this post was submitted on 09 Apr 2024
503 points (92.7% liked)

Technology

59092 readers
4762 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s
[email protected]
[email protected]
L4s
enu
503
Big Tech passkey implementations are a trap | Proton (proton.me)
submitted 6 months ago by [email protected] to c/technology
221 comments fedilink hide all child comments
 
  • Big Tech has implemented passkeys in a way that locks users into their platforms rather than providing universal security
  • Passkeys were developed to replace passwords for better account security, but their rollout by Apple and Google has limited their potential
  • Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.
top 50 comments
sorted by: hot top controversial new old
[–] phoneymouse 169 points 6 months ago* (last edited 6 months ago) (8 children)

Not commenting on the merits of the blogpost’s arguments, but Proton is selling their own product here too

[–] StereoTrespasser 37 points 6 months ago (2 children)

And if you believe in our mission and want to help us build a better internet where privacy is the default, you can sign up for a paid plan to get access to even more premium features.

Translation: don't give those other guys money, give us your money!

[–] yamanii 45 points 6 months ago (1 children)

The horrors of giving money to a company that actually cares instead.

load more comments (1 replies)
[–] EncryptKeeper 22 points 6 months ago

Well no, their call to action isn’t to not give anyone else money. They didn’t have anything negative to say about their competition like 1Password. They’re just warning you about the shady things Google and Apple are doing specifically. And as an alternative they’re offering their own solution instead, which also doesn’t cost any money.

[–] [email protected] 29 points 6 months ago

As a fan of Proton services I don’t like “blog posts” from companies where the solution to a problem is just their product, regardless of who the company is

[–] EncryptKeeper 22 points 6 months ago

Proton enabled passkeys in their free tier. So ultimately, yes by using their free tier and being safe in the thought that you can always leave if you want, that might drive you to pay for a paid plan.

But companies trying to earn your business by offering you a good honest product is not at all the same as a company using anti-consumer practices to keep you from leaving lol.

load more comments (5 replies)
[–] capital 73 points 6 months ago (15 children)

If I can't add your passkey to my Bitwarden vault, I'm not using your passkey.

[–] [email protected] 46 points 6 months ago (1 children)

If I can't add your passkey to my local KeepassXC database, I am not using your passkey.

[–] FrankTheHealer 16 points 6 months ago (1 children)

Yeah or if they only offer 2FA via SMS. Like 1) it's not even that much more secure and 2) it's just more awkward.

But I also hate how Steam and Blizzard only allow you to verify logins in their mobile app. Fucking ridiculous.

load more comments (1 replies)
load more comments (13 replies)
[–] [email protected] 59 points 6 months ago (1 children)

It seems no matter what new advancements we make in technology the big tech companies seek nothing more to implement it in a way that benefits themselves. Regardless if it means fucking over the consumer.

I really hate what the internet has become over the last couple of years.

[–] [email protected] 18 points 6 months ago (2 children)

That's capitalism for you. They're not interested in making things better, they're interested in making more profit.

load more comments (2 replies)
[–] LemmyFeed 58 points 6 months ago (4 children)

Is this an ad?

[–] EncryptKeeper 27 points 6 months ago

It’s a PSA with an ad at the end.

load more comments (3 replies)
[–] alsu2launda 58 points 6 months ago (6 children)

Not surprised,

Google too nowadays.

There's a reason why they removed their company motto "Don't be Evil"

[–] [email protected] 12 points 6 months ago

don't be google

load more comments (5 replies)
[–] elrik 56 points 6 months ago (2 children)

I am not using passkeys until it's possible to easily migrate them between providers (not just devices / browsers). If I used Proton Pass, and then later decided to use another password manager, could I export my passkey data?

[–] [email protected] 70 points 6 months ago (1 children)

We’ve also given passkeys and passwords equal priority so that you can use them interchangeably in our apps. This means you can store, share, and export passkeys just like you can with passwords.

https://proton.me/blog/proton-pass-passkeys

[–] elrik 24 points 6 months ago (1 children)

That's excellent. Thanks for pointing that out!

[–] [email protected] 12 points 6 months ago

The next question is does anyone actually let you import passkeys? I don't think there is ☹️

I have a few keys in Bitwarden but before I go adding more I am going to play with Proton Pass. A lot of users were understandably annoyed when Bitwarden released passkey support but in such a limited manner.

load more comments (1 replies)
[–] [email protected] 55 points 6 months ago (3 children)

Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.

I wonder if there could be any bias in Proton claiming their product is the best

[–] [email protected] 24 points 6 months ago

Well of course. It’s still right - the ecosystem lock-in is insane. There needs to be a standard for cloud to cloud transfer between providers.

Or you know, use Proton Pass or 1Password.

