this post was submitted on 15 Oct 2024
185 points (91.9% liked)

Technology

59612 readers
3414 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.

top 50 comments
sorted by: hot top controversial new old
[–] nevemsenki@lemmy.world 130 points 1 month ago (6 children)

If the passkeys aren't managed by your devices fully offline then you're just deeper into being hostage to a corporation.

[–] unskilled5117 35 points 1 month ago* (last edited 1 month ago) (4 children)

The lock-in effect of passkeys is something that this protocol aims to solve though. The “only managed by your device” is what keeps us locked in, if there is no solution to export and import it on another device.

The protocol aims to make it easy to import and export passkeys so you can switch to a different provider. This way you won’t be stuck if you create passkeys e.g. on an Apple device and want to switch to e.g. Bitwarden or an offline password manager like KeyPassXC

The specifications are significant for a few reasons. CXP was created for passkeys and is meant to address a longstanding criticism that passkeys could contribute to user lock-in by making it prohibitively difficult for people to move between operating system vendors and types of devices. […] CXP aims to standardize the technical process for securely transferring them between platforms so users are free […].

[–] nevemsenki@lemmy.world 16 points 1 month ago* (last edited 1 month ago) (1 children)

That's between platforms though. I like my stuff self-managed. Unless it provenly works with full offline solutions I'll remain sceptical.

[–] darklamer@lemmy.dbzer0.com 14 points 1 month ago (3 children)

I like my stuff self-managed.

Bitwarden / Vaultwarden is a popular available working solution for self-hosting and self-managing passkeys (as well as passwords).

load more comments (3 replies)
load more comments (3 replies)
[–] Draconic_NEO@lemmy.world 11 points 1 month ago (5 children)

That's a great way to lose access if your device gets lost, stolen, or destroyed. Which is why I'm against and will continue to be against forcing 2FA and MFA solutions onto people. I don't want this, services don't care if we're locked out which is why they're happy to force this shit onto people.

load more comments (5 replies)
load more comments (4 replies)
[–] Gutless2615@ttrpg.network 62 points 1 month ago* (last edited 1 month ago) (3 children)

Literally just use a password manager and 2/MFA. It’s not a problem. We have a solution.

[–] shortwavesurfer@lemmy.zip 42 points 1 month ago (7 children)

Actually, it is still a problem, because passwords are a shared secret between you and the server, which means the server has that secret in some sort of form. With passkeys, the server never has the secret.

[–] Gutless2615@ttrpg.network 10 points 1 month ago (2 children)

The shared secret with my Vaultwarden server? Add mfa and someone needs to explain to me how passkeys do anything more than saving one single solitary click.

[–] 4am@lemm.ee 23 points 1 month ago (1 children)

When a website gets hacked they only find public keys, which are useless without the private keys.

Private keys stored on a password manager are still more secure, as those services are (hopefully!) designed with security in mind from the beginning.

load more comments (1 replies)
[–] shortwavesurfer@lemmy.zip 11 points 1 month ago

Pass keys are for websites such as Google, Facebook, TikTok, etc. And then they go into what is currently your password manager or if you don't have one, it goes into your device. You still have to prove to that password manager that you are, who you say you are, either by a master password of some sort or biometrics.

[–] programmer_belch@lemmy.dbzer0.com 9 points 1 month ago (6 children)

Best password manager is offline password manager.

KeepassXC makes a file with the passwords that is encrypted, sharing this file with a server is more secure than letting the server manage your passwords

[–] hikaru755@lemmy.world 14 points 1 month ago

This is not at all relevant to the comment you're responding to. Your choice of password manager doesn't change that whatever system you're authenticating against still needs to have at least a hash of your password. That's what passkeys are improving on here

load more comments (5 replies)
load more comments (5 replies)
[–] huginn@feddit.it 27 points 1 month ago (1 children)

Never forget that technologically speaking you're nothing like the average user. Only 1 in 3 users use password managers. Most people just remember 1 password and use it everywhere (or some other similarly weak setup).

Not remembering passwords is a huge boon for most users, and passkeys are a very simple and secure way of handling it.

