- Big Tech has implemented passkeys in a way that locks users into their platforms rather than providing universal security
- Passkeys were developed to replace passwords for better account security, but their rollout by Apple and Google has limited their potential
- Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.
Yeah I’ve avoided passkeys. Anything that Google is pushing to me is always in their interests.
That is not the takeaway here.
The takeaway is Passkeys are great technology but as implemented by Google, Microsoft, and Apple fall short of what they could be.
Are we talking in circles here? “I avoid passkeys because of Google” “Passkeys implemented by Google have problems”
The way out of the circle that you’ve put yourself in is realizing Google isn’t the only company implementing passkeys.
And that most people are in multiple ecosystems…e.g. Android/iOS + Windows. So they can’t use a solution that’s not interoperable.
Fortunately there are several interoperable solutions now. There weren’t as recently as last year though.
Are we talking in circles here?
No. “I avoid passkeys because of Google” is avoiding an entire technology because of a bad implementation. “Passkeys implemented by Google have problems” is only avoiding passkeys implemented by Google, leaving using passkeys still on the table.
People not getting phished is in their interests. That doesn’t mean it’s not in yours.
A lot of my hesitation is that not only are passkeys being pushed by the big vendors AND they seem to have a less than portable implementation BUT ALSO they don’t seem to give enough details. Everything is dumbed down for the less technical until it means nothing
I like that this thread already has more actual information than all the outreach of the big vendors over months
The spec behind it is solid, it creates per-domain cryptographic keyspairs which allows your device to prove you’re you in a standardized and secure way while avoiding adding a new way to track you across sites, and by using the device’s TPM chip to hold the key it’s also resistant to most types of manipulation.
Google pushed email accounts to you, do you not have an email address either?
I’m not locked into Gmail: I know it implements standards and I choose it as long as it is most convenient.
A lot of what comes into my gmail account is actually addressed to various aliases from various providers, and I can point those aliases anywhere
In particular, all my recent online accounts use unique generated email addresses that I can disable at will, and that forward to my actual email
Well that’s great news, then you’ll like passkeys because you can use them without being locked into anything.
Email was already ubiquitous and generally standardized by the time Gmail released in 2004.
Asymmetric cryptography has been ubiquitous and generally standardized by the time Google began letting you store Passkeys, so what’s your point?
Is Google supporting a particular service or system a dealbreaker for you or not? Because Google has far more fingers in the public operation of email than it does passkeys. So if you’re still ok with having an email account, then you should be just as ok with using passkeys.
Could someone ELI5 (if possible) what passkeys actually are?
Not ELI5 level but…
If you understand SSH keys, it’s basically the same thing made more general.
Whatever website (e.g. lemmy.world) has a copy of the public key, they encrypt something with the public key, you decrypt it, reencrypt it with your private key and send it back (where they can then decrypt it and verify what they got back is what they expected). By performing that round trip, you’ve verified you have the correct key, and the “door opens.”
The net effect is you can prove who you are, without actually giving someone the ability to impersonate you. It’s authentication via “secret steps only you would know” instead of authentication by a fixed “password” (that anyone who hears it can store and potentially use for their own purposes).
That’s all wrapped up in an open protocol anyone can implement and use to provide a variety of (hopefully) user friendly implementations (like the one Proton made) 🙂
Basically hardware keys (like YubiKey) without hardware
So…. Software keys…
I guess it’s a bit like a bank card with a PIN. You go to pay for something and your card stores your credentials on it. To allow those credentials to be read you need to unlock them using the PIN.
I’m very excited for the concept of passkeys, but indeed it is a bit of a mess right now. Android password managers can’t use passkey inside other apps, basically limited to just the browser. I hope it all gets sorted soon and everyone sticks to an open standard compatibility.
I want to be able to export my passkeys and take them with me to any other chosen passkey manager.
Same; I hope the EU does something before it’s a total mess
I have hopes for a normal implementation because KeepassXC does have passkeys now.
If I can’t add your passkey to my Bitwarden vault, I’m not using your passkey.
Bitwarden proper wants $40/year to have two users sharing passwords. You might try Vaultwarden?
I pay $10/year for my wife and I, total. The $40 is if you want 3-6 people. AFAIK, you still need to pay if you self-host and use the premium features, but you can self host on the free plan as well.
