this post was submitted on 11 Oct 2023
292 points (98.0% liked)

Technology

60101 readers
2888 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 2 years ago
MODERATORS
 

Passkey is some sort of specific unique key to a device allowing to use a pin on a device instead of the password. But which won't work on another device.

Now I don't know if that key can be stolen or not, or if it's really more secure or not, as people have really unsecure pins.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 162 points 1 year ago (3 children)

Man, the amount of fearmongering and anti-Google rhetoric in this thread makes me sad. Passkeys are almost entirely a good thing and are supported by many big and small companies.

No, it won’t lock you into Google, it’s an open web standard. Google will have an Authenticator, Apple will, and third parties will spring up to support it as well. And there’s no lock in, you can get a new passkey when you want to switch devices or providers.

No, someone who gets access to your device can’t get access to everything if you have basic security hygeine. Secure your passkeys with a secondary password or use biometric authentication.

Yes, it’s almost a straight upgrade to text passwords. They are immune to phishing attacks and other social engineering tricks, and you don’t need to remember long strings of numbers and letters anymore.

Do your research people, sheesh.

[–] [email protected] 61 points 1 year ago (7 children)

This is starting to really get on my nerves, and I feel like discourse on the fediverse is worse; basically the attitude is that if it's not FOSS and self-hosted, it's shite. That attitude is fucking grating for the rest of us.

[–] alvvayson 44 points 1 year ago

The irony is that it's an open standard. There are FOSS implementations you can self-host. Server side, client side, soft token, hard token. Everything.

https://github.com/herrjemand/awesome-webauthn

People on this thread are just really ignorant, even self-proclaimed security experts.

load more comments (6 replies)
[–] CosmicTurtle 42 points 1 year ago (3 children)

The problem with passkeys is that surrender of a physical key is not protected by the 4th amendment and subject to seizure. From a security perspective, I agree that passkeys are good. But I only use a physical key as a secondary factor. Never a primary.

The courts have ruled that you can't be forced to give up a password or passcode. (We'll have to see if the current court will keep this precedent.)

Until we get better privacy protections, I'm not trusting passkeys whole cloth.

[–] alvvayson 21 points 1 year ago (11 children)

You can protect your passkeys with a knowledge element.

But I don't see your use case. Passkeys are about logging in to webservices, not about protecting devices.

Web service providers can always be ordered to surrender your data by a court. Very few of them even try to encrypt your data. And for those that do, a court order could still force them to intercept your password and decrypt the data.

load more comments (11 replies)
[–] mystik 15 points 1 year ago (2 children)

There is no implementation right now that enables you to own and manage your own passkey backups without Google it icloud.

Additionally, the attestation feature is one step away from banks and other sites mandating specific implementations, preventing people from using software tokens or OSS managers.

Passkeys is great, and I am eager to recommend it to everyone, but without those items addressed, it's a trap door, and one bitflip away from very strong lock in.

load more comments (2 replies)
[–] Rehwyn 8 points 1 year ago* (last edited 1 year ago) (1 children)

My understanding is that, currently, a PIN or password is protected. So if you secure your phone with one of those, access to it is under 4th amendment protection. Given this, I'm curious how passkey legality would work out since it's a physical key, but access to use it would still require a knowledge element.

load more comments (1 replies)
[–] sebinspace 18 points 1 year ago

Google is a lot of things for a lot of reasons. This isn’t one of them. There’s plenty of reasons to bash them without needing to pull shit out of one’s ass

[–] [email protected] 57 points 1 year ago* (last edited 1 year ago) (5 children)

While I would agree this sounds more secure, I'm always worried about people getting further locked in to Google's products.

Hopefully this system won't take accounts "hostage" by requiring you use Chrome to log in to them, but it's Google, so...

EDIT: I'm wrong, passkeys are stored per-device and can be shared between devices using an open standard. Here's a video explaining the basics. It addresses my concern at around the 2:50 mark.

[–] [email protected] 42 points 1 year ago (2 children)

Passkey is an open standard. It's not Google specific.

load more comments (2 replies)
[–] [email protected] 14 points 1 year ago

it's passkeys. they are getting integrated in a lot of stuff right now, including password managers like bitwarden

[–] [email protected] 8 points 1 year ago (10 children)

Use a yubikey, that doesn’t vendor-lock you to an OS ecosystem. They make one with nfc so it’s not a pain to use with your phone.

load more comments (10 replies)
load more comments (1 replies)
[–] alvvayson 33 points 1 year ago (23 children)

It's definitely more secure, since stealing someone's phone is much more difficult to scale up compared to stealing passwords.

