3mo ago

The War on Passwords Is One Step Closer to Being Over

www.wired.com The War on Passwords Is One Step Closer to Being Over

“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.

“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.

130 comments

If the passkeys aren't managed by your devices fully offline then you're just deeper into being hostage to a corporation.
- The lock-in effect of passkeys is something that this protocol aims to solve though. The “only managed by your device” is what keeps us locked in, if there is no solution to export and import it on another device.
  The protocol aims to make it easy to import and export passkeys so you can switch to a different provider. This way you won’t be stuck if you create passkeys e.g. on an Apple device and want to switch to e.g. Bitwarden or an offline password manager like KeyPassXC
  The specifications are significant for a few reasons. CXP was created for passkeys and is meant to address a longstanding criticism that passkeys could contribute to user lock-in by making it prohibitively difficult for people to move between operating system vendors and types of devices. […] CXP aims to standardize the technical process for securely transferring them between platforms so users are free […].
  
  That's between platforms though. I like my stuff self-managed. Unless it provenly works with full offline solutions I'll remain sceptical.
  
  And who forces all the corps to correctly implement that protocol? Getting you locked in is in all of their interests, after all.
  
  not the first time i hear this though. im skeptical until proven otherwise
- That's a great way to lose access if your device gets lost, stolen, or destroyed. Which is why I'm against and will continue to be against forcing 2FA and MFA solutions onto people. I don't want this, services don't care if we're locked out which is why they're happy to force this shit onto people.
  
  Well yeah, that is true. Security and convenience are usually at odds... MFA has place, unless you don't mind some guy from russia access your online bank account ; but I definitely wouldn't use it on all my accounts.
  
  In case the device gets lost/stolen, you should have a backup of the database that contained the passkeys. That's why I would be only using the implementations that allow doing that easily.
- Y'all here talking so smart ignore another thing - the more complex your solutions are, the deeper you are into being hostage to everyone capable of making the effort to own you.
  Don't wanna be hostage - don't use corporate and cloud services for things you need more than a bus ticket.
  You are being gaslighted to think today's problems can be solved by more complexity. In fact the future is in generalizing and simplifying what exists. I'm optimistic over a few projects, some of which already work, and some of which are in alpha.
  
  Thank goodness you didn’t mention any names
- Not to mention Apple let's you SHARE them with airdrop.

Literally just use a password manager and 2/MFA. It’s not a problem. We have a solution.
- Actually, it is still a problem, because passwords are a shared secret between you and the server, which means the server has that secret in some sort of form. With passkeys, the server never has the secret.
  
  The shared secret with my Vaultwarden server? Add mfa and someone needs to explain to me how passkeys do anything more than saving one single solitary click.
  
  Best password manager is offline password manager.
  KeepassXC makes a file with the passwords that is encrypted, sharing this file with a server is more secure than letting the server manage your passwords
  
  You can share passwords without the server seeing them. Many managers don't but there's nothing infeasible there. You just have a password to unlock the manager. Done.
- Never forget that technologically speaking you're nothing like the average user. Only 1 in 3 users use password managers. Most people just remember 1 password and use it everywhere (or some other similarly weak setup).
  Not remembering passwords is a huge boon for most users, and passkeys are a very simple and secure way of handling it.
  
  I work for multiple organizations. The majority of which have a Google sheet with their passwords in that are
  undefined
  
  c0mpanyname2018!
  Those that aren't are
  undefined
  
  pandasar3cute123?

I'll switch when it's fully implemented in open source and only I am the one with the private key. Until then its just more corporate blowjobs with extra steps.
- That’s exactly how passkeys work. The server never has the private key.
- KeePass has passkey support
  
  And we all remember the huge drama about it because they allowed for taking the keys out and backup them up.
- Passkeys are an ancient authentication setup, have always been better than passwords and are finally getting traction.
- What do you means by this? What part do you want to be open source? Passkey are just cryptographic keys, no part of that requires anything unfree. There's aready an open source authentication stack you can use to implement them. You can store them completely locally with KeyPassXC for selfhost Vaultwarden to store them remotely. Both are open source?
- You can add them in vaultwarden.

