Not commenting on the merits of the blogpost’s arguments, but Proton is selling their own product here too
Technology
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
And if you believe in our mission and want to help us build a better internet where privacy is the default, you can sign up for a paid plan to get access to even more premium features.
Translation: don't give those other guys money, give us your money!
The horrors of giving money to a company that actually cares instead.
Well no, their call to action isn’t to not give anyone else money. They didn’t have anything negative to say about their competition like 1Password. They’re just warning you about the shady things Google and Apple are doing specifically. And as an alternative they’re offering their own solution instead, which also doesn’t cost any money.
As a fan of Proton services I don’t like “blog posts” from companies where the solution to a problem is just their product, regardless of who the company is
Proton enabled passkeys in their free tier. So ultimately, yes by using their free tier and being safe in the thought that you can always leave if you want, that might drive you to pay for a paid plan.
But companies trying to earn your business by offering you a good honest product is not at all the same as a company using anti-consumer practices to keep you from leaving lol.
If I can't add your passkey to my Bitwarden vault, I'm not using your passkey.
If I can't add your passkey to my local KeepassXC database, I am not using your passkey.
You can also host it yourself.
https://bitwarden.com/blog/host-your-own-open-source-password-manager/
Yea, I know. But my preference is for my password manager to not be cloud at all.
Yeah or if they only offer 2FA via SMS. Like 1) it's not even that much more secure and 2) it's just more awkward.
But I also hate how Steam and Blizzard only allow you to verify logins in their mobile app. Fucking ridiculous.
It seems no matter what new advancements we make in technology the big tech companies seek nothing more to implement it in a way that benefits themselves. Regardless if it means fucking over the consumer.
I really hate what the internet has become over the last couple of years.
That's capitalism for you. They're not interested in making things better, they're interested in making more profit.
Not surprised,
Google too nowadays.
There's a reason why they removed their company motto "Don't be Evil"
don't be google
I am not using passkeys until it's possible to easily migrate them between providers (not just devices / browsers). If I used Proton Pass, and then later decided to use another password manager, could I export my passkey data?
We’ve also given passkeys and passwords equal priority so that you can use them interchangeably in our apps. This means you can store, share, and export passkeys just like you can with passwords.
That's excellent. Thanks for pointing that out!
The next question is does anyone actually let you import passkeys? I don't think there is ☹️
I have a few keys in Bitwarden but before I go adding more I am going to play with Proton Pass. A lot of users were understandably annoyed when Bitwarden released passkey support but in such a limited manner.
Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.
I wonder if there could be any bias in Proton claiming their product is the best
Well of course. It’s still right - the ecosystem lock-in is insane. There needs to be a standard for cloud to cloud transfer between providers.
Or you know, use Proton Pass or 1Password.
I'd trust them miles before Google or Apple. Hell, they dropped the prices on some of their products when they found ways to provide them cheaper. Proton is a good company.
Better yet: use a hardware 2FA token that supports passkeys
The issue is that most of them are limited in the amount of passkeys they can manage.
In the case of the Yubikey 5
Currently, YubiKeys can store a maximum of 25 passkeys.
When vaultwarden supports this I’ll play ball. If I don’t have control over my authentication methods, then they aren’t my authentication methods.
The way Apple or companies like Paypal implement two-factor authentication, let alone passkeys, drive me up the wall. This all could have been so much better.
I’m not even going to mention all the platforms that rolled out passkey creation support, but not passkey login support, for whichever damn reason
Yeah, Apple 2FA is infuriating, especially since you can do all factors from the same device. Kind of defeats the purpose of traditional 2FA/MFA. Also, companies that decide you 2FA experience has to use their app, instead of a standards-compliant TOTP app of your choosing....ugh.
Traditional 2FA (assuming you mean apps with codes) can be done from the same device (if you have the app with the codes installed on that device).
It doesn’t defeat the purpose of 2FA. The 2 factors are 1. The password and 2. You are in possession of a device with the 2FA codes. The website doesn’t know about the device until you enter the code.
If you think forcing everyone to carry an object other than their phone around so they can use 2factor on their phone is a good idea... Or if you said I need to go to my laptop when I’m logging in on my phone and vise versa… that’s nonsense too. Sure maybe some companies require this. But that’s different.
Authy on my phone is just as “dumb” as Keychain on my phone.
How else are you imagining this should work? Keep in mind normal people need to do it too.
I'm well versed in IT security, and even with (or because of) my knowledge, I still haven't looked deep into setting up passkeys on my services. Just because it's such a clusterfuck of weird implementations.
I can't imagine being a normal consumer and wanting to set them up. The poor support teams having to support this...
And I'm managing at least one service at work that could totally benefit from passkey integration. The headache of looking into how to properly implement them is just way too much
Lock downs are pretty much a hard pass for me. Anything I buy, I research, and if there's even the slightest hint of BS incompatibility, it's simply a no go.
Yeah I've avoided passkeys. Anything that Google is pushing to me is always in their interests.
That is not the takeaway here.
The takeaway is Passkeys are great technology but as implemented by Google, Microsoft, and Apple fall short of what they could be.
I noticed that recently every post on Proton's blog has been an advertisement of their services.
They are hypocrites.
A few days ago they posted that corporations are bad because they collect fingerprints, profile users, etc., yet they are no better, as their mobile apps rely on Firebase Cloud Messaging (FCM) owned by Google to deliver notifications to their users.
In 2020 they wrote that they "may offer alternative push notification system", but apparently shitting on corporations is easier than making actual changes. Four years ago.
Could someone ELI5 (if possible) what passkeys actually are?
Basically hardware keys (like YubiKey) without hardware
I'm very excited for the concept of passkeys, but indeed it is a bit of a mess right now. Android password managers can't use passkey inside other apps, basically limited to just the browser. I hope it all gets sorted soon and everyone sticks to an open standard compatibility.
I want to be able to export my passkeys and take them with me to any other chosen passkey manager.