If I install all my private-passkeys onto my phone, then I have a new problem of Lost, Stolen, Broken to deal with. I’m device agnostic, I want to get to my account from my phone, tablet, laptop, desktop, all I’m doing is spreading the exposure out by needing to install passkeys everywhere.
Microsoft will probably tell you that the Microsoft Authenticator supports syncing, so you should set it up on a backup device.
This has several problems though, one of them being that they assume you have at least two mobile devices (let's say a phone and a tablet) and another that they assume the OS you run on both your devices is the same. They do not support migrating you passwords between Android and iOS for example!
I love that the "big guys" get to support syncing passkeys between devices... but others don't (wasn't it KeePas who had issues where they were threatened by being blocked from supporting that - https://github.com/keepassxreboot/keepassxc/issues/10407#iss... )
Microsoft's interesting approach here with Authenticator is that they don't expect you to trust one cloud with all your credentials, they are hoping that you can trust two clouds with partial information. They've (allegedly) got some variant of Shamir's Sharing where some of the data is encrypted in OneDrive and some of it is encrypted in iCloud or Google Drive depending on which phone you use. That's (supposed to be) why there is that "phone-type lock-in" on the automatic backups/transfers because the cloud with the most phone-native/device-specific encryption is phone-vendor dependent today.
Do you trust VPNs? Because they are the same idea with a slight twist. VPNs encrypt data before it leaves your computer and decrypts it when it arrives at the destination.
1Password and the like encrypt data before it leaves your computer, stores it for however long you want, and then decrypts it when it the data is copied to your computer.
Another option is to use a password manager that supports passkeys, such as BitWarden. You can even host it locally, behind a VPN, if you don't trust the threat modelling of their hosted version.
Then, it's a case of installing BitWarden on any devices you want to use to login, protected with a strong password and 2FA.
With a password manager storing unique passwords, your password is still being sent over the network to that website each time you log in.
With a password manager storing passkeys, your private passkey is not transmitted as part of the website request. It can't be intercepted or accidentally/negligently stored in plaintext in a database or server logs.
You still have to trust the secure syncing of your passkeys, just like you do with passwords, but there are still fewer threat vectors than with passwords.
It’s more than you think: if I can convince you to type in your Google password at g00gl3.com I can turn around and use that password for the real server. Passkeys block that attack.
So they couldn't convince everyone to give up their privacy and use Facebook or Google to track our logins to other websites via "Login With", and this is a new way?
If by new you mean a completely different mechanism which does not share the privacy considerations of a single sign on service, yes. If you care about privacy, passkeys are a much better option.
1. Passkeys are unique, so no more password stuffing attacks.
2. Passkeys can't be to short, in contrast to passwords
Passkeys essentially remove almost all risks for websites and moves them to the user (lost passkey, attacks on their password managers). It is not perfect, but it removes a lot of problems that we have right now (like more than a billion leaked passwords in the wild)
So it adds no value over the long, randomly generated passwords from a password manager besides making a new standard and giving Microsoft a reason to push a new dark pattern on users to force higher uptake rates of this new, bespoke standard with limited support?
When you log into a site with a password, you're needing to transmit your actual password over the wire. Sure, you'll hopefully have encryption when sending that credential over, but in the end you'll be exchanging your actual password with some remote service. That remote service might be misconfigured, it might be misdesigned, it might be under attacker control. Now they have your whole credential.
A passkey doesn't transmit your actual, full, repeatable credential over the wire. It's a challenge-response protocol, so only that one authenticated session would be intercepted. Kill all questionable sessions and you're good, they're not reusing it.
> randomly generated passwords from a password manager
are impossible to enforce. If you present users with password field, a sizable percentage of them will just manually type in the same weak, compromised password that they've used on every other site they've ever created an account on in their life. Passkeys are much harder to misuse. That's where 99% of their value is.
Yes there are also other advantages, like the fact that passkeys use public key cryptography, but those are tiny compared to the human factors improvements.
Passkeys include a key that the website you're logging in to holds, if a site can't present that key then the passkey doesn't work, meaning phishing attacks no longer work because 0utlook.com doesn't have the key that outlook.com holds.
It's a standard supported by multiple parties, not just Microsoft, including multiple open source password managers.
And it does provide some benefits: phishing protection (no shared secret that can be intercepted or given to the wrong party) and the service does not need to store as much sensitive information (don't need password hashes that could be leaked and cracked, just a public key).
Device attestation to allow blocking "undesirable" devices from authenticating and lock in purposes.
*keypass was working on an export feature and there were already threats to use the attestation club to ban them from the landscape for not falling in line
I found this out in October when trying to figure out this complaint.
timcappalli from FIDO Alliance mentioned in that above thread that plain text exports shouldn't be allowed, and that password managers/providers should be blocked if they implement plain text export.
Since that thread, there's a new spec that allows users to securely migrate passkeys from one provider to another, but no way to export to plain text (for debug purposes, or if there's a bug in the export/import and you need to troubleshoot, etc).
For me, threatening to block providers for implementing a feature that I desire is a great way for me to lose all interest in passkeys completely. I don't trust FIDO Alliance to make the right call nor do I trust big tech companies to produce bug-free software.
