Passkeys are a great idea, but everyone involved seems like they want the process to be as much of a pain in the dick as possible. So until the industry pulls it’s collective head out of its collective ass (not going to hold my breath on that one), it’ll be passwords+2FA for me.
It feels like everyone is trying to tie people to their platform. Oh, and also use the opportunity to force shit like “no custom ROMs or bootloader unlocking” on Android at the same time.
I hate 2fa so much, I never thought they would come up with anything more irritating. Little did I know.
I really like 2FA as long as it’s TOTP and I can use an offline app or program for it. It just works and is very easy and secure.
Jesus Christ, dude, that is exactly it.
We’re trying to implement passkeys at work and the testing has been an absolute nightmare. Literally have no control over the onboarding experience because each tech giant is clamoring over each other, interjecting into the process to be the “home” for your passkeys. It’s bananas.
When it’s all set up, it’s kinda great! But getting set up in the first place is an exercise in frustration.
It’s a chance for them to lock you (normies) into their platform forever. They’re not going to give that up.
Silly.
Edit: my bet is the experience was so ridiculously frustrating, Chrome/Google actually saw some attrition - maybe enough people made Yahoo! Mail accounts that Google noticed
What’s wrong with passkeys? I’m in love with passwordless sign-in with yubikey, so much easier and faster than password + totp
It’s shitty user experience when forced to dig out my phone to authenticate myself to a site I barely give half a shit about.
Like I wouldn’t even have an account if it wasn’t forced, and now you assholes want my phone too?
I think you’re describing SMS passcode, totp or other such factors.
Passcode doesn’t require phone necessarily, but you can use it too
A lot of the stuff that has implemented passkeys so far are on mobile. And I mean the apps serving them out, not things you authenticate to.
BitWarden has a desktop extension and it also handles 2FA. No reason to be using a password, which is way less secure and can be extracted from a website DB via a hack.
Doesn’t the 2FA protect users still, if they only got the password?
In practice, yes. IF IMPLEMENTED PROPERLY it would be extremely unlikely for an attacker to get in.
For example with a proper implementation of TOTP it would require an attacker to guess the correct number between 0 and 999999 in less than half a minute. Most services make you wait a little bit (often less than humans notice) between attempts and don’t allow infinite attempts, so an attacker would have to be unimaginably lucky.
There are sadly lots of huge companies that DON’T IMPLEMENT 2FA PROPERLY. Sony Entertainment (account for PlayStation) for example. So a unique and long password is still important.
It does, but not everyone sets up their 2fa, or uses the least secure forms. Then passwords get hacked, and those lists get shared so when the next hack comes along, they have that many more tools to try and break the encryption (assuming there is any) on a bigger site, compromising even more people.
It’s a whole systemic shit bag. Passkeys were meant to solve a lot of these problems, and they would, but Big Tech is botching the execution in favor of yet another thing locking you into their ecosystem.
In store my passkeys in my password manager, which has a desktop app to access passkeys. What are you using that you have to always use your phone?
Yes, extra security for your personal information is so irritating.
Security for who exactly?
If I don’t even want an account, it’s the “security” of the sites ad targeting data that IDGAF.
Until sites start disallowing youbikeys because it doesn’t make it impossible for you to backup your keys…
What is planned to happen.
Shouldn’t you still need 2fa, and use the passkey as the second auth?
The passkey is still protected with another factor, such as pin code or biometrics
Like when I login to my account, I put the yubikey to usb port, then browser asks me to unlock it using pin code, then I’ll touch the yubikey to confirm I’m in physical access to it, and only then it allows the authentication
In practice this takes about 2 seconds
The amount of people in this thread that don’t understand passkeys surprises me. This is Lemmy. Aren’t we the technical Linux nerds of the Internet?
2FA is just dead simple. I contact you, you contact me, handshake achieved. If you call me out of the blue I raise the alarm. If you get a login attempt with a failed handshake you raise the alarm.
Putting it all behind a pop up screen just isn’t trustworthy to the human brain.
SMS 2FA is notoriously compromised by various means.
I’m not debating that.
2FA is great, right up until you’re also the victim of a sim swap attack.
Text has always been insecure. An authenticator app is better.
2FA is not SMS. SMS is the least secure, shittiest, and simplest form of 2FA, designed as the bare minimum for the average chucklefuck. Everywhere implemented it hastily because the average idiot still uses the same password for everything. It should be illegal as the only form of 2FA, but our governments are run by criminally corrupt dinosaurs.
