“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.
If the passkeys aren’t managed by your devices fully offline then you’re just deeper into being hostage to a corporation.
The lock-in effect of passkeys is something that this protocol aims to solve though. The “only managed by your device” is what keeps us locked in, if there is no solution to export and import it on another device.
The protocol aims to make it easy to import and export passkeys so you can switch to a different provider. This way you won’t be stuck if you create passkeys e.g. on an Apple device and want to switch to e.g. Bitwarden or an offline password manager like KeyPassXC
The specifications are significant for a few reasons. CXP was created for passkeys and is meant to address a longstanding criticism that passkeys could contribute to user lock-in by making it prohibitively difficult for people to move between operating system vendors and types of devices. […] CXP aims to standardize the technical process for securely transferring them between platforms so users are free […].
That’s between platforms though. I like my stuff self-managed. Unless it provenly works with full offline solutions I’ll remain sceptical.
I like my stuff self-managed.
Bitwarden / Vaultwarden is a popular available working solution for self-hosting and self-managing passkeys (as well as passwords).
And who forces all the corps to correctly implement that protocol? Getting you locked in is in all of their interests, after all.
I think it‘s fair to remain skeptical but the big organizations were part of the development, so there seems to be some interest. And it‘s not always in their interest to lock users in, when it also prevents users from switching to their platform.
Development of technical standards can often be a fraught bureaucratic process, but the creation of CXP seems to have been positive and collaborative. Researchers from the password managers 1Password, Bitwarden, Dashlane, NordPass, and Enpass all worked on CXP, as did those from the identity providers Okta as well as Apple, Google, Microsoft, Samsung, and SK Telecom.
That’s a great way to lose access if your device gets lost, stolen, or destroyed. Which is why I’m against and will continue to be against forcing 2FA and MFA solutions onto people. I don’t want this, services don’t care if we’re locked out which is why they’re happy to force this shit onto people.
Well yeah, that is true. Security and convenience are usually at odds… MFA has place, unless you don’t mind some guy from russia access your online bank account ; but I definitely wouldn’t use it on all my accounts.
Yeah and since Online bank accounts can also almost always be reset if you lose the 2FA/MFA key by calling customer support, or going to your bank and speaking with themt in person, there’s almost no risk of losing access completely. It’s a service you have access to because you’re you. Something that isn’t the case with Reddit, Github, Lemmy accounts, or Masotodon. I’m not able to regain access after losing those 2FA solutions by virtue of being myself, they treat you just like the attacker in those cases. Really not worth it there, both since what is being protected isn’t worth it, and the risk far outweighs it.
Y’all here talking so smart ignore another thing - the more complex your solutions are, the deeper you are into being hostage to everyone capable of making the effort to own you.
Don’t wanna be hostage - don’t use corporate and cloud services for things you need more than a bus ticket.
You are being gaslighted to think today’s problems can be solved by more complexity. In fact the future is in generalizing and simplifying what exists. I’m optimistic over a few projects, some of which already work, and some of which are in alpha.
Literally just use a password manager and 2/MFA. It’s not a problem. We have a solution.
Actually, it is still a problem, because passwords are a shared secret between you and the server, which means the server has that secret in some sort of form. With passkeys, the server never has the secret.
The shared secret with my Vaultwarden server? Add mfa and someone needs to explain to me how passkeys do anything more than saving one single solitary click.
When a website gets hacked they only find public keys, which are useless without the private keys.
Private keys stored on a password manager are still more secure, as those services are (hopefully!) designed with security in mind from the beginning.
Pass keys are for websites such as Google, Facebook, TikTok, etc. And then they go into what is currently your password manager or if you don’t have one, it goes into your device. You still have to prove to that password manager that you are, who you say you are, either by a master password of some sort or biometrics.
Best password manager is offline password manager.
KeepassXC makes a file with the passwords that is encrypted, sharing this file with a server is more secure than letting the server manage your passwords
I agree, and that’s my method as well. Although I do not ever share the file with a server either. I only transfer it from device to device with flash drives or syncthing.