[–] funkless_eck@sh.itjust.works 20 points 1 month ago (3 children)

I work for multiple organizations. The majority of which have a Google sheet with their passwords in that are

      c0mpanyname2018! 

Those that aren't are

       pandasar3cute123? 
load more comments (3 replies)
load more comments (1 replies)
[–] aniki@lemmings.world 50 points 1 month ago (5 children)

I'll switch when it's fully implemented in open source and only I am the one with the private key. Until then its just more corporate blowjobs with extra steps.

[–] 4am@lemm.ee 22 points 1 month ago

That’s exactly how passkeys work. The server never has the private key.

[–] AsudoxDev@programming.dev 20 points 1 month ago (1 children)

KeePass has passkey support

[–] devfuuu@lemmy.world 6 points 1 month ago (1 children)

And we all remember the huge drama about it because they allowed for taking the keys out and backup them up.

load more comments (1 replies)
[–] huginn@feddit.it 10 points 1 month ago

Passkeys are an ancient authentication setup, have always been better than passwords and are finally getting traction.

[–] priapus@sh.itjust.works 9 points 1 month ago

What do you means by this? What part do you want to be open source? Passkey are just cryptographic keys, no part of that requires anything unfree. There's aready an open source authentication stack you can use to implement them. You can store them completely locally with KeyPassXC for selfhost Vaultwarden to store them remotely. Both are open source?

[–] AbidanYre@lemmy.world 8 points 1 month ago

You can add them in vaultwarden.

[–] rickdg@lemmy.world 42 points 1 month ago (1 children)

If you tell corporations there’s a way to increase lock-in and decrease account sharing, they’re gonna make it work.

[–] umami_wasbi@lemmy.ml 23 points 1 month ago (4 children)

One is a new technical specification called Credential Exchange Protocol (CXP) that will make passkeys portable between digital ecosystems, a feature that users have increasingly demanded.

I.e. I can copy my key to my friends' device.

[–] rickdg@lemmy.world 11 points 1 month ago (3 children)

I believe that’s Apple talking to Google, not anything local you can own.

[–] 4am@lemm.ee 8 points 1 month ago

Read the article, it’s literally about replacing Import/Export CSV plaintext unencrypted files with something more secure.

I.e. moving your passwords/passkeys between password managers. This is not about replacing stuff like OAuth where one service securely authorizes a user for another.

load more comments (2 replies)
load more comments (3 replies)
[–] Dasnap@lemmy.world 25 points 1 month ago (4 children)

I always feel like an old granny when I read about passkeys because I've never used one, and I'm worried I'll just lock myself out of an account. I know I probably wouldn't, but new things are scary.

Are they normally used as a login option or do they completely replace MFA codes? I know how those work; I'm covered with that.

[–] narc0tic_bird@lemm.ee 10 points 1 month ago (1 children)

Usually just an option in addition to a password + MFA. Or they just replace the MFA option and still require a password. I even saw some variants where it replaced the password but still required a MFA code. It's all over the place. Some providers artificially limit passkeys to certain (usually mobile) platforms.

load more comments (1 replies)
load more comments (2 replies)
[–] EncryptKeeper@lemmy.world 23 points 1 month ago* (last edited 1 month ago) (1 children)

ITT: Incredibly non-technical people who don’t have the first clue how Passkeys work but are convinced they’re bad due to imaginary problems that were addressed in this very article.

[–] priapus@sh.itjust.works 10 points 1 month ago (2 children)

This is a weird thread. Lots of complaints about lock in and companies managing your keys, both of which are easily avoidable, the exact same way you'd do so with your passwords.

load more comments (2 replies)
[–] 2xsaiko@discuss.tchncs.de 19 points 1 month ago (1 children)

I'm not convinced this is a good idea. Resident keys as the primary mechanism were already a big mistake, syncing keys between devices was questionable at best (the original concept, which hardware keys still have, is the key can never be extracted), and now you've got this. One of the great parts about security keys (the original ones!) is that you authenticate devices instead of having a single secret shared between every device. This just seems like going further away from that in trying to engineer themselves out of the corner they got themselves into with bullshit decisions.

Let me link this post again (written by the Kanidm developer). Passkeys: A Shattered Dream. I think it still holds up.