Fun story! Back in 2017 I tried to remove SMS 2FA entirely, and switch to a data only mobile service. I use 2FA everywhere it’s available, but was able replace SMS with TOTP everywhere except banks, even on big tech platforms where you could only activate TOTP after adding a mobile number and enabling SMS 2FA (you could then remove the mobile number). I ultimately had to keep the voice service because banks required SMS 2FA, with no alternatives beyond their own custom 2FA apps, that can only be registered by SMS. Almost a decade later I have more SMS 2FA than ever before.
The moral of the story is we live in a clown world capitalist dictatorship.
You understand that technical people often are the least likely to trust new technology and are often stuck in the mud when it comes to technology? Doubly so if you are anti-corporation. It seems anything that isn’t the Unix way of doing things can be questioned.
There is a good meme about people who love technology vs people who actually work with the stuff. The former using IoT devices to turn their lights on while the latter uses a light switch and has a gun in case the printer starts making weird noises.
Good point, and I love that meme.
brb opening and feature request for passkeys in Lemmy
edit: nevermind
Passkeys are light years ahead of 2fA in user experience. Why do you dislike them?
Security based on devices is one of the positive innovations of smartphones and perhaps the only area where they’ve improved over the desktop experience.
I very specifically don’t want my security tied to my device. Trying to migrate to new phones, and keeping things synced between a phone, desktop, and laptop is why I long ago moved to a password manager. Now, especially in the phone space, getting passkeys to function fully with a password manager ranges from “pain in the ass” to “not actually possible”.
I had a botched phone battery replacement once resulting in the phone getting replaced very unexpectedly. It was a nightmare trying to get everything back together because I stupidly used google authenticator, which is tied to the specific phone it’s on. Not tying it to the device is the way to go.
I didn’t consider the friction of integrating it into your existing process because I use a manual password manager. But who is saying you should replace a password manager with passkeys? It was always meant to be a parallel system.
Edit: I just wanted to add that people like you and I who have “solved” our credentials problems are a tiny minority. Passwords are shit. Just because we’ve grown accustomed to them doesn’t change that.
You’ll find that nobody has a problem with passkeys specifically. They have a problem with the implementation, and companies forcing passkeys onto users who don’t want or need them.
I don’t need passkeys because I use a password manager. My threat model requires that I can restore my password manager, all 2FA, and regain full access to all my accounts from anywhere in the world, even if a natural disaster occurs and all my devices are destroyed.
Passkeys and SMS 2FA are a direct threat to my threat model, and I can’t help but feel they’re designed to further entrench surveillance capitalism, and the invasion of privacy as a prerequisite for security.
Bitwarden: “I’m literally right here”
Bitwarden+Firefox+Android. That combo doesn’t support passkey creation.
I’m using Bitwarden, Firefox, and Android and passkeys have been working fine for me.
What am I doing wrong?
It just doesn’t work for apps on Android, which is a bummer. For example the Playstation app login with passkey stored in Bitwarden simply doesn’t work for me.
Heard of so many people losing their phone. Then they try to log into something and the company (quite often google) says “I don’t give a fuck if you know your passwords I’m never letting you log into your account get fucked, don’t call I won’t answer”
Why would I want security based on a device? What security this offers greater than a 64 chars password + 2FA?
There’s been a lot of pain in the attempt to portray it as “Just click the passkey button, and that’s it! Your login is secured for life!”
No - Buddy. It is secured for this one specific device that I have biometric authentication for. What about my computer? What about my other computer that isn’t on the same operating system? I have a password manager that stores these things, why didn’t you save to that when I registered? Why is it trying to take this shit from my Apple Keychain when it’s in Bitwarden?
And, the next ultra-big step: How would a non-techie figure this shit out?
And, the next ultra-big step: How would a non-techie figure this shit out?
They don’t have a computer, another computer with a different OS, or bitwarden.
This was roughly the state of affairs before but the state of things have relented where software password managers are now allowed to serve the purpose.
So if a hardened security guy wants to only use his dedicated hardware token with registering backups, that’s possible.
If a layman wants to use Google password manager to just take care of it, that’s fine too.
Also much in between, using a phone instead of a yubikey like, using an offline password manager, etc.
I have my passkeys saved in 1password. (With a yubikey as backup for important things).
