Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
While the lock-in issue is annoying and a good reason not to adopt these, the device failure issue is a tech killer. Especially when I can use a password manager. This means I can remember two passwords (email and password manager), make them secure, and then always recover all my accounts.
Passkeys are a technology that were surpassed 10 years before their introduction and I believe the only reason they are being pushed is because security people think they are cool and tech companies would be delighted to lock you into their system.
This is the only accurate take in the whole thread.
Passkeys solve “well, can’t be fished” by introducing 2 new problems and never resolving super prevalent session hijacking. Even as a basic cost-benefit analysis, it’s a net loss to literally everyone.
That’s what I worried, and then especially to computers that age out of updates (2 older MacBooks).
We end up having to reauthenticate on some other device at some point anyway and that means there’s still going to be a weak point.
Like with 2 auth sim jacking.
Cops also love them because they make getting access to your entire phone including all accounts simple as cake if you use fingerprint/faceID to unlock your device.
Password managers store passkeys. They’re portable and not device-locked. Been using them on Bitwarden for like 2 years now.
It is not portable in the sense that you need bitwarden installed on the device you are trying to connect from.
Passwords can be plain text, which means I can copy, paste, and dictate them to a device that does not have additional software installed.
its being pushed because corporations want to control your passwords with lock-in.
no way i’m using that garbage over my own manager with recallable plaintext passwords.
You can transfer passkeys between platforms? This is a non-issue
all at once? i don’t think so.
even then, corporate apps will always remove convenient features later for lock-in. i don’t fall for this shit anymore.
You can store Passkeys in open source password managers.
I don’t know most of my passwords, so the step to passkeys doesn’t feel like a big one. I also really like the flow of pressing Login; Bitwarden pops up a prompt without me initiating it; I press confirm. Done, logged in, and arguably more secure due to the surrounding phishing and shared secrets benefits.
Sure, they probably work great when you have your *passkey manager on the device, but that’s not when I need to have backup routes into my accounts. When using a new device, or someone else’s, having even a complicated password that can be typed or copied-pasted has way more functionality.
As far a I can tell, using passkeys would only risk locking me out of my accounts. Everyone else is already effectively locked out.
You could also use dedicated hardware to store your keys. Any FIDO USB key will do. I have a Yubikey that cost me less than 30 bucks.
It’s really handy, because I frequently use someone else’s device for work. All I have to do is plug it in, press the button on the key and enter the master password for the passkey storage. It’s like having a password manager on a USB stick.
I can access my password manager via the browser from any device.
Can’t you access your password manager from a web browser? Or your phone?
Oops, meant passkey manager, fixed it.
Isn’t that the same thing? All my credentials & passkeys are in the cross-platform password manager available from all my devices & any web browser. Passkeys even have a cross-device flow, so we can just scan a QR code & use a phone to sign into anything.
Manually keying in a password just feels so boomer.
Not at all the same. I can type or dictate my passwords on any device with a keyboard. I am not reliant on an individual device continuing to work. In fact I could get all new devices tomorrow, with no access to any previous device, and log into all my accounts within minutes.
Passkeys do not allow, and specifically prevent, that.
Exactly the same with a password manager which stores passkeys. Are you reading before responding?
I was never prompted to do such a thing. It always just told me to plug in my phone (and even that didn’t work).
Yeah the moods in this thread, like
“[I don’t understand this]!”
“[I don’t trust this]!”
“[It doesn’t fix everything]!”
“[This doesn’t benefit me]!”
“[What’s wrong with old way]!?”
And like, all valid feelings… just the reactions are a bit… intense? Especially considering it’s a beta stage auth option that amounts to a fancy version of the old sec key industry standard, not the mark of the beast.
Because we all know it will eventually go from a “neat” to mandatory with vendor lock-in for no other reason than “fuck you”.
We’ve all seen it a few hundred times now with X, and Y.
I get a few daily pop-ups for “Want to use a pass key”. One from my bank. No I don’t want to link my fingerprint to my bank account especially in a way that will lock me out when I replace my phone.
Remember folks: Biometrics (What you are) is not constitutionally protected but what you know is (for now at least).
If we cut and run every time a big corporation “embraces” a new standard, just to lessen the pain of the day it’s inevitably “extinguished,“ we’d miss out on quite a lot.
This standard was open from the start. It was ours. Big corps sprinted ahead with commercial development, as they do, but just because they’re first to implement doesn’t mean we throw in the towel.
Also:
This is a fundamental misunderstanding of how the FIDO2 standard works. It is not designed to be vendor specific and as other people in this thread point out, plenty of open-source secrets managers and hardware implement passkeys.
What we’ve seen is the typical Silicon Valley model of “embrace, extend, extinguish” so you’re right to be wary of any implementation by Google or Microsoft.
Same goes for biometrics - how you unlock the passkey isn’t specified in the standard. It is left up to the implementation. If you don’t want to use biometrics, you don’t have to.