If you tell corporations there’s a way to increase lock-in and decrease account sharing, they’re gonna make it work.
- One is a new technical specification called Credential Exchange Protocol (CXP) that will make passkeys portable between digital ecosystems, a feature that users have increasingly demanded.
  I.e. I can copy my key to my friends' device.
  
  I believe that’s Apple talking to Google, not anything local you can own.

I always feel like an old granny when I read about passkeys because I've never used one, and I'm worried I'll just lock myself out of an account. I know I probably wouldn't, but new things are scary.
Are they normally used as a login option or do they completely replace MFA codes? I know how those work; I'm covered with that.
- Usually just an option in addition to a password + MFA. Or they just replace the MFA option and still require a password. I even saw some variants where it replaced the password but still required a MFA code. It's all over the place. Some providers artificially limit passkeys to certain (usually mobile) platforms.
  
  All of those options are to NIST-spec. MFA means multi-factor. It doesnt matter what they are as long as they are in different categories (something you know, something you have, something you are, etc: password, passkey, auth token, auth app, physical location, the network you are connected to). Two or more of these and you are set (though, location might be a weak factor).
- I have passkeys setup for almost everything and on most sites I just enter my username then I get a request on my phone to sign in. Scan my thumbprint and it's good to go. It's actually so much simpler than passwords / MFA, but admittedly I haven't had to migrate devices or platforms.
  I have everything setup through protonpass right now
- Hey good for you, unlike everyone else in this thread making up reasons why the tech is bad, you are mature enough to recognize the fear is from ignorance. I am in the same boat. I'm currently using a manager with MFA on everything which works well for me. Might look into this tech once it's baked longer. I don't like the idea of early adoption to a tech when it's security related.

ITT: Incredibly non-technical people who don’t have the first clue how Passkeys work but are convinced they’re bad due to imaginary problems that were addressed in this very article.
- This is a weird thread. Lots of complaints about lock in and companies managing your keys, both of which are easily avoidable, the exact same way you'd do so with your passwords.
  
  Also the people talking about added complexity? I'm convinced all the complaints are from people who haven't set one up or used one and are immediately writing it off. Adding one is a single click of a button.
  Then to sign in I literally just get a thumbprint request on my phone after entering my username. It's far far simpler than passwords and MFA.

I still have no idea how to use passkeys. It doesn't seem obvious to the average user.
I tried adding a passkey to an account, and all it does is cause a Firefox notification that says "touch your security key to continue with [website URL]". It is not clear what to do next.
- After my password manager auto filled a password and logged me in the website said "Tired of remembering passwords? Want to add a passkey?" I didn't know what it meant so I said no lol.
  
  Me too, I don't trust the system and I don't want to be locked into a specific browser and/or device.
- I think you actually have to buy a passkey device. Then configure it to work with a particular account.
  You plug the passkey into your computer and then whenever it asks for a password you literally touch it and it does its thing. I think there are options like biometrics that you can add on top but you don't have to have that.
  
  Devices themselves can act as passkeys too - I.e. your phone, laptop etc...
  
  If that's what's needed, I can say with some certainty that adoption isn't going to be picking up any time this decade.

I'm not convinced this is a good idea. Resident keys as the primary mechanism were already a big mistake, syncing keys between devices was questionable at best (the original concept, which hardware keys still have, is the key can never be extracted), and now you've got this. One of the great parts about security keys (the original ones!) is that you authenticate devices instead of having a single secret shared between every device. This just seems like going further away from that in trying to engineer themselves out of the corner they got themselves into with bullshit decisions.
Let me link this post again (written by the Kanidm developer). Passkeys: A Shattered Dream. I think it still holds up.
- The author of your blog post comes to this conclusion:
  So do yourself a favour. Get something like bitwarden or if you like self hosting get vaultwarden. Let it generate your passwords and manage them. If you really want passkeys, put them in a password manager you control. But don't use a platform controlled passkey store, and be very careful with security keys.
  The protocol (CXP) which the article is about, would allow you to export the passkeys from the “platform controlled passkey store” and import them into e.g. Bitwarden. So i would imagine the author being in favor of the protocol.

