this post was submitted on 30 Mar 2024
298 points (79.3% liked)

Technology

59627 readers
4014 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Passkeys are an easy and secure alternative to traditional passwords that can help prevent phishing attacks and make your online experience smoother and safer.

Unfortunately, Big Tech’s rollout of this technology prioritized using passkeys to lock people into their walled gardens over providing universal security for everyone (you have to use their platform, which often does not work across all platforms). And many password managers only support passkeys on specific platforms or provide them with paid plans, meaning you only get to reap passkeys’ security benefits if you can afford them.

They’ve reimagined passkeys, helping them reach their full potential as free, universal, and open-source tech. They have made online privacy and security accessible to everyone, regardless of what device you use or your ability to pay.

I'm still a paying customer of Bitwarden as Proton Pass was up to now still not doing everything, but this may make me re-evaluate using Proton Pass as I'm also a paying customer of Proton Pass. It certainly looks like Proton Pass is advancing at quite a pace, and Proton has already built up a good reputation for private e-mail and an excellent VPN client.

Proton is also the ONLY passkey provider that I've seen allowing you to store, share, and export passkeys just like you can with passwords!

See https://proton.me/blog/proton-pass-passkeys

#technology #passkeys #security #ProtonPass #opensource

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 62 points 7 months ago (5 children)

Proton is also the ONLY passkey provider that I've seen allowing you to store, share, and export passkeys just like you can with passwords!

1Password has had this for several months.

As others have mentioned, Bitwarden also has this. This really feels like an ad.

[–] slumberlust 7 points 7 months ago

Agreed. Saying PP four times in two sentences triggers my ad sense. Capitalism never capitulates.

[–] [email protected] 6 points 7 months ago

I don't see a way where this isn't an ad, especially with the end and it's frustrating.

[–] set_secret 5 points 7 months ago (2 children)

i looked at it and it literally says passkeys aren't supported on Android right now. so this is bullshit.

load more comments (2 replies)
load more comments (2 replies)
[–] Opisek 57 points 7 months ago (8 children)
[–] halcyoncmdr 47 points 7 months ago (2 children)

Bitwarden currently only supports storing and using Passkeys via the browser extension. You cannot use them on mobile.

[–] Opisek 16 points 7 months ago (1 children)

Ah I see. Hope to see it brought to mobile soon.

[–] lastweakness 12 points 7 months ago

They're rewriting their mobile apps to make it possible

load more comments (1 replies)
[–] victorz 4 points 7 months ago* (last edited 7 months ago)

Seems that way? Although I can't seem to create a passkey somehow. Or is that how it works? Should I be able to create one on a free Bitwarden plan?

Edit: only on browser extension, got it.

load more comments (6 replies)
[–] [email protected] 53 points 7 months ago* (last edited 7 months ago) (8 children)

I really want to like Proton and all their shit, but they seem to heavily advertise everything they have on every software and product they have in a very intrusive and annoying way.

Simply logging into Proton mail and being bombarded by Proton promotional shit feels like Google all over again.

The app reminds me constantly that I'm a piece of shit for not supporting them by subscribing to their VPN, etc etc.

[–] [email protected] 38 points 7 months ago (4 children)

I would rather they make money from advertising their own pretty awesome services than from advertising unsustainable (environmentally, but also unsustainable for the fucking soul!) bullshit via blood sucking multinational tech companies that prey on the masses with whatever data they can automatically dig up on you. The revenue Proton makes from converting free customers to paid allows them to grow a freely available service that is a user-friendly and is a technical rival of the surveillance capitalists.

My take is:

  • If you're the sort of person that is convinced your requirements need some custom covert ops pagan voodoo self hosted data center in an old cold war era bunker, don't let me stop you. You crack right on mate and good luck (sounds like you need it!).
  • If you want the sorts of services Proton provides, but don't want to be fucked, then Proton are a good shout.
  • If you can afford it, pay for it. It makes the experience smoother and keeps a relatively small but decent company going in an ocean of massive cunts.
  • If you can't afford it and don't want to use the free version of Proton, I hear Google and Microsoft will happily buy your soul and sell your data.
[–] Confused_Emus 8 points 7 months ago (3 children)

You’re just going to rub people the wrong way being condescending like that. Find another way to try and bring people to your point of view.