$10/year for my wife and I is completely reasonable, and I’d pay the $40/year if my kids needed their own accounts. It’s a fantastic service.
That doesn’t seem unreasonable at all for not having to host your own server.
That’s with hosting your own server. Unfortunately I only discovered this paywall after sending them $10 out of good will.
Of course it’s open source, so it’s certainly possible to break their DRM, and if it were something less sensitive I would.
I still might, but VaultWarden looks like a better alternative.
Nowhere on their pricing page does it say you need to host your own server.
Yeah or if they only offer 2FA via SMS. Like 1) it’s not even that much more secure and 2) it’s just more awkward.
But I also hate how Steam and Blizzard only allow you to verify logins in their mobile app. Fucking ridiculous.
It is stupid that they not only require the app to be present, but to verify each and every trade. Even those for items that drop to everyone for free. Good thing it does work in an Android VM but still - very annoying.
If I can’t add your passkey to my local KeepassXC database, I am not using your passkey.
You can also host it yourself.
https://bitwarden.com/blog/host-your-own-open-source-password-manager/
Why are us nerds like this? No one asked, please dont.
Yea, I know. But my preference is for my password manager to not be cloud at all.
I don’t mean to be pedantic but self hosted isn’t cloud.
Doesn’t it require cloud activation?
It requires a key and id they generate.
https://bitwarden.com/help/install-on-premise-linux/
Though from the instructions, I’m not sure if the install needs continuing communication outbound to function.
Yea, I understand, and it’s a perfectly valid choice. But does that disregard people’s preference to not bother with this at all?
I don’t think I understand the question.
To be clear, the alternatives are valid choices.
Passkeys sound great. Where’s the support for Firefox, Proton Pass? Bitwarden has it.
Better yet: use a hardware 2FA token that supports passkeys
The issue is that most of them are limited in the amount of passkeys they can manage.
In the case of the Yubikey 5
Currently, YubiKeys can store a maximum of 25 passkeys.
How is 25 bad? Do you need a passkey for each service /app/website? Can’t you use the same key for many services? (trying to understand how they work)
/aparté: being downvoted for trying to understand gives me reddit vibes well done
Being down-voted for asking questions is bullshit. Your questions are valid and those people suck.
You only need one per website if you want it to autofill the username, because resident keys held on the security token can be recognized and suggested automatically but otherwise you must first enter your username on the website and let the website send its challenge value for the corresponding domain and account pair so that your security token can respond correctly.
Ideally yes, they’re supposed to eventually replace all passwords. Of which I have hundreds. And yes not 100% of them will do that on the near future but a lot more than 25 will.
Yes, you need a passkey per service, so you would quickly end up with your 25 slots full.
Eh… That’s not exactly a silver bullet or necessarily “way better”; it’s got a lot of usability issues.
You really only want to do that for your most important sites and then you want to use multiple passkeys to make sure you retain access.
Jokes on them: If they allowed passkeys on iOS 16 or have let the iPhone X update to iOS 17, I most likely fell for it, now I have only some 2FA keys that I need to pull from keychain (have no macOS)
It seems no matter what new advancements we make in technology the big tech companies seek nothing more to implement it in a way that benefits themselves. Regardless if it means fucking over the consumer.
I really hate what the internet has become over the last couple of years.
That’s capitalism for you. They’re not interested in making things better, they’re interested in making more profit.
Correct. But often that only happens if they make things better for you.
On the contrary, companies making a profit by making things better for you as a concept is pretty close to extinct. See corporations realized they don’t have to make better products if they just box out the competition so that you no longer have a choice. Theres even a term for it now, because practically every company across every industry is doing it, enshittification. Charging more for inferior projects is the new goal.
A company that grows itself by making a better product is an objective rarity in the modern world.
Any example of websites where I can try passkeys? I have both bitwarden and Proton pass to test out
Test site: https://webauthn.io/
Known sites: https://passkeys.directory/
Github, Bitwarden itself, Cloudflare, Microsoft
I personally like the demo at https://www.passkeys.io/.
Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.
I wonder if there could be any bias in Proton claiming their product is the best
Do you typically just take people’s word for their claims or do you do cursory research?
I’d trust them miles before Google or Apple. Hell, they dropped the prices on some of their products when they found ways to provide them cheaper. Proton is a good company.