Am skeptical

The real problem is not passwords so much as trusted sources. Governments should have an email account that citizens have a right to and will not go away and have local offices to verify access issues.
- No. Wtf no.
  
  well they deliver your mail. I am envisioning the same protections but also you don't have to use it in general. but it would be how the government would send things to you.
- I don't want my government hosting my email.
  The last time they had to do anything important they stoled all the sensitive data in plain text in an Excel spreadsheet and then the spreadsheet got corrupted so they lost everything. Of course they didn't have backups.
  
  But at least since it was stolen, the backup was hosted for free on the hacker forums /s
  
  well they deliver your mail. I am envisioning the same protections but also you don't have to use it in general. but it would be how the government would send things to you. Also I have had corps almost constantly have a breach of my information but not once yet from the feds or my state.
- Whatever you're smoking, do less of that
  
  well they deliver your mail. I am envisioning the same protections but also you don't have to use it in general. but it would be how the government would send things to you.

Does it require an array of fucking containers and a flurry of webAPI calls? Then no.
- No it's actually pretty simple. No containers. Your passkeys can be managed in the browser (Google Passwords), by a plug-in like BitWarden, or in a third party hardware device like YubiKey.

My password manager supports passkeys just fine, across Windows, macOS, Linux and iOS (and probably Android but I haven't tried). Surprisingly, iOS integrates with the password manager so it's usable just like their own solution and it works across the system (not just in the browser).
This seems to be more about finding a standard way to export/import between different password managers/platforms?
- Correct. The spec is about making it easier and more secure to export your passwords and passkeys when you move from one password manager to another. People are misunderstanding this as some sort of federated authentication system to share your credentials between multiple password managers at the same time, which it is not.

I remember when Microsoft made a big deal about this on Windows and then their "implementation" was making the local signon a number PIN.
And not a proper separate auth operation lol. You either set up almost everything with the PIN or use a regular password, not both. Makes it useless on enterprise.
Realistically we should all be using a key/pass vault since that would make using passkeys much easier, but that's too complicated for the internet in ~~2004~~ 2024.
If it were me, I'd just issue everyone a yubikey.
- What separate auth operation is needed besides authenticating with the local device to unlock a passkey?

It's enough to read the title. The rest of the article doesn't provide much else other than being one step closer. 😄

Meanwhile mobile Firefox doesn't even support YubiKey / FIDO2 for some godforsaken reason.

I'm lost on this - is this better than GPG?
- More usable for the average user and more supported by actual sites and services, so yes.
  
  Does this require any 3rd party to work? I remember reading a blog, something about attesting the client, which was some big corpo like Google/Apple/Microsoft... that's not for this, right?

Whenever I read stuff like this, my mind goes a bit hazy. Because I'm just finding myself asking 'Why and when did the simple mechanic of passwords get this difficult?'
Maybe if password requirements weren't stingingly stupid, companies cared more about actual security and not an obstacle course they've gotta send people through to do one thing. We wouldn't ever know or need to know systems like this.
- With passkeys you never need to worry about the storage method used by the site. Some sites STILL store passwords in plaintext. When that database gets hacked, it’s game over.
  A public passkey, even stored in plaintext, is useless to an attacker.
  Maybe that doesn’t matter for you or me, with our 64-character randomly generated passwords unique to each service, but the bigger picture is that most people just use the same password everywhere. This is how identity theft happens.
- Passkeys are much simpler to use than passwords, password managers, 2FA etc. if simplicity is your goal, Passkeys are your personal wet dream.
  
  That one site - what was it, Mozilla's/Gnome's git? - that needed Aegis for login. Which is unlocked by pasword btw.

They are really satisfying when they work. I have been impressed by how well they work cross platform in the new bitwarden. It even worked from Android one time with a key made on windows! However, I dread when my mom tells me she needs help with an account and I can't do anything because the key is on her iOS Keychain I don't have access to

What is the difference between a crypto wallet and a passkey?
Is it just that a passkey has less functionality (and therfore better usability)?
- Passkeys are for logging into websites.
  
  Passkeys seem to be equivalent to public addresses of blockchain wallets.
  I think the main difference is that passkey are recoverable but blockchain wallet keys are private

130 comments