And no, I’m not a shill for Google or Microsoft, I’m a happily paying user of Proton’s products.

load more comments (3 replies)
load more comments (3 replies)
[–] [email protected] 21 points 7 months ago (5 children)

And yet I missed their announcement about their passkeys. In today's competitive world, I think any company that does not advertise in some way, is really not going to survive (as much as I don't like ads either). Maybe I don't see that much as I am paying.

[–] [email protected] 6 points 7 months ago (8 children)

I was getting these advertisements, even as a paid user, just before Christmas. Multiple other people have complained about it both here and on Reddit too. It seems to have gotten better now, but I know a few people have been quite turned off by this.

load more comments (8 replies)
load more comments (4 replies)
[–] [email protected] 6 points 7 months ago

I haven't noticed much beyond emails about general product news.

That's compared to Feedly which actively would popup "hey! have you considered paying us like... 2k/yr (or maybe it was 2k/month) for some service you don't care about that really should be part of our normal RSS product that you're already paying like 200/yr for? Also there's no way to turn these notifications off and we're going to keep sending them periodically. Oh! And we're not going to work on anything you might find interesting or reasonably priced, so ... have fun!"

[–] Confused_Emus 5 points 7 months ago

You get ads to subscribe to a service while using the free tier? Huh, that’s weird…

[–] [email protected] 5 points 7 months ago

When I set up my account, then during setup they asked if I wanted to get email notifications about their products and later it is also available and clearly marked in the account settings. I'd assume that if I turned those setting off, I'd stop getting those emails.

That being said, I have gotten 8 notifications from them over the last 3 months. I have all newsletters and promotional content enabled. This isn't much imo

load more comments (3 replies)
[–] [email protected] 40 points 7 months ago (3 children)
load more comments (3 replies)
[–] [email protected] 40 points 7 months ago (6 children)

This reads achingly like an advert pretenting to be a social media post. BitWarden works fine for third party pass keys on every site I've used it on, ta - and I can self-host it.

load more comments (6 replies)
[–] [email protected] 33 points 7 months ago* (last edited 7 months ago) (9 children)

all devices

Lies, there's no Linux app yet. As usual, Proton Inc continues to treat Linux users as third-class citizens, all whilst claiming they care about privacy and security.


Edit: They don't even have a macOS app yet lol.

load more comments (9 replies)
[–] [email protected] 32 points 7 months ago (1 children)

Vaultwarden is completely in my hands though

[–] [email protected] 6 points 7 months ago (2 children)

True, just hope they eventually get passkeys for mobile.

load more comments (2 replies)
[–] [email protected] 23 points 7 months ago (3 children)

They will have to rip Bitwarden (soon Vaultwarden) from my cold dead hands.

load more comments (3 replies)
[–] Brokkr 20 points 7 months ago (2 children)

I have a question that is kind of off topic. If I use a password manager and generally use randomized secure passwords, do passkeys offer any additional security?

By practicing good password behavior, I have struggled to see how the benefits of passkeys out weigh the hassles.

[–] EncryptKeeper 8 points 7 months ago* (last edited 7 months ago) (8 children)

Yes, passkeys are not brute-forcible, and are phishing resistant.

Whether or not they provide more security depends on how fully they’re implemented. A service that’s fully implemented them, like PlayStation for example, will remove the password from your account after activating your passkey.

Some websites have half-assed their implementations where you can use a passkey or a password to log in. In that scenario, your account isn’t really any more secure, it’s just a more convenient way to log in.

[–] Brokkr 13 points 7 months ago (1 children)

Are sufficiently long passwords susceptible to brute force attacks?