That doesn’t mean they will be around forever. Economic realities care little about whether a company is good or not.
Well of course. It’s still right - the ecosystem lock-in is insane. There needs to be a standard for cloud to cloud transfer between providers.
Or you know, use Proton Pass or 1Password.
I am not using passkeys until it’s possible to easily migrate them between providers (not just devices / browsers). If I used Proton Pass, and then later decided to use another password manager, could I export my passkey data?
Proton Pass allow you to export your passwords in various formats (both plain and encrypted). That you are able to import somewhere else is not something Proton Pass can guarantee but you have your data.
We’ve also given passkeys and passwords equal priority so that you can use them interchangeably in our apps. This means you can store, share, and export passkeys just like you can with passwords.
That’s excellent. Thanks for pointing that out!
The next question is does anyone actually let you import passkeys? I don’t think there is ☹️
I have a few keys in Bitwarden but before I go adding more I am going to play with Proton Pass. A lot of users were understandably annoyed when Bitwarden released passkey support but in such a limited manner.
told ya so, i got downvoted for being skeptical of this shit.
if google or similar is pushing it, is should NOT be trusted!
That is not the takeaway here.
The takeaway is Passkeys are great technology but as implemented by Google, Microsoft, and Apple fall short of what they could be.
This isn’t some “owned by the billionaire class”. It’s an open standard that’s why Bitwarden and Proton both have implementations. Big tech of course provided implementations that are not as portable as possible, that’s all that’s going on here.
There’s really not some big conspiracy to kill kittens or whatever. Passkeys are far more secure (and for most people far more usable) than passwords.
The takeaway is Passkeys are great technology but as implemented by Google, Microsoft, and Apple fall short of what they could be.
then get them implemented by someone else useably. that open authentication login garbage they pushed years ago was also supposed to be an open standard, but you can only use it if you lock yourself in to facebook/google to this day. i still have to use a different password for each damn website still.
id like to see its opennes at work in the real world, in practice, first.
Proton, Bitwarden, 1Password, Yubico (via the Yubikey), and others (including big tech) already have their own independent implementations(?)
Even Keypass has at least a partial implementation https://github.com/keepassxreboot/keepassxc/pull/8825
i’m sure they do, but can i login to most websites using them?
99/100 i get the option to use facebook, google or just bite the bullet and make an account. i’m talking about this by the way:
Yes. Any website that has implemented passkey authentication can be logged into by any Passkey provider. There are no websites that “Only accept Apple passkeys”
I think you better understood their question; thanks for jumping in.
You still deserve those downvotes. There’s nothing to not trust about passkeys.
nah, give me an alternative not exclusively controlled by oligarchs and i will consider it.
Not sure what Google has to do with passkeys besides the fact that they’ve implemented them. Google implemented passwords too but I’m guessing you’re fine with those?
Passkeys are not exclusively controlled by oligarchs so I guess by your own admission you should consider them.
i will, when i see these claims of openness estabilished and working in practice.
Well you’re in luck, they’re currently established and working in practice.
The way Apple or companies like Paypal implement two-factor authentication, let alone passkeys, drive me up the wall. This all could have been so much better.
I’m not even going to mention all the platforms that rolled out passkey creation support, but not passkey login support, for whichever damn reason
I’m well versed in IT security, and even with (or because of) my knowledge, I still haven’t looked deep into setting up passkeys on my services. Just because it’s such a clusterfuck of weird implementations.
I can’t imagine being a normal consumer and wanting to set them up. The poor support teams having to support this…
And I’m managing at least one service at work that could totally benefit from passkey integration. The headache of looking into how to properly implement them is just way too much
I can’t imagine being a normal consumer and wanting to set them up.
It’s quite simple on iOS. IIRC, when logging into the paypal website you get a prompt asking if you’d like to use passkeys. Accept that, then you get a keychain prompt asking if you’d like to make/use a passkey. Click continue and pass FaceID authentication, then you’re in with a passkey. For future logins you click the login with passkey and it faceIDs you in. It’s easy.
Then you are totally locked in with Apple devices and cannot switch to Android and take your passkeys with you
I’m not saying it’s good, I’m saying it’s easy. It is not hard for normal consumers to setup.