You can share passwords without the server seeing them. Many managers don’t but there’s nothing infeasible there. You just have a password to unlock the manager. Done.
What I’m getting at is that a web server has a password, in some form. And so if that site gets breached, your password itself may not get leaked, but the hash will. And if the hash is a common hash, then it can be easily cracked or guessed.
Never forget that technologically speaking you’re nothing like the average user. Only 1 in 3 users use password managers. Most people just remember 1 password and use it everywhere (or some other similarly weak setup).
Not remembering passwords is a huge boon for most users, and passkeys are a very simple and secure way of handling it.
I work for multiple organizations. The majority of which have a Google sheet with their passwords in that are
c0mpanyname2018!
Those that aren’t are
pandasar3cute123?
I had to start hashing passwords and sending it to the haveibeenpwned API.
I also fight with my users over data normalization because any time I add some rule (like don’t put “SO#” as part of the value of the “SO#” field), they’re too stupid to realize the point and find some other “hack” around it.
I’ll switch when it’s fully implemented in open source and only I am the one with the private key. Until then its just more corporate blowjobs with extra steps.
And we all remember the huge drama about it because they allowed for taking the keys out and backup them up.
What do you means by this? What part do you want to be open source? Passkey are just cryptographic keys, no part of that requires anything unfree. There’s aready an open source authentication stack you can use to implement them. You can store them completely locally with KeyPassXC for selfhost Vaultwarden to store them remotely. Both are open source?
If you tell corporations there’s a way to increase lock-in and decrease account sharing, they’re gonna make it work.
One is a new technical specification called Credential Exchange Protocol (CXP) that will make passkeys portable between digital ecosystems, a feature that users have increasingly demanded.
I.e. I can copy my key to my friends’ device.
I believe that’s Apple talking to Google, not anything local you can own.
Read the article, it’s literally about replacing Import/Export CSV plaintext unencrypted files with something more secure.
I.e. moving your passwords/passkeys between password managers. This is not about replacing stuff like OAuth where one service securely authorizes a user for another.
That’s not how Passkey, and the underlying WebAuthn works.
(Highly simplifies but still a bit technical) During registration, your key and the service provider website interacts. Your key generated a private key locally that don’t get sent out, and it is the password you hold. The service provider instead get a puclic key which can be used to verifiy you hold the private key. When you login in, instead of sending the private key like passwords, the website sent something to your key, which needs to be signed with the private key, and they can verify the signature with the public key.
The CXP allows you export the private key from a keystore to another securely. Service providers (Netflix) can’t do anything to stop that as it doesn’t hold anything meaningful, let alone a key (what key?), to stop the exchange.
I always feel like an old granny when I read about passkeys because I’ve never used one, and I’m worried I’ll just lock myself out of an account. I know I probably wouldn’t, but new things are scary.
Are they normally used as a login option or do they completely replace MFA codes? I know how those work; I’m covered with that.
Usually just an option in addition to a password + MFA. Or they just replace the MFA option and still require a password. I even saw some variants where it replaced the password but still required a MFA code. It’s all over the place. Some providers artificially limit passkeys to certain (usually mobile) platforms.
All of those options are to NIST-spec. MFA means multi-factor. It doesnt matter what they are as long as they are in different categories (something you know, something you have, something you are, etc: password, passkey, auth token, auth app, physical location, the network you are connected to). Two or more of these and you are set (though, location might be a weak factor).
I have passkeys setup for almost everything and on most sites I just enter my username then I get a request on my phone to sign in. Scan my thumbprint and it’s good to go. It’s actually so much simpler than passwords / MFA, but admittedly I haven’t had to migrate devices or platforms.
I have everything setup through protonpass right now
Hey good for you, unlike everyone else in this thread making up reasons why the tech is bad, you are mature enough to recognize the fear is from ignorance. I am in the same boat. I’m currently using a manager with MFA on everything which works well for me. Might look into this tech once it’s baked longer. I don’t like the idea of early adoption to a tech when it’s security related.
