- cross-posted to:
- [email protected]
- [email protected]
- cross-posted to:
- [email protected]
- [email protected]
You must log in or register to comment.
All the major password managers store passkeys now. I have every passkey I’ve been able to make stored in Bitwarden, and they’re accessible on all my devices.
Article is behind the times, and this dude was wrong to “rip out” passkeys as an option.
That’s a typical DHH article, essentially. He has some interesting insights, but everything else is borderline cult-leader opinions, and some people follow it as gospel
I just wish that companies enabling passkeys would still allow password+MFA. There are several sites that, when you enable passkeys, lock you out of MFA for devices that lack a biometric second factor of authentication. I’d love to use passkeys + biometrics otherwise, since I’ve often felt that the auth problem would be best solved with asymmetric cryptography.
Yeah I didn’t understand passkeys. I’m like why is my browser asking to store them? What if I’m using another browser? Why is my password manager fighting with my browser on where to store this passkey?
I felt so uneasy.
So I decided not to use passkeys for now until I understood what’s going on.
Passkeys are unique cert pairs for each site. The site gets the public key, you keep the private to login under your account. The site never stores your private key.
To store them simply, turn off your browsers password/passkey storage. Store them in your password manager along with other sites passwords.
Sounds similar to the SSL stuff, like for GitHub and stuff. I guess the preference in that case would be my password manager as it stores my password already.
Perhaps it’s best I pay for Bitwarden premium now and use those hardware keys people are recommending.
Also thanks!
I am very shitty on security (I would not write this reply on a post on the cybersecurity community), and I resisted MFA for several years as being too annoying having to login to mail/SMS. After finding open source apps supporting TOTP, I feel better about it and I manually do the syncing by just transferring the secrets between my devices offline.
Passkeys are another foreign thing that I think I will get used to eventually, but for now there are too many holes in support, too much vendor lock-in (which was my main distaste for MFA, I didn’t want MS or Google Authenticator), and cumbersome (when email and SMS were the only options for MFA, difficulty of portability for passkeys).
Whenever I read an article about security (and read the comments, even here on Lemmy) I’m constantly frustrated and depressed by a couple of things.
-
Corporations making things shittier with the intention of locking customers in to their stupid proprietary ecosystem. And of course, they are always seeking more data harvesting. Security itself is way down the list of their priories, if it’s even there at all.
-
Users being lazy trend-followers who quickly sacrifice their security on the altar of convenience and whatever shiny new FOMO thing is offered up for “better security”.
It’s a very bad combination. Doing security right is a bit inconvenient (which users hate) and expensive (which corporations hate).
-
Passkeys are only good if they aren’t in a online password manager. They are better than TOTP 2FA in terms of security and phishing resistance. I see 2FA as a last resort when someone even gets into my password manager. Storing passkeys completely makes this useless, as I’m sure anyone that can log into my accounts would’ve done so by getting a hold of my unencrypted password manager database. Unless android provides a real offline way of storing passkeys in the device, I am not interested alot.
Actual zero knowledge encrypted password managers with 2FA?
Keepass?
Or Bitwarden (supposedly)
Bitwarden is an online password manager and no I don’t consider self hosting it offline.
I wish all sites using 2FA would just support hardware keys instead of authenticator apps. It’s so much easier to login to a site by just plugging in my hardware key and tapping its button, than going to my authenticator app and typing over some code within a certain time.
It’s even sinpler than email 2fa or sms 2fa or vendor app 2fa.
For authenticator app you also can’t easily add more devices unless you share the database which is bad for security. For hardware security key you can just add the key as an additional 2fa, if the site allows it.
His “just use email” like that isn’t very obviously worse in every respect kind of undermines his whole premise.
His whole premise is undermined by him not doing any research on the topic before deciding to write a blog post. Proton passkeys for instance, are cross platform, and the ability to transfer passkeys between devices is one of the features being worked on by the other providers.
I always thought of passkeys as a convenient way to authenticate.
I am password-less on multiple services.
I have an authentication app on my phone that authenticate me when I am away of my computers. I have passkeys on my personal computer and another set of passkeys on my work laptop.
If I have to authenticate from your computer I simply use my auth app, click on “it’s a public computer” and I am good to go.
The dude discovered a butter knife and he tries to replace his spoon with it just to realize it doesn’t work well for eating a soup.
I thought passkeys were supposed to be a hardware device?
This is typical embrace/extend/extinguish behavior from the large platforms that don’t want their web-SSO hegemony challenged because it would mean less data collection and less vendor lock-in.
The whole idea of passkeys provided by an online platform should have been ruled out by the specification. It completely defeats the purpose of passkeys which is that the user has everything they need to authenticate themself.
The problem with passkeys is that they’re essentially a halfway house to a password manager, but tied to a specific platform in ways that aren’t obvious to a user at all, and liable to easily leave them unable to access of their accounts.
