• Badabinski@kbin.earth
    2 months ago

    I just wish that companies enabling passkeys would still allow password+MFA. There are several sites that, when you enable passkeys, lock you out of MFA for devices that lack a biometric second factor of authentication. I’d love to use passkeys + biometrics otherwise, since I’ve often felt that the auth problem would be best solved with asymmetric cryptography.

  • darkstar@sh.itjust.works
    2 months ago

    I’m sorry but I seriously do not see any benefits to using passkeys.

    I use 24 character passwords in Bitwarden with 2fa on all accounts, how is a passkey better than that?

  • MoogleMaestro@lemmy.zip
    2 months ago

    The problem with PassKey is simply that they made it way more complicated.

    Anyone who has worked with SSH keys knows how this should work, but instead companies like Google wanted to ensure they had control of the process so they proceeded to make it 50x more complicated and require a network connection. I mean, ok, but I’m not going to do that lmao.

    • interdimensionalmeme@lemmy.ml
      2 months ago

      Private keys on an anonymous, untraceable smartcard. PIN or matching-on-card fingerprint for the second factor. Everything else can go directly into the garbage bin.

    • Sl00k@programming.dev
      2 months ago

      Would love for you to describe exactly how it’s more complicated. From my perspective I click a single button and it’s set up. To log in I get a notification on my device, I click a button and I’m logged in.

      • WhyJiffie@sh.itjust.works
        2 months ago

        They must have meant technically complicated, which is also meaningful in consumer technology.
        Like, if it's true that it requires an internet connection, that's quite bad, partly because it is yet another avenue for possible tracking, and what if the service you want to access is not on the internet, but the passkey still doesn't work without it?

      • corsicanguppy@lemmy.ca
        2 months ago

        Would love for you to describe exactly how it’s more complicated.

        YOU JUST DID, below

        From my perspective

        neat.

        I click a single button

        … on your device tethered to a single app by a single vendor and their closed data store

        and it’s set up.

        … and tethered to prevent you from churning.

        To log in I

        … wait online to …

        get a notification on my device,

        … or send it again. Or again. Try again. Maybe mail it?

        I click a button and I’m logged in.

        Yeah. Just click (tap) a button (enter a code).

        Using a big-brand MFA setup at one job that requires ‘one button’ and ‘get a notification’ and ‘click a button’, I know you’re glossing over the network issues HEAV-I-LY.

        Now do it in airplane mode. Do it when the token organization is offline. Do it when there’s no power because the hurricane hit and there’s no cell, no data, no phones, and your DC is on its last hour of battery and you have to log in because the failover didn’t run.

        Do it when your phone fell on its face in the rain into a puddle and it's not a Nokia.

        Do it when you either have cell service and 5% battery, or 100% battery from inside the DC and no cell service.

        Do it when you’re tired, hungry, drunk, lost your glasses in the car accident.

        The D in DR means DISASTER. Consider it.

  • azalty@jlai.lu
    2 months ago

    I have never understood the goal of passkeys. Skipping 2FA seems like a security issue and storing passkeys in my password manager is like storing 2FA keys on it: the whole point is that I should check on 2 devices, and my phone is probably the most secure of them all.

    • ByteOnBikes@slrpnk.net
      2 months ago

      That was my take too.

      Security training was something you know, and something you have.

      You know your password, and you have a device that can receive another way to authorize. So you can lose one and not be compromised.

      Passkeys just skip that “something you have”. So you lose your password manager, and they have both?

  • jagged_circle@feddit.nl
    2 months ago

    Dunno, we rolled it out without issue. But of course they also had keepass. You want password AND (TOTP token or hardware token)

  • infeeeee@lemm.ee
    2 months ago

    There was a related news recently, that bitwarden and other pw managers will be able to sync passkeys between devices. Won’t that solve these issues?

    • uiiiq@lemm.ee
      2 months ago

      My thoughts exactly. I use Bitwarden and passkeys sync flawlessly between my devices. Password managers tied to a device or ecosystem are stupid and people shouldn't use them. This is true whether you use passwords or passkeys.

      That said, we cannot blame users for bad UX that some platforms and some devs provide.

      • Tetsuo@jlai.lu
        2 months ago

        Isn't your password manager tied to an ecosystem with Bitwarden?

        I'm surprised people trust third parties to hold their passwords.

        Weren't there multiple password managers that got pwned over the years?

        If you can sync passwords you are also more exposed than with some unhandy but secure local password storage.

        • 4am@lemm.ee
          2 months ago

          Weren't there multiple password managers that got pwned over the years?

          Pretty much only LastPass

        • uiiiq@lemm.ee
          2 months ago

          I can use bitwarden on Windows, Linux, Mac, iOS, Android, on desktop app or using CLI. That’s a stark difference in comparison with built in Microsoft or Apple keychains. And yes, I trust Bitwarden.

    • exu@feditown.com (OP)
      2 months ago

      I remain hopeful. Initially, when KeePass wanted to include a simple export option there was talk of banning them from using passkeys.

  • umbrella@lemmy.ml
    2 months ago

    That's close to what I have been fucking saying and getting hate for.

    So I'm glad someone has written it on a damn blog to legitimize it?

    • XNX@slrpnk.net
      2 months ago

      It’s because he has an email company he wants you to use for $100 a year lol

  • realitista@lemm.ee
    2 months ago

    For me, I’d prefer that everyone just adds biometric authentication techniques. A couple websites do this already and it’s great. Many devices have biometrics built in already and if this was widespread I’d certainly have no problem buying a fingerprint reader for my desktop computer.

  • asudox@programming.dev
    2 months ago

    Passkeys are only good if they aren't in an online password manager. They are better than TOTP 2FA in terms of security and phishing resistance. I see 2FA as a last resort when someone even gets into my password manager. Storing passkeys there completely makes this useless, as I'm sure anyone that can log into my accounts would've done so by getting a hold of my unencrypted password manager database. Unless Android provides a real offline way of storing passkeys on the device, I am not interested a lot.
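
Added example (written for this page; it is not code from any commenter, from Bitwarden, or from the FIDO Alliance): a Go model of the two login flows argued about in this thread, the "24-character password + 2FA" setup darkstar describes and the asymmetric challenge-response Badabinski and asudox prefer, each relayed through a lookalike phishing site. It uses only the Go standard library. The relying party example.com, the lookalike examp1e.com, the password and the TOTP seed are constructed for the demo, and the authenticator is simplified to signing rpIdHash || sha256(clientDataJSON) rather than producing full WebAuthn authenticatorData.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"time"
)

// totp returns the 6-digit RFC 6238 code (HMAC-SHA1, 30 s step) for time t.
func totp(secret []byte, t time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff)%1000000)
}

// clientData mirrors WebAuthn's clientDataJSON; the browser, not the page, fills in the origin the user is on.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the site receives; real authenticatorData begins with sha256(rpId), which is all we keep.
type assertion struct {
	rpIDHash   [32]byte
	clientJSON []byte
	signature  []byte
}

// authenticatorSign is the passkey side and needs no network: it signs rpIdHash || sha256(clientDataJSON).
// rpID is the domain the browser derived from the page origin, never a value the page may choose freely.
func authenticatorSign(priv ed25519.PrivateKey, rpID, origin, challenge string) assertion {
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	return assertion{rpIDHash: rpHash, clientJSON: cd, signature: ed25519.Sign(priv, append(rpHash[:], cdHash[:]...))}
}

// relyingParty is the genuine site: one user's password, TOTP seed, passkey public key and open challenges.
type relyingParty struct {
	rpID, origin, password string
	totpSeed               []byte
	pubKey                 ed25519.PublicKey
	issued                 map[string]bool
}

func (rp *relyingParty) newChallenge() string {
	var b [16]byte
	rand.Read(b[:])
	c := fmt.Sprintf("%x", b)
	rp.issued[c] = true
	return c
}

// loginPasswordTOTP accepts any correct password and in-window code, wherever the user typed them.
func (rp *relyingParty) loginPasswordTOTP(password, code string, now time.Time) bool {
	return hmac.Equal([]byte(password), []byte(rp.password)) && code == totp(rp.totpSeed, now)
}

// loginPasskey rejects on an unknown or reused challenge, wrong origin, wrong rpId hash or bad signature.
func (rp *relyingParty) loginPasskey(a assertion) bool {
	var cd clientData
	if json.Unmarshal(a.clientJSON, &cd) != nil || !rp.issued[cd.Challenge] {
		return false
	}
	delete(rp.issued, cd.Challenge) // single use, so replaying a captured assertion fails here
	if cd.Origin != rp.origin || a.rpIDHash != sha256.Sum256([]byte(rp.rpID)) {
		return false
	}
	cdHash := sha256.Sum256(a.clientJSON)
	return ed25519.Verify(rp.pubKey, append(a.rpIDHash[:], cdHash[:]...), a.signature)
}

// demo enrols one constructed user at example.com and returns whether each attempt was accepted: a genuine
// passkey login, a replay of that same assertion, then password+TOTP and a passkey assertion relayed via examp1e.com.
func demo() (genuine, replayed, totpPhished, passkeyPhished bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rp := &relyingParty{rpID: "example.com", origin: "https://example.com", password: "correct horse battery staple",
		totpSeed: []byte("constructed seed"), pubKey: pub, issued: map[string]bool{}}
	a := authenticatorSign(priv, rp.rpID, rp.origin, rp.newChallenge())
	genuine, replayed = rp.loginPasskey(a), rp.loginPasskey(a)
	now := time.Now()
	// The user types password and code into the lookalike; the attacker forwards both within the 30 s step.
	totpPhished = rp.loginPasswordTOTP(rp.password, totp(rp.totpSeed, now), now)
	// The attacker relays a real challenge, but the browser binds the signature to the lookalike origin.
	phished := authenticatorSign(priv, "examp1e.com", "https://examp1e.com", rp.newChallenge())
	return genuine, replayed, totpPhished, rp.loginPasskey(phished)
}

func main() {
	fmt.Println(demo()) // genuine, replayed, phished password+TOTP, phished passkey
}
```

Run with `go run`; it prints `true false true false`: the genuine assertion is accepted, replaying it is refused because the challenge is single-use, the relayed password and TOTP code are accepted by the real site within the 30 s step, and the relayed passkey assertion is refused because the browser bound it to https://examp1e.com and sha256("examp1e.com"). In real WebAuthn the browser would not even offer the example.com credential on examp1e.com (credentials are scoped by rpId), so the attacker would get no assertion at all; the model lets the signature happen to show the relying-party checks that would still stop it. The signing step itself needs no network here; only the challenge and the assertion cross the wire between browser and site.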

  • Petter1@lemm.ee
    2 months ago

    I disagree with most of those arguments in the article... Additionally, there is nearly no passkey-using service that does require you to still have PW and 2FA login active even if you use passkeys.

    We are right now in the learning/testing phase. It is not a flip where suddenly only passkeys work. The transition to passkey-only will take a very long time, like it did for 2FA; like, my girlfriend has it on at only about 2 services, lol.

    The main problem I have is, that people without knowledge get grabbed into walled gardens using passkeys. People with knowledge know that you can use alternative apps for passkeys, like proton or strongbox (keepass).

  • Rentlar@lemmy.ca
    2 months ago

    I am very shitty on security (I would not write this reply on a post on the cybersecurity community), and I resisted MFA for several years as being too annoying having to login to mail/SMS. After finding open source apps supporting TOTP, I feel better about it and I manually do the syncing by just transferring the secrets between my devices offline.

    Passkeys are another foreign thing that I think I will get used to eventually, but for now there are too many holes in support, too much vendor lock-in (which was my main distaste for MFA, I didn’t want MS or Google Authenticator), and cumbersome (when email and SMS were the only options for MFA, difficulty of portability for passkeys).

  • egerlach@lemmy.ca
    2 months ago

    I wish FIDO had paid more attention to SQRL. It’s long in the tooth now, but with some attention it could have been a better solution than passkeys, IMO.

  • drspod@lemmy.ml
    2 months ago

    I thought passkeys were supposed to be a hardware device?

    This is typical embrace/extend/extinguish behavior from the large platforms that don’t want their web-SSO hegemony challenged because it would mean less data collection and less vendor lock-in.

    The whole idea of passkeys provided by an online platform should have been ruled out by the specification. It completely defeats the purpose of passkeys which is that the user has everything they need to authenticate themself.