I spent the morning switching as many accounts as I could to #Passkeys, and it was the most pleasant, simple, and straightforward process. I am disappointed that many sites are only using it as a 2FA option instead of the main sign in tool (including #Mastodon).
It's extremely intuitive, and I can't wait for all of my passwords to be gone.
#Passkeys truly are the new lock in for password managers. I'm trying to be a good citizen and use passkeys wherever I can, but now I can't properly try other password managers without needing to create dozens of new keys. I'm trying Proton Pass now, and it's a major pain.
Extrapolate this out to a world where passkeys are the norm and effectively all of my accounts authenticate this way, and moving your data becomes impossible. :dumpster:
I know the FIDO Alliance and passkey enthusiasts will say that the passkey standard isn't built to lock users in, and migrating them should be possible.
That's well and good, but we're several years into this and zero of the major players support this. Whether you use Apple, Google, 1Password, or anything else, your passkeys are locked to those accounts today. maybe you can move in a few years, but you can't now. Yay.
Something something, don't get a product today based on hopes and dreams of future software updates…
As an aside, Apple is the only place I've been that makes it impossible to use anything besides their password manager for setting up a passkey. It's maddening.
Bist du es leid, dir unzählige #Passwörter zu merken? Die neueste Technologie der #Passkeys verspricht eine einfache Lösung.
Aber wie nah sind wir wirklich an dieser Zukunft? In meinem neuesten Blogbeitrag werfe ich einen kritischen Blick auf die aktuellen Herausforderungen von Passkeys.
Erfahre mehr über die Zukunft der digitalen Authentifizierung. 🚀💻
PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
Structural security trumps computational security ... or ...
Diffuse structural security trumps amalgamated computational security ...
All your big, strong passkeys in one basket is less secure than your passwords in many individual baskets ...
Trying to explain this to tech bros can resemble pushing a wagon uphill ...
Because they want to sell something, logic is not paramount.
"A password in my brain is generally safer than an app or SMS stream that can be compromised. Although a passphrase may in some cases not be computationally more secure than a token mechanism or two-factor sytem, the simple passphrase is often structurally more secure because that passphrase only links to and exposes one service target."
"I like to compare it to having one basket of eggs in one spot, and many baskets of eggs in many places. If your one basket of eggs has the master key to all the other stronger keys, is it easier to get the one basket, or the many baskets with weaker keys? So in this scenario cipher strength is not the most important factor for security. With a single basket one fox or pick-pocket or one search warrant can own all of your eggs for all your services."
Am I the only one confused by #passkeys? They feel clunky, it's not at all clear what is going on, and honestly doesn't feel any different than a password manager (but somehow worse)
I really don't even understand what is going on under the hood. Are there any good explainers out there? #ux#passkey
@scottjenson The main problem for me is that browser vendors have intentionally made passkeys difficult to use without hardware keys. There are clunky ways to emulate Bluetooth hardware keys purely in software but that just adds to the confusion.
I would've preferred tight integration with something we know, like GPG/PGP, though that stack has its own set of issues (mainly that there are not good secondary implementations, but they might be resolved.)
I recently implemented Passkey support in one of my apps, and ran into some limitations of the spec. I had no idea it was this bad.
I had assumed I’d be able to get my passkeys out of my Apple devices, but hadn’t put any real thought into that.
“Since then Passkeys are now seen as a way to capture users and audiences into a platform. What better way to encourage long term entrapment of users then by locking all their credentials into your platform, and even better, credentials that can't be extracted or exported in any capacity.”
@firstyear , the author of webauthn-rs, on #passkeys (I don't agree with everything in the article):
»starting to agree - a password manager gives a better experience than passkeys.[…]
Get something like bitwarden or if you like self hosting get vaultwarden. Let it generate your #passwords and manage them. If you really want passkeys, put them in a password #manager you control. But don't use a platform controlled passkey store, and be very careful with security keys.«
What account should I use as my first experimental login to convert to using passkeys?
PayPal?
I know you don't know what systems I use, so this is a bit of a meaningless question. But do you know of any popular systems that a lot of people use that now support passkeys?
Preferably ones that can be stored and used by 1Password 8. Maybe I should do 1Password first if they support passkeys.
This new and easy way to secure your accounts removes the need for passwords by authenticating you with your device. Passkeys also provide a higher protection against #phishing attacks.
@bru We are fans of Firefox as well, and look forward to the submission to the extension store getting approved.
There are few services that actually replace the the password completely with a passkey, so you can log in as normal on Firefox until the new submission is approved.
Les #passkeys sont enfin désormais supportées par #ProtonPass de @protonprivacy sur tous les appareils compatibles et les types de comptes (autant gratuits que payants). Ne manque plus que la possibilité de classer les données par dossiers ou étiquettes (labels).
#ProtonPass, le gestionnaire de #MotDePasse de @protonprivacy, prend désormais en charge les #PassKeys. Peu de sites utilisent déjà cette technologie, mais le nombre augmente de plus en plus. Une nouvelle couche de #sécurité pour vos connections, plus performante et sûr que la #2FA
@error_500@Belganon Proton's encryption provides privacy by default - the content of your emails, files on Proton Drive, calendar, passwords on Proton Pass etc. remains inaccessible to us, and therefore we cannot share it with any third-parties, including law enforcement included. As any legally operating company, we have to comply to the local legislation, but no legal request can bypass the encryption we provide, which has been proved multiple times in court.
#Passkeys: reinventing TLS client certificate authentication that is proxyable and all private keys stored in the cloud and then of course the connection is only on one side TLS authenticated and therefore MITM-able from the other (aka proxyable, yes yes CAs and stuff but ya' know). Does this sound about right?
@floyd Pretty much. The idea is that this might actually be usable enough to replace phishable bearer tokens, which nothing else succeeded at replacing so far. Usability has value.
