I don't think passwords will be replaced. This is more of a demonstration of over complicated password rules, than against passwords itself.
Hardware and biometric keys can be stolen, cloned and lost. And trusting third-parties with keys to harddrive encryption is also not really trustworthy.
1. You can have multiple hardware keys or devices bound to an account as a backup of for ease of use.
2. Passkeys allow you to pick a backup solution of your choosing. Could be your own nextcloud server in the corner. This is no different than giving someone a choice of cloud-synced password manager
Both solutions avoid phishing, password re-use, keylogging, or people picking weak passwords.
There is no excuse for anyone even supporting passwords at this point. Sysadmins have not commonly used passwords for ssh in 20 years, favoring private keys on either hardware or encrypted disks. Keys better than passwords-over-the-wire in every way.
> 1. You can have multiple hardware keys or devices bound to an account as a backup of for ease of use.
How does that help if someone steals your hardware key, login in with it and then puts it back. You don't even know that it was stolen and your account was messed with. With a good password you know if you tell someone. Granted people could film you typing your password, but stealing your hardware key is much easier.
> 2. Passkeys allow you to pick a backup solution of your choosing. Could be your own nextcloud server in the corner. This is no different than giving someone a choice of cloud-synced password manager
This isn't about backup, but trust. Do I trust a third-party to manage the keys to my kingdom? No. And even if, the third-party is a much easier target for 3 letter agencies, governments or other rich/influential bad actors. Also I haven't seen a solution where passkey can be used to decrypt my LUKS partition.
> There is no excuse for anyone even supporting passwords at this point. Sysadmins have not commonly used passwords for ssh in 20 years, favoring private keys on either hardware or encrypted disks. Keys better than passwords-over-the-wire in every way.
The encrypted disks are hopefully protected with a password, and not magically unencrypted, just by booting it with the right TPM configuration. The hardware hopefully requires a pin or password in order to unlock the SSH key, and the SSH key on disk is hopefully encrypted with a password as well.
1. If they have the access to steal your hardware key then they also probably have access to replace your usb charging cable with a malicious one, or install a keylogger on your system, or place a microphone or camera near you for acoustic or optical keylogging. All ways your password could be stolen without you knowing. If your yubikey is stolen at least you find out fast and could warn your IT manager to lock you out. Still, 99.999% of all threats are online, and for the rare few that have physical theft of keys in their threat model, then you have the option to set a pin on your yubikey with a 3 try lockout. Or you can use touchid, or another platform authenticator built into your laptop. If they can steal your unlocked laptop, then neither passwords or passkeys are going to help so this is moot.
2. Fido2 lets you decide who to trust. A non technical user can use google or apple or a hosted nextcloud instance as a backup. A technical user is more likely to enroll the TEEs built into their phones and laptops, with a yubikey in a safety deposit box as a backup.
Passkeys and FIDO2 offer a massive reduction in attack surface and are superior to passwords in every way for every threat model I have ever heard of.
You have all the same options for managing a fido2/passkey/webauthn key as you do an ssh key.
Web passwords should go die in the same fire as SMS 2FA.
> 1. If they have the access to steal your hardware key then they also probably have access to replace your usb charging cable with a malicious one, or install a keylogger on your system, or place a microphone or camera near you for acoustic or optical keylogging. All ways your password could be stolen without you knowing. If your yubikey is stolen at least you find out fast and could warn your IT manager to lock you out. Still, 99.999% of all threats are online, and for the rare few that have physical theft of keys in their threat model, then you have the option to set a pin on your yubikey with a 3 try lockout. Or you can use touchid, or another platform authenticator built into your laptop. If they can steal your unlocked laptop, then neither passwords or passkeys are going to help so this is moot.
You are jumping around various attack scenarios to make your point. If your child steals your hardware token to shop on amazon and then put it back afterwards is a different and much more likely scenario then some targeted attack by some hacker that is prepared and breaks into your home...
Most online threads are about social engineering, where the person that is attacked actually cooperates with the attacker, AFAIK there is no safeguard against that, other than not trusting people with their own stuff.
I would worry more about someone stealing a locked laptop. If there is no password (or other kind of knowleged based protection), then they have everything they need to unlock it.
> Web passwords should go die in the same fire as SMS 2FA.
So since you limited your argument now to just Web passwords. Does that mean you agree with me that you don't think there is a good solution to replace passwords for encryption or local authentication that works offline and doesn't move the trust away from the user?
Web passwords are the primary issue. Secrets that are local on your system with hardware enforced rate limiting, such as a pin on a yubikey, are reasonable. Pins are short and memorable. Passwords generally must be 256 bits of entropy and thus not easily memorable.
You can do FDE with a smart card+pin or smart card+biometrics depending on your threat model.
I consider a pin provided to local hardware or for local decryption different from the concept of a password as is widely deployed on every web service under the sun.
Services should never see your secrets though, only public keys.
I assumed we were talking about web passwords given that is the only scope FIDO2/passkeys cover.
> Web passwords are the primary issue. Secrets that are local on your system with hardware enforced rate limiting, such as a pin on a yubikey, are reasonable. Pins are short and memorable. Passwords generally must be 256 bits of entropy and thus not easily memorable.
I consider PINs, passwords and passphrases as the same thing, just different rules to create/input them. Numerical PINs might be easier to remember, but as with unlock patterns on a phone, it is also easier to casually observe someone entering and memorizing it.
Biometrics I am not a fan of, because they can be stolen without you noticing. With password you have to enter it in an untrusted environment, which takes more effort to setup. Also biometrics cannot easily be changed if they leak. And they also change with time and events involuntary and some people even have identical biometric data.
> I assumed we were talking about web passwords given that is the only scope FIDO2/passkeys cover.
The discussion started with wanting to replace all passwords.
IMO, 2FA via hardware key etc. next to a password/PIN it great, but IMO some kind of proof of knowledge can not be replaced by just a proof of possession.
If using it as a security key (with a password) you don't need to give the device anything but a tap usually.
However, if you use a Yubikey or Trezor for example as a Passkey (No Password), you have to enter a pin on either (Yubikey via OS and Trezor on device) before they will fulfil the request and log you in.
> However, if you use a Yubikey or Trezor for example as a Passkey (No Password), you have to enter a pin on either (Yubikey via OS and Trezor on device) before they will fulfil the request and log you in.
Personally I consider a PIN, password or passphrase the same thing, just different rules. It is security based on knowledge. So If I enter a PIN somewhere it is still a password. IMO this is fine.