Don't passkeys get that feature by just being longer?

[–] EncryptKeeper 17 points 7 months ago* (last edited 7 months ago) (3 children)

Are sufficiently long passwords susceptible to brute force attacks?

Yes. Thought obviously the odds of success go down the longer and more complex that password.

Don't passkeys get that feature by just being longer?

Put simply… no. Passkeys aren’t just ”longer passwords” sent to the same place. Unlike passwords, Passkeys aren’t a “shared secret” that you’re sending to the service you’re authenticating to. Passkeys use asymmetric encryption and are neither sent to nor stored on the server you’re authenticating to. Your passkey is a private key stored on your device and secured by biometrics, the paired public key for which lives on the server you created the passkey to authenticate to.

In a traditional brute force operation, you’re sending guesses to a server that knows your password. If you send the correct guess, you get in. It’s also possible to steal the password from the server and brute force that offline.

With a passkey on the other hand, the server uses your public key to encrypt a string in a challenge message, this string can only be decrypted by your passkey. You then send a response that’s encrypted by your private key, which can then only be decrypted by the public key on the server. So the thing you’re sending to the server to authenticate isn’t your passkey, and it’s unique every time you log in.

So could you perform some kind of operation that would technically still be a kind of brute force? Theoretically yeah. But even so you’d be limited to brute forcing against the server, which isn’t very effective even against passwords. However you would not at all be susceptible to offline brute forcing based on the capture of a passkey either in flight by breaking encryption, or by breaching the server, because your passkey never leaves your device.

load more comments (3 replies)
load more comments (7 replies)
load more comments (1 replies)
[–] [email protected] 19 points 7 months ago

Everyone should downvote ads type post if you want to keep the community clean.

[–] FrostKing 9 points 7 months ago (3 children)

Can I get an explanation on what exactly passkeys are? I already use bitwarden for passwords, is there any good reason to switch to passkeys if that works for me?

[–] EarMaster 9 points 7 months ago (3 children)

Passkeys are a form of passwordless authentication. You store them in Bitwarden like regular passwords, but when you want to access a site that supports them (e.g. eBay) instead of asking for you password and autofilling or copy pasting it from Bitwarden your Bitwarden pops up and asks you if you want to login and it just happens (if you have multiple passkeys associated with a site you can select which you want to use). That's it. No password fields which get autofilled and no password in your clipboard (history).

[–] FrostKing 4 points 7 months ago (1 children)

Thanks for the explanation. From the sound of it I'll probably stick with passwords—i like being able to copy them, cause I'm often signing in to an application, not a website, etc.

load more comments (1 replies)
load more comments (2 replies)
load more comments (2 replies)
[–] irotsoma 8 points 7 months ago (2 children)

I don't like passkeys yet because they're implemented poorly on most platforms, IMHO, because they replace two factors with one. Some don't let you also turn on two factor auth at all which is dumb, but the ones that do then often only have options that use your device as a factor either through text or email. So if the passkey is your phone and you add text messages as the 2 factor option, that's still your phone. Or if your passkey is your laptop and you're logged into your email on the laptop, it's just one.

[–] EncryptKeeper 7 points 7 months ago (9 children)
load more comments (9 replies)
load more comments (1 replies)
[–] [email protected] 6 points 7 months ago* (last edited 7 months ago) (2 children)

Does it beat Bitwarden though? Bitwardan has supported at least 2 services for me using passkeys ,one of which is google.

I might be misunderstanding this,but it doesn't seem like proton beat anyone to anything.

Edit for info: https://bitwarden.com/passwordless-passkeys/

[–] [email protected] 10 points 7 months ago (9 children)

They're talking about the fact that Bitwarden doesn't support passkeys on mobile

load more comments (9 replies)
load more comments (1 replies)
[–] NightAuthor 5 points 8 months ago

I started using Strongbox on iPhone & Mac for passkey support Bitwarden is still there too, esp for PC, but I may move to an all KeePass setup.

load more comments
view more: next ›