. Seamless experience so far. EBay hasn’t yet worked properly, but GitHub does for sure. It’s very convenient, especially if your browser doesn’t store cookies

[–] Spotlight7573 1 points 2 months ago (1 children)

you can’t just share passkey between your devices like you can with a password

You would just sign into your password manager or browser on both devices and have access to them?

Additionally, whatever app or service you're storing them in can provide sharing features, like how Apple allows you to share them with groups or via AirDrop.

there’s very little to no documentation about what you do if you lose access to the passkeys too.

If you lose your password, there are recovery options available on almost all accounts. Nothing about passkeys means the normal account recovery processes no longer apply.

[–] [email protected] 2 points 2 months ago (1 children)

You would just sign into your password manager or browser on both devices and have access to them?

Does it work like that? Everything I see says they're tied to that device.

If you lose your password, there are recovery options available on almost all accounts.

Fair, I guess I've never lost a password because it's just a text string in my PW manager, not some auth process that can fail if things don't work just right.

[–] Spotlight7573 3 points 2 months ago (1 children)

Does it work like that? Everything I see says they’re tied to that device.

It depends on what kind you want to use. If you want the most security, you can store them on something like a Yubikey, with it only being on that device and not exportable. If you get a new device, you'll need to add that new device to your accounts. For less security but more convenience, you can have them stored in a password manager that can be synced to some service (self-hosted or in the cloud) or has a database file that can be copied.

Fair, I guess I’ve never lost a password because it’s just a text string in my PW manager, not some auth process that can fail if things don’t work just right.

That's fair. It can be a bit of a mess with different browser, OS, and password manager support and their interactions but it has continued to get better as there is more adoption and development.

[–] [email protected] 1 points 2 months ago

I'm excited to see where it is in another year or so, the idea of using public/private keys for logins is neat for sure.

[–] linearchaos 1 points 2 months ago

Any of the multi-platform password managers that support pass keys will solve this.

You walk into the vault on every platform and your pass keys are magically shared between every platform you're logged into.

In any system that I've used pass keys for (which is every system that supports them), you can go into the password section and delete devices/passkeys.

To regenerate new passkeys they either support it directly in the spot where you deleted it or you log out log back in with username password and 2FA and it asks you again if you want to set up a passkey. I've not run into anything else.