You do not need your fingerprint or any other biometric to use a passkey.
You do not lose access to passkeys when you lose your device.
I think they are being pushed because cool technology on paper. Whenever I read an article about them, I can’t help but think about the human factors. How are passkeys created, often by a password or email. okay… that looks a lot like a password. Oh you lost the passkey, here lets send you one again. It stinks of a second factor without a first. Sure, the passkey itself is hard to compromise, but how about its creation. If your email is compromised I see no difference from passwords or passkeys.
They don’t email you a passkey, what are you even talking about?
There are quite a few uninformed takes here & the number of upvotes they got for it is stunning. Lemmy. 😞
Lemmy has been very anti passkey at least since it’s rise in 2023, it’s very interesting how tech forward Lemmy generally is and how anti passkey and not even anti, just generally uninformed on them they are.
I for one love them. I always read everyones opinions here and just think nobody has even attempted to use them. It’s very simple.
The flow I hear about when people talk about passkeys is sign up with email. Code gets sent to email. Code is entered, passkey gets generated. There always seems to be some similar step that looks like that, and often you have new device or reset that looks the same. Sure the passkey itself is secure, but how do you get it, how do you generate it, how do you validate the first time?
None of that is remotely true lol. You don’t get a passkey, you generate. Nothing is “sent” to you at any point in time, it has nothing to do with email.
Instead of saying how it doesn’t work, it’d be more constructive to explain how it does.
Seems a little redundant when the article we’re all commenting on does precisely that.
You mean like… the article you’re commenting on does?
I came to sorta say this. Regardless of the system if it can fail and if people have to recover an account then phishing will always be a thing. In person options to deal with an account like with bank branches or government offices are the only true way of making things more secure. I sometimes think it would make sense for this. One rare thing I have seen that gives me a bit of hope is the use of in person at the post office for us government accounts. Thats exactly how it should be done. Secretary of state for state and usps for federal. They are the only agencies with enough physical locations.
Question is by what? I could see an argument that it is an overcomplication of some ill-defined application of x509 certificates or ssh user keys, but roughly they all are comparable fundamental technologies.
The biggest gripe to me is that they are too fussy about when they are allowed and how they are stored rather than leaving it up to the user. You want to use a passkey to a site that you manually trusted? Tough, not allowed. You want to use against an IP address, even if that IP address has a valid certificate? Tough, not allowed.
They were surpassed by password managers and 2fa.
Technically they are the 2fa. The second factor is something you have. I store all my passkeys in my password manager too, so I’m not faulting you, but technically that’s just undoing the second factor, because now my two factors are “two things that are both unlocked by the same one thing I know”. Which is one complicated factor spread across two form fields.
Password managers are a workaround, and broadly speaking the general system is still weak because password managers have relatively low adoption and plenty of people are walking around with poorly managed credentials. Also doesn’t do anything to mitigate a phishing attack, should the user get fooled they will leak a password they care about.
2FA is broad, but I’m wagering you specifically mean TOTP, numbers that change based on a shared secret. Problems there are: -Transcribing the code is a pain -Password managers mitigate that, but the most commonly ‘default’ password managers (e.g. built into the browser) do nothing for them -Still susceptible to phishing, albeit on a shorter time scale
Pub/priv key based tech is the right approach, but passkey does wrap it up with some obnoxious stuff.
All of the modern browsers have built in password managers so I doubt that very much.
Are they as secure as your self-hosted bit warden that is not accessible via the Internet? No.
But it does still keep track of your usernames and even alerts you if you have a breach.
Ok, I’ll concede that Chrome makes Google a relatively more popular password manager than I considered, and it tries to steer users toward generated passwords that are credible. Further by being browser integrated, it mitigates some phishing by declining to autofill with the DNS or TLS situation is inconsistent. However I definitely see people discard the suggestions and choose a word and think ‘leet-speak’ makes it hard (“I could never remember that, I need to pick something I remember”). Using it for passwords still means the weak point is human behavior (in selecting the password, in opting not to reuse the password, and in terms of divulging it to phishing attempt).
If you ascribe to Google password manager being a good solution, it also handles passkeys. That removes the ‘human can divulge the fundamental secret that can be reused’ while taking full advantage of the password manager convenience.
Lack of adoption doesn’t really make password managers a workaround. What’s being worked around? People’s laziness?
Password managers actually do solve the phishing problem to an extent, since if you’re using it properly, you’ll have a unique password for every service, limiting the scope of the problem.
Putting TOTP 2fa codes in your password manager behind the same password as everything else actually destroys any additional security added by 2fa, since it puts you back to a single auth factor.
Well yes, that is a huge one. I know people who when faced with Google’s credible password suggestion say “hell no, I could never remember that”, then proceed to use a leet-speak thinking computers can’t guess those because of years of ‘use a special character to make your password secure’. People at work giving their password to someone else to take care of someething because everything else is a pain and the stakes are low to them. People being told their bank is using a new authentication provider and so they log dutifully into the cited ‘auth provider’, because this is the sort of thing that (generally not banks) do to people.