Passkeys are one exception to the familiar pattern of “we give you more SeCuRiTY so we can spy on you more and control your behaviour better”. They actually are more secure. Problem is, a lot of technical issues with it still, a ton of stuff not working correctly yet
I’m still appalled that my Yubikey / FIDO2 still doesnt work on Firefox. I have it as a passkey for GitHub, realized it doesnt work on Firefox, so they just prompt me for my password. That seems backwards to have password as a fallback, too.
I’m also having problems using passkeys (stored in Bitwarden) with Github in Firefox. It keeps prompting me to touch the security key, which I don’t have, so I plain can’t use a passkey for Github. Works perfectly for Google though
You can store passkeys in your password manager lol
I use passkeys through 1Password and it’s vastly less irritating to me than anything involving passwords, especially 2fa. I really don’t like having to wait for email to arrive or copying down digits from a text message, which seems to be how 2fa typically works 90% of the time.
Unless I’ve missed something big, passkeys are pretty easy for me if the website supports them imo.
Using KeePassXC, I click register on the website, register the passkey with KeePass, then it just works when I need to authenticate or login. My database is then synced across all my devices.
Passkey support is yet to come to KeePassDX on Android though, so I’ll be awaiting that feature
For me it’s just inconvenient to have to type my computer’s login, but the fingerprint on the phone is nice
It’s not for your security, it’s for the company’s. People suuuuuuuuck when it comes to credentials.
My company insists on expiring passwords every 28 days, and prevents reuse of the last 24 passwords. Passwords must be 14+ characters long, with forced minimum complexity requirements. All systems automatically lock or logout after 10 minutes of inactivity, so users are forced to type in their credentials frequently throughout the day.
Yes people suck with creating decent credentials, but it’s the company’s security policies breeding that behavior.
I don’t get why people get upset at frequently expiring passwords. It’s not hard: just write it on a postit note and stick it on your monitor.
Tell them the NIST recommendations for password frequency changes have been really reduced in recent times because it pushes people into other bad password practices. Among all factors, changing the password frequently is the least important.
Same. They also don’t allow password managers and I have multiple systems that don’t use my main password, so I have at least 5-6 work passwords for different systems.
Nobody can remember all that.
So everyone makes the simplest password they can (since it has to be regularly typed in) and writes it down somewhere so they don’t forget it.
And yet admin, 1234, test, etc. remain the most commonly ‘hacked’ passwords. Your company’s policies may be annoying, but they certainly don’t make you use unsafe passwords.
Remember when tap-to-pay was new and didn’t work at a lot of places and some people were freaked out over it?
And now most of us use it without a 2nd thought.
I speculate passkeys will be like that.
I’d use it if it didn’t cost extra in my country. Swiping my card really isn’t much harder
Interesting, I didn’t know it costs extra in some places. TIL.
I thought passkeys were supposed to be more secure?
sure, you can use a passkey as a primary authentication, but only “a device” or “system”(keypass/1pass etc) knows the passkey detail. with only passkey, if my passkey provider/ device is compromised then everything is lost. having single factor auth seems like a bad idea.
a password is something that I can know, so is still useful as a protection mechanism. having two factor auth should include password and passkey, which seems entirely reasonable whilst also providing an easier path forward for people used to TOTP.
Passkey is “something you own” right?
I have something I own, it’s a Yubikey
And how many sites support Yubikeys/Security Keys? Not many. I doubt we’ll see more either now with Passkeys becoming more prominent.
I have two Yubikeys and other than securing my password manager vault they are rarely used elsewhere.
I thought passkeys had to be behind biometrics, so “own” + “are”?
I don’t think that’s true.
You can store them in keepassxc which can be accessed with a password.
I think it’s “have” + “know” or “are”.
So you have the device with the passkey, and know the unlock pin or are the person with the biometrics.
How i interpretted it is that the biometrics provide access to the tpm which is like a built in yubikey you “own”.
I’ll use banks as an example
If they cared about your security there would not be a mobile app or website.
Hell, credit cards would still require a signature.
It’s about cost first and foremost and then convenience.
Has nothing about you as a consumer. They don’t give 2 shits about you as a consumer.
Do you think signatures were at all secure? If they cared about security they’d do chip+pin like most civilized countries.
With proper infrastructure yes signatures are extremely secure. But that proper infrastructure doesn’t exist.
I struggle to think of what that extremely secure infrastructure would look like. Are you imagining signing on an electric terminal and having a computer compare signatures at the time of sale? That seems like the most secure and still wildly insecure compared to a pin.