[–] [email protected] 30 points 1 year ago (32 children)

I don't think that access to your personal data/email/files being dependent on a battery-powered electronic device is a great idea, to be honest.

load more comments (32 replies)
[–] [email protected] 9 points 1 year ago (1 children)

It's not quite unique to a specific device. You can store your private key in a password manager or something similar, and then access it from other devices

load more comments (1 replies)
load more comments (21 replies)
[–] TheBananaKing 33 points 1 year ago (3 children)

Nope. Not going to have my entire digital everything depend on me not losing or breaking a single electronic device.

[–] [email protected] 21 points 1 year ago (4 children)

From Ricky Mondello, who works on passkeys at Apple: “If it’s device-bound, it’s not a passkey”:

https://hachyderm.io/@rmondello/111188643228872151

load more comments (4 replies)
[–] [email protected] 12 points 1 year ago* (last edited 1 year ago) (2 children)

You won't need to?

The key is for a single device. Logging in on another one is going to generate another key.

They key is secured with the pin of the device, so when you try to log in, you can use the pin to log in, and not the password.

https://youtu.be/6lBixL_qpro?si=wFFQwrfjQBKDHs5B

[–] [email protected] 9 points 1 year ago (2 children)

Would you have to set up multiple devices when making your account then, if you wanted more than just your phone?

load more comments (2 replies)
load more comments (1 replies)
[–] killeronthecorner 9 points 1 year ago (10 children)

Do you not use MFA at all then?

load more comments (10 replies)
[–] [email protected] 27 points 1 year ago* (last edited 1 year ago) (12 children)

I have a long list of questions about PassKeys and none of this articles explains them well enough.

  1. Does Android have it build in AOSP or Google Play Services?
  2. Would it be possible to actually see your private key on Android? Like export them to a file?
  3. Does they work without third party service? Can it be just me and the service I am logging in, or does it require my servers from PassKey provider (like Google, Bitwarden, 1Password) to work?
  4. Can it be used offline? For example, can an offline device create token that second online device could use for login? (Like TOTP codes).
  5. Does they work on other Internet services than the Web? In other words, does they work purely over HTTP and webviews or can they be in future used to login in for ex. SSH servers?
[–] Asudox 12 points 1 year ago (2 children)
  1. Since passkeys are basically asymmetric keys, SSH technically had "passkeys" for years.
[–] alvvayson 13 points 1 year ago (3 children)

Yes, but that's missing the important part.

Passkeys is not primarily about asymmetric keys. It's about applying asymmetric keys to the Web as an open standard.

The W3C Web-Authn standard is what makes it important and revolutionary.

This is just as important as HTML, CSS and ActivityPub.

Finally we have an open standard that integrates in the web and offers a high level of security.

load more comments (3 replies)
load more comments (1 replies)
load more comments (11 replies)
[–] devfuuu 18 points 1 year ago (2 children)

Fuck google.

passkeys sounds good on paper and for most users on day to day stuff should improve their security. But the failure path is horrible and it happens at the worst case most of the time. If I have the keychain on the phone and lose it or is out of battery and usually happens that I need to access some service like email, then if the email provider starts forcing people to use passkeys or you only have that method on, then I'm locked out of the account and can't use email. This will happen for all other services that one may need to use on an emergency. Personally I don't like it.

load more comments (2 replies)
[–] a_fancy_kiwi 18 points 1 year ago* (last edited 1 year ago) (2 children)

Someone else correct me if I’m wrong but it works similar to PGP.

Background info:

  • Your device generates two keys, a private key and a public key
  • The public key can be given to anyone and the private key stays with you
  • The public key is used to encrypt data and the private key is used to decrypt it

Usage:

  1. You sign up for a service with all the normal info minus a password and click submit
  2. In the background, a private key is generated and stored in iCloud Keychain, Google Passwords, or a 3rd party password manager (so all your devices can access it). A public key is also generated and given to the service
  3. Now you try and login. You enter your username and click login
  4. In the background, the server encrypts a challenge, token, or some piece of data and sends it to your device
  5. Your device decrypts that piece of data with the private key associated with the website
  6. At this point, your device either sends the decrypted data back to the server in exchange for an access token or maybe you decrypted the access token (not sure exactly how that will work. If it’s the former, the data would still be encrypted via ssl so only you and the server would see it)
  7. Now you are logged in

Closing:

So, it’s supposed to be more secure because every time you login, you never type in a password that gets transferred to the server for verification. The server is sending your device data to verify so that it can then verify you. This mainly prevents phishing and the reuse of passwords but I suppose if someone hacks into your iCloud account or whatever, they have the keys to the kingdom 🤷‍♂️

[–] [email protected] 12 points 1 year ago (4 children)

As you point out, the single point of failure is access to the passkey repository. Of course, this will usually be 2FA, so much more secure than simple passwords which people usually employ.