[–] unskilled5117 18 points 1 month ago* (last edited 1 month ago)

The author of your blog post comes to this conclusion:

So do yourself a favour. Get something like bitwarden or if you like self hosting get vaultwarden. Let it generate your passwords and manage them. If you really want passkeys, put them in a password manager you control. But don't use a platform controlled passkey store, and be very careful with security keys.

The protocol (CXP) which the article is about, would allow you to export the passkeys from the “platform controlled passkey store” and import them into e.g. Bitwarden. So i would imagine the author being in favor of the protocol.

[–] NateNate60@lemmy.world 19 points 1 month ago (3 children)

I still have no idea how to use passkeys. It doesn't seem obvious to the average user.

I tried adding a passkey to an account, and all it does is cause a Firefox notification that says "touch your security key to continue with [website URL]". It is not clear what to do next.

[–] JackbyDev@programming.dev 10 points 1 month ago (1 children)

After my password manager auto filled a password and logged me in the website said "Tired of remembering passwords? Want to add a passkey?" I didn't know what it meant so I said no lol.

load more comments (1 replies)
[–] echodot@feddit.uk 5 points 1 month ago (2 children)

I think you actually have to buy a passkey device. Then configure it to work with a particular account.

You plug the passkey into your computer and then whenever it asks for a password you literally touch it and it does its thing. I think there are options like biometrics that you can add on top but you don't have to have that.

[–] NateNate60@lemmy.world 8 points 1 month ago (1 children)

If that's what's needed, I can say with some certainty that adoption isn't going to be picking up any time this decade.

load more comments (1 replies)
[–] el_abuelo@programming.dev 8 points 1 month ago (7 children)

Devices themselves can act as passkeys too - I.e. your phone, laptop etc...

load more comments (7 replies)
load more comments (1 replies)
[–] DudeImMacGyver@sh.itjust.works 19 points 1 month ago* (last edited 1 month ago)

Am skeptical

[–] HubertManne@moist.catsweat.com 16 points 1 month ago (5 children)

The real problem is not passwords so much as trusted sources. Governments should have an email account that citizens have a right to and will not go away and have local offices to verify access issues.

[–] Kuvwert@lemm.ee 8 points 1 month ago (8 children)
load more comments (8 replies)
[–] echodot@feddit.uk 7 points 1 month ago* (last edited 1 month ago) (2 children)

I don't want my government hosting my email.

The last time they had to do anything important they stoled all the sensitive data in plain text in an Excel spreadsheet and then the spreadsheet got corrupted so they lost everything. Of course they didn't have backups.

load more comments (2 replies)
load more comments (2 replies)
[–] corsicanguppy@lemmy.ca 11 points 1 month ago (1 children)

Does it require an array of fucking containers and a flurry of webAPI calls? Then no.

load more comments (1 replies)
[–] narc0tic_bird@lemm.ee 9 points 1 month ago (1 children)

My password manager supports passkeys just fine, across Windows, macOS, Linux and iOS (and probably Android but I haven't tried). Surprisingly, iOS integrates with the password manager so it's usable just like their own solution and it works across the system (not just in the browser).

This seems to be more about finding a standard way to export/import between different password managers/platforms?

[–] trevor@lemmy.blahaj.zone 6 points 1 month ago

Correct. The spec is about making it easier and more secure to export your passwords and passkeys when you move from one password manager to another. People are misunderstanding this as some sort of federated authentication system to share your credentials between multiple password managers at the same time, which it is not.

[–] mlg@lemmy.world 7 points 1 month ago (1 children)

I remember when Microsoft made a big deal about this on Windows and then their "implementation" was making the local signon a number PIN.

And not a proper separate auth operation lol. You either set up almost everything with the PIN or use a regular password, not both. Makes it useless on enterprise.

Realistically we should all be using a key/pass vault since that would make using passkeys much easier, but that's too complicated for the internet in ~~2004~~ 2024.

If it were me, I'd just issue everyone a yubikey.

load more comments (1 replies)
[–] lemmeBe@sh.itjust.works 7 points 1 month ago

It's enough to read the title. The rest of the article doesn't provide much else other than being one step closer. 😄

load more comments
view more: next ›