This very much falls into the same box as “not your keys, not your crypto”: if you’re forced to trust someone else to manage the keys for you then they have them - necessarily, in order to permit “transfer” (under this scheme, not everything) to another party - in plaintext, while you’re not allowed to “for your own good”, then you’ve lost it all.
They can:
1. Impersonate you, gaining access to anything your keys unlock
1.a. Impersonate you, claiming to be you in a violation of “key use enables non-repudiation”
2. Deny you the ability to use your keys
2.a. Change any of your keys, locking you out of things
3. Deny you the ability to transfer your keys to anyone they “don’t like”
3. Provide your keys to anyone else, e.g. “with a court order”
3.a. Anyone “benefitting” under (3) can then do (1(a))
…and surely more Bad Things.
Every single time “passkeys” seems to like “okay, maybe”… some fucktards pull another one of these.
Then I go, “okay, ssh keys, PIV, or whatever else is Just Fine, and these people who are either state agents, idiots, or power hungry idiots working to advance total control over humans with lack of freedom and no way back can go die, or as an alternative be sentenced to serious computer-things-reeducation”. …and I kinda mean it. There are certain things you just don’t come back from, as a society, etc. and I just won’t support it. You only get one chance not to.
Passwords are also a standard supported by pretty much everyone, and password managers (including those built into browsers) already generate long, unique, phishing resistant (it only prompts on the matching domain) passwords.
The main difference I see with passkeys from a usability standpoint is that Firefox doesn't have built-in support for a software implementation, making them literally unusable for me.
Firefox does support passkeys but their native implementation is behind a feature flag. Beyond that Firefox add-ons (such as those for password managers) can enable support for their own purposes.
For example 1Password can be used for passkeys in Firefox.
I can't find that option's documentation. Do you have a link? The only documentation I've seen indicates that they only support hardware devices, and I don't own one.
~90% of people who are presented with a password input field are not and never will be "password manager users". 100% of people presented with a passkey prompt are, because the very nature of passkeys is that they're stored in what is effectively a password manager.
Ah, I think I misunderstood that comment. From a global perspective "the benefit" compared to using passwords in a password manager is indeed exactly what I said, but I guess that user was asking more about the personal benefit on an individual level.
From that perspective it just makes the UX slightly smoother and makes it impossible for the site to screw up and leak your plaintext creds. Other than that yeah there's not a big difference compared to using an autofilled, unique, randomly generated password. Which is good, because eventually sites are going to start phasing out that latter option for the exact reasons I outlined in my previous comment.
>> Passkeys are unique, so no more password stuffing attacks.
> Just like passwords. What is the difference ?
>> Passkeys can't be to short, in contrast to passwords
> So a "long password" is a "passkey" ?
Of course not.
Passkeys are effectively just key pairs defined by a FIDO standard. It’s much more productive to think of passkeys as mutual certificate authentication designed for use by the masses.
If you’ve ever used a Yubikey for primary authentication, you’ve already used a passkey.
I really don't know how you're able to come up with the idea, that passwords are unique. They are in no aspect whatsoever unique. You as a user can try to use passwords, that are unique to you. That doesn't (can't and shouldn't) mean, that those passwords are unique against the database of a website, or other services.
Yes, the problem exists in multiple "places" and all schemes are
different balances.
There are many different kinds of "security". Each suits different
needs, or addresses different threats. Not all are based upon
"identity" as a central concept. Not all are based on secrets. For
those that are, changing your secret from something you know to
something you own merely shifts a locus of trust and mode of use.
Passkeys (and ssh keys with passphrase) are a good solution in some
cases, where you use multiple end points which may be compromised. But
they are no better (and less flexible) than challenge response and one
time passwords and other elaborate password schemes that are a
superior access control secret in other situations [0].
The problem is that most people don't understand the quite subtle
interplay of factors. This is one area of cybersecurity education I'm
spending more time on because regulations are going to place more
emphasis on making good security choices (and not just accepting
vendor defaults).
Microsoft unilaterally deciding it thinks it knows what is "best " for
you accords with its clumsy patrician over-reach, and cover for a
pitiful security record in its products.
Perhaps one of the most important meta-security factors is that you be
able to select products that allow you to choose your security
parameters and how they interact as your situation and access habits
change. But that responsibility requires understanding.
I mean, same with passwords, right? If you enter your password on a compromised device or you forget it, you are screwed. Which is what password managers (or passkey managers, or perhaps we could use a new term like "credential managers") help you with. Syncing, preventing unauthorised access (for example requiring your biometrics, main password or similar), backing up...
You can write down your password anywhere and copy it to any other piece of paper at any time. You don’t need certain brands of paper blessed by a consortium, or have restrictions even when copying to a blessed brand of paper.
The only reason you care about copying your password is because it's usually (always?) the only credentials you have for a service.
This isn't true of webauthn/passkeys. The number of use cases where you need to "make a copy of " or "backup" your passkeys is zero. I get that some providers let you do this for some level of convenience, but you can opt out of this and just enrol multiple distinct credentials with each service.
Unless you want to re-log into and re-enroll every service you ever signed up for when you get a new device (which is when lots of people get rid of their old device, it’s even what device manufacturers recommend, see trade-in prompts when you buy a new phone), you do need to migrate credentials.
> The number of use cases where you need to "make a copy of " or "backup" your passkeys is zero.
That just tells me you haven’t thought about the problem at all.