Exactly, it mitigates, but still a gap. If they phish for your bank credential, you give them your real bank password. It’s unique, great, but the only thing the attacker wanted was the bank password anyway. If they phish a TOTP, then they have to make sure they use it within a minute, but it can be used.
From the user perspective that knows they are using machine generated passwords, yes, that setup is redundant. However from the service provider perspective, that has no way of enforcing good password hygiene, then at least gives the service provider control over generating the secret. Sure a ‘we pick the password for the user’ would get to the same end, but no one accepts that.
But this proves that if you are fanatical about MFA, then TOTP doesn’t guarantee it anyway, since the secret can be stuffed into a password manager. Passkey has an ecosystem more affirmatively trying to enforce those MFA principles, even if it is, ultimately, generally in the power of the user to overcome them if they were so empowered (you can restrict to certain vendor keys, but that’s not practical for most scenarios).
My perspective is that MFA is overblown and mostly fixes some specific weaknesses: -“Thing you know” largely sucks as a factor, if I human can know it, then a machine can guess it, and on the service provider there’s so much risk that such a factor can be guessed at a faster rate than you want, despite mitigations. Especially since you generally let a human select the factor in the first place. It helps mitigate the risk of a lost/stolen badge on a door by also requiring a paired code in terms of physical security, but that’s a context where the building operator can reasonably audit attempts at the secret, which is generally not the case for online services as well. So broadly speaking, the additional factor is just trying to mitigate the crappy nature of “thing you know” -“Thing you have” used to be easier to lose track of or get cloned. A magstripe badge gets run through a skimmer, and that gets replicated. A single-purpose security card gets lost and you don’t think about it because you don’t need it for anything else. The “thing you have” nowadays is likely to lock itself and require local unlocking, essentially being the ‘second factor’ enforced client side. Generally Passkey implementations require just that, locally managed ‘second factor’.
So broadly ‘2fa is important’ is mostly ‘passwords are bad’ and to the extent it is important, Passkeys are more likely to enforce it than other approaches anyway.
I use them with bitwarden and a self hosted vaultwarden. If my phone breaks, no issue. If my server breaks, I got local backups… Keys are stored encrypted in a postgres database for which I have access, if I need to restore it. No lock-in issue or risk of loosing access when one or two devices break.
That sounds great, but also isn’t a solution for most people.
True. But most good stuff isn’t a solution for everyone. It takes real effort to escape vendor-lockin. Bigtech made sure of that.
If something is too simple to set up or requires no set up, or comes from a for-profit company, but doesn’t cost anything, then it always suspicious.
I am just saying that the issue is not with passkey itself, but the individual implementations and that google/twitter/etc. is pushed towards regular users.
Critiquing passkey because vendor-lockin is like critiquing HTML for allowing ads.
Even if you are really careful, your details can always be leaked from a company server during a breach. If the companies adopt passkeys, that issue isn’t there. Because there isn’t a password anyone can randomly use. That’s why I feel big tech companies are moving towards it.
Yes, you have to trust the company storing the passwords.
A good company can store passwords in ways that are secure to most hacking attempts. It isn’t impossible to break the encryption typically used, but it is difficult enough that most thieves will not have the resources or time to make use of the data. They want the low effort password databases, not the difficult and expensive ones.
Companies should already be storing password hashes, so the risk of leaking a hash vs a public key is roughly the same. It’s just that private keys are generally longer than passwords and therefore harder to bruitforce.
Any company storing passwords in a recoverable format deserves to be hacked.
I’ve found a pretty good use for a passkey. Docusign. About every 3 months I need to docusign something at work. The process involves logging in, changing your password, logging in again, opening the document, logging in to sign, logging in to finish. The only steps you get to skip if there’s more than one document is the initial log on, and changing password. So with a passkey I just touch it a bunch of times and there’s no password change.
Sounds like a password manager would make that way easier. Changing your password would involve a few extra clicks. Also, you might want to check with your IT folks. Asking people to constantly change their password is a good way to weaken password strength. I don’t use docusign, but there is probably a setting that they can change.
Oh, I agree, but I have to argue enough with professionals who know better as it is. I have to do it every day with recent PhDs as a BA who’s been doing the job for 15 years. At this point it’s not my problem if something happens. I have other things that affect me every day to fight about. I’ll just continue cycling through my no repeats after 10 changes, 12 character passwords and using my yubikey for docusign for my own sanity.
sounds like a better solution is don’t use docusign
K, I’ll go tell the CEO that they need to come up with something different.
There’s like a million other free/libre digital document signing platforms out there. Try one that doesn’t suck.
Unfortunately, per the comment you replied to, that isnt under my control.