“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.

  • nevemsenki@lemmy.world · 86 up, 6 down · 9 days ago

    If the passkeys aren’t managed by your devices fully offline then you’re just deeper into being hostage to a corporation.

    • unskilled5117@feddit.org · 14 up, 2 down · edited · 9 days ago

      The lock-in effect of passkeys is something that this protocol aims to solve though. The “only managed by your device” is what keeps us locked in, if there is no solution to export and import it on another device.

      The protocol aims to make it easy to import and export passkeys so you can switch to a different provider. This way you won’t be stuck if you create passkeys e.g. on an Apple device and want to switch to e.g. Bitwarden or an offline password manager like KeePassXC.

      > The specifications are significant for a few reasons. CXP was created for passkeys and is meant to address a longstanding criticism that passkeys could contribute to user lock-in by making it prohibitively difficult for people to move between operating system vendors and types of devices. […] CXP aims to standardize the technical process for securely transferring them between platforms so users are free […].

      • nevemsenki@lemmy.world · 10 up, 1 down · edited · 9 days ago

        That’s between platforms though. I like my stuff self-managed. Unless it provenly works with full offline solutions I’ll remain sceptical.

        • darklamer@lemmy.dbzer0.com · 1 up · 8 days ago

          > I like my stuff self-managed.

          Bitwarden / Vaultwarden is a popular available working solution for self-hosting and self-managing passkeys (as well as passwords).

  • Gutless2615@ttrpg.network · 55 up, 8 down · edited · 9 days ago

    Literally just use a password manager and 2/MFA. It’s not a problem. We have a solution.

    • shortwavesurfer@lemmy.zip · 33 up, 2 down · 9 days ago

      Actually, it is still a problem, because passwords are a shared secret between you and the server, which means the server has that secret in some sort of form. With passkeys, the server never has the secret.

      • Programmer Belch@lemmy.dbzer0.com · 8 up, 3 down · 9 days ago

        Best password manager is offline password manager.

        KeePassXC makes a file with the passwords that is encrypted; sharing this file with a server is more secure than letting the server manage your passwords.

      • Gutless2615@ttrpg.network · 8 up, 4 down · 9 days ago

        The shared secret with my Vaultwarden server? Add MFA and someone needs to explain to me how passkeys do anything more than saving one single solitary click.

        • 4am@lemm.ee · 13 up · 9 days ago

          When a website gets hacked they only find public keys, which are useless without the private keys.

          Private keys stored on a password manager are still more secure, as those services are (hopefully!) designed with security in mind from the beginning.

        • shortwavesurfer@lemmy.zip · 10 up, 1 down · 9 days ago

          Passkeys are for websites such as Google, Facebook, TikTok, etc. And then they go into what is currently your password manager or if you don’t have one, it goes into your device. You still have to prove to that password manager that you are who you say you are, either by a master password of some sort or biometrics.

      • huginn@feddit.it · 5 up, 2 down · 9 days ago

        You can share passwords without the server seeing them. Many managers don’t but there’s nothing infeasible there. You just have a password to unlock the manager. Done.

        • shortwavesurfer@lemmy.zip · 5 up, 2 down · 9 days ago

          What I’m getting at is that a web server has a password, in some form. And so if that site gets breached, your password itself may not get leaked, but the hash will. And if the hash is a common hash, then it can be easily cracked or guessed.

          • huginn@feddit.it · 5 up · 9 days ago

            Ultimately I’m pro passkey but when it comes to password managers: if the hash of your vault is easy to crack you’ve fucked up big time. There shouldn’t be any way to crack that key with current tech before the sun explodes because you should be using a high entropy passphrase.

          • theherk@lemmy.world · 1 up · 8 days ago

            Not anything sufficiently modern. Salted passwords should be exceedingly difficult to reverse.

    • huginn@feddit.it · 13 up · 9 days ago

      Never forget that technologically speaking you’re nothing like the average user. Only 1 in 3 users use password managers. Most people just remember 1 password and use it everywhere (or some other similarly weak setup).

      Not remembering passwords is a huge boon for most users, and passkeys are a very simple and secure way of handling it.

    • helenslunch@feddit.nl · 1 up · 9 days ago

      I mean, it is. Aside from an additional associated cost, it’s still much less convenient.

  • Aniki 🌱🌿@lemmings.world · 46 up, 4 down · 9 days ago

    I’ll switch when it’s fully implemented in open source and only I am the one with the private key. Until then it’s just more corporate blowjobs with extra steps.

  • rickdg@lemmy.world · 34 up, 2 down · 9 days ago

    If you tell corporations there’s a way to increase lock-in and decrease account sharing, they’re gonna make it work.

  • Dasnap@lemmy.world · 19 up, 1 down · 9 days ago

    I always feel like an old granny when I read about passkeys because I’ve never used one, and I’m worried I’ll just lock myself out of an account. I know I probably wouldn’t, but new things are scary.

    Are they normally used as a login option or do they completely replace MFA codes? I know how those work; I’m covered with that.

    • narc0tic_bird@lemm.ee · 8 up · 9 days ago

      Usually just an option in addition to a password + MFA. Or they just replace the MFA option and still require a password. I even saw some variants where it replaced the password but still required an MFA code. It’s all over the place. Some providers artificially limit passkeys to certain (usually mobile) platforms.

    • helenslunch@feddit.nl · 2 up · 9 days ago

      It’s not unreasonable at all. I locked myself out of several accounts after everyone recommended KeePass for TOTP and then I lost all the keys. Getting those accounts back was a fucking nightmare.

  • 2xsaiko@discuss.tchncs.de · 18 up, 1 down · 9 days ago

    I’m not convinced this is a good idea. Resident keys as the primary mechanism were already a big mistake, syncing keys between devices was questionable at best (the original concept, which hardware keys still have, is the key can never be extracted), and now you’ve got this. One of the great parts about security keys (the original ones!) is that you authenticate devices instead of having a single secret shared between every device. This just seems like going further away from that in trying to engineer themselves out of the corner they got themselves into with bullshit decisions.

    Let me link this post again (written by the Kanidm developer). Passkeys: A Shattered Dream. I think it still holds up.

    • unskilled5117@feddit.org · 11 up · edited · 9 days ago

      The author of your blog post comes to this conclusion:

      > So do yourself a favour. Get something like bitwarden or if you like self hosting get vaultwarden. Let it generate your passwords and manage them. If you really want passkeys, put them in a password manager you control. But don’t use a platform controlled passkey store, and be very careful with security keys.

      The protocol (CXP), which the article is about, would allow you to export the passkeys from the “platform controlled passkey store” and import them into e.g. Bitwarden. So I would imagine the author being in favor of the protocol.

  • HubertManne@moist.catsweat.com · 16 up, 1 down · 9 days ago

    The real problem is not passwords so much as trusted sources. Governments should have an email account that citizens have a right to and will not go away and have local offices to verify access issues.

  • narc0tic_bird@lemm.ee · 6 up · 9 days ago

    My password manager supports passkeys just fine, across Windows, macOS, Linux and iOS (and probably Android but I haven’t tried). Surprisingly, iOS integrates with the password manager so it’s usable just like their own solution and it works across the system (not just in the browser).

    This seems to be more about finding a standard way to export/import between different password managers/platforms?

    • trevor@lemmy.blahaj.zone · 4 up · 9 days ago

      Correct. The spec is about making it easier and more secure to export your passwords and passkeys when you move from one password manager to another. People are misunderstanding this as some sort of federated authentication system to share your credentials between multiple password managers at the same time, which it is not.

  • lemmeBe@sh.itjust.works · 6 up · 9 days ago

    It’s enough to read the title. The rest of the article doesn’t provide much else other than being one step closer. 😄

  • Pyflixia@kbin.melroy.org · 8 up, 3 down · 9 days ago

    Whenever I read stuff like this, my mind goes a bit hazy. Because I’m just finding myself asking ‘Why and when did the simple mechanic of passwords get this difficult?’

    Maybe if password requirements weren’t stingingly stupid, companies cared more about actual security and not an obstacle course they’ve gotta send people through to do one thing. We wouldn’t ever know or need to know systems like this.

    • 4am@lemm.ee · 7 up, 1 down · 9 days ago

      With passkeys you never need to worry about the storage method used by the site. Some sites STILL store passwords in plaintext. When that database gets hacked, it’s game over.

      A public passkey, even stored in plaintext, is useless to an attacker.

      Maybe that doesn’t matter for you or me, with our 64-character randomly generated passwords unique to each service, but the bigger picture is that most people just use the same password everywhere. This is how identity theft happens.
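Added example (not written by anyone in this thread): a simplified Node.js model of the two server-side records the comments above compare, a salted password verifier and a passkey public key, and what each one allows once it is exposed. It is not the WebAuthn wire format; the relying-party ID, the sample password and all function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Password account: the server stores a salted scrypt verifier of the shared secret.
function registerPassword(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}
// Anyone holding the stored record can confirm a guess without contacting the server.
function guessMatchesRecord(record, guess) {
  return crypto.timingSafeEqual(crypto.scryptSync(guess, record.salt, 32), record.hash);
}

// Passkey account: the private key stays on the authenticator, the server stores the public key.
function registerPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { serverRecord: { publicKey }, authenticator: { privateKey } };
}
// Bytes covered by the signature: the server's fresh challenge plus the relying-party ID.
const signedBytes = (challenge, rpId) => Buffer.concat([challenge, Buffer.from(rpId)]);
function signAssertion(privateKey, challenge, rpId) {
  return crypto.sign(null, signedBytes(challenge, rpId), privateKey);
}
function verifyAssertion(record, challenge, rpId, signature) {
  return crypto.verify(null, signedBytes(challenge, rpId), record.publicKey, signature);
}

// Constructed scenario: both stored records are exposed in a database breach.
function breachDemo() {
  const rpId = 'example.test';                      // hypothetical relying party
  const pwRecord = registerPassword('Summer2024!'); // constructed weak password
  const { serverRecord, authenticator } = registerPasskey();

  const challenge1 = crypto.randomBytes(32);
  const signature1 = signAssertion(authenticator.privateKey, challenge1, rpId);
  const challenge2 = crypto.randomBytes(32);        // the next login gets a new challenge
  // Holding serverRecord gives no private key; a signature from any other key must fail.
  const otherKey = crypto.generateKeyPairSync('ed25519').privateKey;
  return {
    passwordGuessConfirmedOffline: guessMatchesRecord(pwRecord, 'Summer2024!'),
    wrongGuessRejected: !guessMatchesRecord(pwRecord, 'hunter2'),
    legitimateLogin: verifyAssertion(serverRecord, challenge1, rpId, signature1),
    oldSignatureOnNewChallenge: verifyAssertion(serverRecord, challenge2, rpId, signature1),
    otherKeyAccepted: verifyAssertion(serverRecord, challenge2, rpId,
      signAssertion(otherKey, challenge2, rpId)),
  };
}

console.log(breachDemo());
```

Salting and a slow hash raise the cost of each guess but the password record still confirms a correct one offline, so its strength rests on the password's entropy; the passkey record can only verify signatures.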

    • helenslunch@feddit.nl · 2 up · 9 days ago

      > ‘Why and when did the simple mechanic of passwords get this difficult?’

      When and because people started storing all their intimate personal details on the internet and hackers sought to exploit those details.

      > Maybe if password requirements weren’t stingingly stupid, companies cared more about actual security and not an obstacle course they’ve gotta send people through to do one thing.

      The obstacle course is the security, unfortunately. That’s the problem this aims to solve.

  • asdfasdfasdf@lemmy.world · 5 up, 1 down · 9 days ago

    Meanwhile mobile Firefox doesn’t even support YubiKey / FIDO2 for some godforsaken reason.

    • trevor@lemmy.blahaj.zone · 4 up, 1 down · edited · 8 days ago

      ~~This is straight-up wrong.~~ I use FIDO2 and Yubico OTP auth in Firefox desktop on a weekly basis.

      Are you sure you’re not using a hardened fork or tinkered with your about:config?

      The main thing that Firefox frustratingly does not support is PRF, which is needed for encrypting data with FIDO-compatible devices, but they are working on that.

      Edit: OP said mobile Firefox and I missed that. Added clarification.

  • Encrypt-Keeper@lemmy.world · 1 up · edited · 8 days ago

    ITT: Incredibly non-technical people who don’t have the first clue how Passkeys work but are convinced they’re bad due to imaginary problems that were addressed in this very article.