Agreed, in its current state I wouldn‘t teach someone less technically inclined to solely rely on passkeys saved by the default platform if you plan on using different devices, it just leads to trouble.
If you’re going to teach someone how to deal with all of this, and all the potential pitfalls that might lock them out of your service, you almost might as well teach them how to use a cross-platform password manager
Using a password manager is still the solution. Pick one where your passkeys can be safed and most of the authors problems are solved.
The only thing that remains is how to log in if you are not on a device you own (and don’t have the password manager). The author mentions it: the QR code approach for cross device sign in. I don’t think it’s cumbersome, i think it’s actually a great and foolproof way to sign in. I have yet to find a website which implements it though.
It could be your browser / system that is struggling to show it. When I use my work computer and Microsoft edge, I don’t think I’ve ever had a situation where the QR code didn’t work. When I use flatpak’d Firefox on my Linux laptop, I experience more trouble, probably because of the sandboxing.
According to the device support page i should be ok, but yeah there might be something weird going on.
people will pick the corporate options that are shoved on their faces, not the sensible open source user-respecting ones.
vendor lockin will happen if we adopt passkeys as they are right now.
Bitwarden just announced a consortium with Apple, Google, 1Password, etc to create a secure import/export format for credentials; spurred by the need for passkeys to be portable between password managers (but also works for passwords/other credential types)
QR codes are good 50% of the time; when you’re trying to log in on a pc.
The reverse case is extremely annoyingCould you elaborate? I am assuming that everbody would have the password manager on their mobile phone with them, which is used to scan the qr code. I think that’s a reasonable assumption.
I agree that if you wanted the pc to act as the authenticator (device that has the passkey) it wouldn’t work with qr codes. But is that a usecase that happens at all for average people? Does anyone login to a mobile device that you don’t own, and you only have your pc nearby and not your own mobile phone?
I’m thinking of phone recovery, where you’re trying to get all your stuff back on a new device.
With a password manager, simply logging in will get you there and until passkeys can be synced automatically just like passwords this will need to be handled somehow.I hope I am not misunderstanding you. What you are worried about is passkeys in the password manager not syncing to new devices? They are though, with password managers that support passkeys like Bitwarden, ProtonPass, 1Password etc…
Currently using it on Bitwarden, if I log in to a new device, the passkeys are there.
There was a related news recently, that bitwarden and other pw managers will be able to sync passkeys between devices. Won’t that solve these issues?
It does*.
However when I’m trying to login with a passkey in my mobile browser, Bitwarden prompt isn’t showing up. I don’t know what’s wrong.
That’s weird, it works for me. Is there something you need to click on the mobile site?
What’s your browser-Bitwarden setup?
The same flow works for me on desktop (firefox+bw plugin).
My thoughts exactly. I use Bitwarden and passkeys sync flawlessly between my devices. Password managers tied to a a device or ecosystem are stupid and people shouldn’t use them. This is true whether you use passwords or passkeys.
That said, we cannot blame users for bad UX that some platforms and some devs provide.
Isn’t your password manager tied to an ecosystem with Bitwarden ?
I’m surprised people trust third parties to hold their passwords.
Wasn’t there multiple password managers that got powned over the years ?
If you can sync Passwords you are also more exposed than some unhandy secure local password storage.
Wasn’t there multiple password managers that got powned over the years ?
Pretty much only LastPass
Bitwarden is not usable on Linux desktop, keeps asking for password. The password can’t be too short, so it takes some time to type it in. I turn off my computer when it’s not needed, so I would just need to type in the password when I turn it on again.
Anyone have a better solution?
Is “keeps asking for the password” the definition of “unusable on Linux”?
I have zero issue using this on Linux fwiw; yes, I am asked for password again on BW when I reboot/start my system. That is not inconvenient to me.
A better solution is to disable vault lock. It is very much usable (mostly talking about browser extension).
Not in all situations. And in a way a user will not be aware of. The service or website can define what type of passkey is allowed (based in attestation). You may not be able to acutally use your “movable” keys because someone else decided so. You will not notice this until you actually face such a service. And when that happens, you can be sure that the average user will not understand what ia going on. Not all passkeys are equal, but that fact is hidden from the user.
I remain hopeful. Initially, when Keypass wanted to include a simple export option there was talk of banning them from using Passkeys.
Why not just passkeys with a “magic link” fallback though?
This is the same as forgotten password so ytf not
thats close to what i have been fucking saying and getting hate for.
so im glad someone has written it on a damn blog to legitimize it?
For me, I’d prefer that everyone just adds biometric authentication techniques. A couple websites do this already and it’s great. Many devices have biometrics built in already and if this was widespread I’d certainly have no problem buying a fingerprint reader for my desktop computer.
Question - what do you do when the site is hacked and your biometrics are compromised? Issue new ones?
You don’t have interchangeable fingerprints? Keep up with the times /s
The password still works.
That’s literally a passkey.