One major issue, IMHO, is vendor lock-in. I’ve no doubt Apple is going to make migration away from iCloud a huge pain in the ass. It’s just another way they’re going to make it difficult to leave their ecosystem.

I’m also worried about backups. People lose access to their Google and Apple accounts routinely for any and no reason at all. Will these keys be stored in the cloud? If so, access to EVERYTHING is just a capricious random algorithm away from being lost.

I wouldn’t touch any passkey system which doesn’t provide a seamless way to migrate away especially if I’ve lost access to my Apple/Google account.

load more comments (4 replies)
[–] Nolegjoe 10 points 1 year ago (5 children)

How does this work with checking my emails on a public computer in a library, for example? Somehow my private key needs to be shared with the library pc?

load more comments (5 replies)
[–] NeoNachtwaechter 17 points 1 year ago* (last edited 1 year ago) (3 children)

people have really unsecure pins.

Ok but what's unsecure with '1111' as long as I'm not telling the order of the digits to anybody?

load more comments (3 replies)
[–] MeanEYE 13 points 1 year ago (9 children)

Am not buying the idea. It sounds great on paper but in reality it doesn't feel better. So idea is you have private and public keys, like many other forms of encryption out there. Private is stored on your device, and public is stored on account holder, like Google. Since keys are mathematically linked anything signed with private key can be verified by public key and vice-versa.

This is great technology and has been proven for decades now. It essentially means your device and account holder can exchange data without anyone ever finding out your private key since it never leaves your device.

However, issues. Keys are backed up somewhere and still depend on password, be it pin or regular old password. Recovering lost key means using password still. That means attack vector has just shifted and they won't try to steal your key but social engineer their way into phishing your original password, making the whole thing a bit pointless.

Another things that worries me is the possibility each device will have its own key, although they claim transferable. Depending on what data is used to authenticate and prove device is owned properly this can be used to fingerprint users. For example IMEI or some other unique id, etc. Something that's not easily done with passwords.

Biggest one is the fact it will negate two factor authentication. Verifying code on your phone and knowing password is difficult to exploit since it requires a lot of effort... possession of the device and knowledge of password. But with passkeys, there's no password to remember and everything boils down to owning a device. They are then relying on the OS and device itself not to leak sensitive information. Not something I'd rely on.

Also, private key being backed up on Google means should they ever leak data someone can get everything they need to access your account. Private keys being protected by simple pin or password means nothing and would probably be easily broken due to simple nature of the protection.

Am not convinced this will see such high adoption as so many are claiming it will have.

[–] surewhynotlem 8 points 1 year ago (1 children)

Most hardware today has what's called a TPM. It's a physical hardware chip that can store certificates in a way that can't be extracted.

It's way more secure than someone stealing a cer file.

[–] MeanEYE 7 points 1 year ago

I know what TPM is, am not talking out of my ass here. But chain is only as strong as its weakest link, which is backup certificates somewhere protected by a pin or simple password. If it still requires password to access certificate, than you have moved issues from one place to another. What good is iron front door when you leave your windows open.

load more comments (8 replies)
[–] [email protected] 7 points 1 year ago

This is the best summary I could come up with:


Google is taking a big step toward making passkeys the default login option for its users.

Starting today, users logging in to personal Google accounts will be prompted to create and use passkeys instead of passwords when possible.

They’re both easier to use and more secure than passwords, so users no longer need to rely on the names of pets, birthdays or the infamous “password123.” Instead, passkeys let users sign in to apps and sites the same way they unlock their devices: with a fingerprint, a face scan or a screen lock PIN.

And, unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.

Google has been experimenting with passkeys across numerous products, including Chrome, over the past year.

Users who want to forgo passkeys can uncheck the "skip password when possible" option in their accounts.


The original article contains 289 words, the summary contains 146 words. Saved 49%. I'm a bot and I'm open source!

[–] [email protected] 7 points 1 year ago (1 children)

This video about passkeys is fascinating. They are very secure even if your pin is 1234. The only way for someone to hack your account is if they have your device.

load more comments (1 replies)
[–] [email protected] 7 points 1 year ago* (last edited 1 year ago) (6 children)

How long do you think this will last until they kill it?

load more comments (6 replies)
load more comments
view more: next ›