[–] ikidd 18 points 6 months ago (4 children)

I'd trust them miles before Google or Apple. Hell, they dropped the prices on some of their products when they found ways to provide them cheaper. Proton is a good company.

load more comments (4 replies)
load more comments (1 replies)
[–] [email protected] 54 points 6 months ago* (last edited 6 months ago) (2 children)

Better yet: use a hardware 2FA token that supports passkeys

[–] [email protected] 36 points 6 months ago (20 children)

The issue is that most of them are limited in the amount of passkeys they can manage.

In the case of the Yubikey 5

Currently, YubiKeys can store a maximum of 25 passkeys.

https://www.yubico.com/blog/a-yubico-faq-about-passkeys/

load more comments (20 replies)
load more comments (1 replies)
[–] CriticalMiss 50 points 6 months ago (10 children)

When vaultwarden supports this I’ll play ball. If I don’t have control over my authentication methods, then they aren’t my authentication methods.

load more comments (10 replies)
[–] dinckelman 42 points 6 months ago (2 children)

The way Apple or companies like Paypal implement two-factor authentication, let alone passkeys, drive me up the wall. This all could have been so much better.

I’m not even going to mention all the platforms that rolled out passkey creation support, but not passkey login support, for whichever damn reason

[–] plz1 34 points 6 months ago (3 children)

Yeah, Apple 2FA is infuriating, especially since you can do all factors from the same device. Kind of defeats the purpose of traditional 2FA/MFA. Also, companies that decide you 2FA experience has to use their app, instead of a standards-compliant TOTP app of your choosing....ugh.

[–] [email protected] 32 points 6 months ago (1 children)

Traditional 2FA (assuming you mean apps with codes) can be done from the same device (if you have the app with the codes installed on that device).

It doesn’t defeat the purpose of 2FA. The 2 factors are 1. The password and 2. You are in possession of a device with the 2FA codes. The website doesn’t know about the device until you enter the code.

load more comments (1 replies)
[–] paraphrand 16 points 6 months ago* (last edited 6 months ago) (6 children)

If you think forcing everyone to carry an object other than their phone around so they can use 2factor on their phone is a good idea... Or if you said I need to go to my laptop when I’m logging in on my phone and vise versa… that’s nonsense too. Sure maybe some companies require this. But that’s different.

Authy on my phone is just as “dumb” as Keychain on my phone.

How else are you imagining this should work? Keep in mind normal people need to do it too.

load more comments (6 replies)
load more comments (1 replies)
load more comments (1 replies)
[–] [email protected] 35 points 6 months ago* (last edited 6 months ago) (4 children)

I'm well versed in IT security, and even with (or because of) my knowledge, I still haven't looked deep into setting up passkeys on my services. Just because it's such a clusterfuck of weird implementations.

I can't imagine being a normal consumer and wanting to set them up. The poor support teams having to support this...

And I'm managing at least one service at work that could totally benefit from passkey integration. The headache of looking into how to properly implement them is just way too much

load more comments (4 replies)
[–] werefreeatlast 30 points 6 months ago

Lock downs are pretty much a hard pass for me. Anything I buy, I research, and if there's even the slightest hint of BS incompatibility, it's simply a no go.

[–] AWittyUsername 22 points 6 months ago (10 children)

Yeah I've avoided passkeys. Anything that Google is pushing to me is always in their interests.

[–] [email protected] 33 points 6 months ago (5 children)

That is not the takeaway here.

The takeaway is Passkeys are great technology but as implemented by Google, Microsoft, and Apple fall short of what they could be.

load more comments (5 replies)
load more comments (9 replies)
[–] mypasswordis1234 21 points 6 months ago* (last edited 6 months ago) (5 children)

I noticed that recently every post on Proton's blog has been an advertisement of their services.

They are hypocrites.

A few days ago they posted that corporations are bad because they collect fingerprints, profile users, etc., yet they are no better, as their mobile apps rely on Firebase Cloud Messaging (FCM) owned by Google to deliver notifications to their users.

In 2020 they wrote that they "may offer alternative push notification system", but apparently shitting on corporations is easier than making actual changes. Four years ago.

load more comments (5 replies)
[–] viralJ 16 points 6 months ago (11 children)

Could someone ELI5 (if possible) what passkeys actually are?

[–] callmepk 11 points 6 months ago (1 children)

Basically hardware keys (like YubiKey) without hardware

[–] zewm 34 points 6 months ago (17 children)

So…. Software keys…

load more comments (17 replies)
load more comments (10 replies)
[–] [email protected] 11 points 6 months ago* (last edited 6 months ago) (6 children)

I'm very excited for the concept of passkeys, but indeed it is a bit of a mess right now. Android password managers can't use passkey inside other apps, basically limited to just the browser. I hope it all gets sorted soon and everyone sticks to an open standard compatibility.

I want to be able to export my passkeys and take them with me to any other chosen passkey manager.

load more comments (6 replies)
[–] [email protected] 10 points 6 months ago (4 children)

Passkeys sound great. Where's the support for Firefox, Proton Pass? Bitwarden has it.

load more comments (4 replies)
load more comments
view more: next ›