What I don't understand with the push for passkeys, is that for years we have been told we need at least two factors for secure authentication, something we have and something we know.
Now with passkeys, it seems we are just throwing all those arguments overboard and are saying 1 factor (something you have, e.g. hardware device) is enough. I've not read anywhere a good argument why.
Sometimes people have been arguing that the passkey should still be locked into e.g. another password manager with password, but that doesn't seem to be the case with most implementations, am I missing something?
Passkeys are basically just asymmetric encryption. When you create a passkey, you upload the public key to the website, and the private key stays on your device.
That greatly reduces your risk if/when credentials gets leaked from the site in question. Public keys are meant to be public, and worthless by themselves.
As for your private key, that usually ends up in a secure enclave or similar HSM, which in turn is protected by a pin code and face or fingerprints.
The private key then becomes "something you know", and your biometrics are "something you have".
Client certificates have existed for basically as long as encryption. Passkeys are more than that, and that is a crucial point. They allow to verify the identity of the signing device, and allow access only if the device is "legitimate" from the point of view of the remote service. That is a very big encroachment on the user's privacy and freedoms and a new very big step in the process of tying everything even more tightly to accounts and devices controlled by the big service providers and making it more difficult to get out or to enter the market for new actors.
Think Trusted Computing. Soon it will be impossible to log in to some media streaming platform, for example, if you don't have a passkey sanctioned by an OS with a TPM. Then everything will be locked in and the only flaw will be our eyes and our ears.
Absolutely, passkeys couple a trusted device (typically a phone with HSM) with asymmetric encryption.
HSM ensures that the device is actually the device it claims to be, as the key cannot leave the device, and by coupling it with biometrics, which is authentication, you prove to the device you are who you claim to be.
So by the device authenticating you, the device by extension can authenticate you against the remote site using a cryptographic challenge.
There is no vendor lock in however. You can use a password manager like 1Password to store passkeys, or even Apples keychain supports synchronizing the passkey across devices (including windows). KeepassX also supports passkeys, so it’s not limited to official vendors like TPM.
As for HSM, you can also use something like a Yubikey.
I was wondering why I couldn't just use a client cert (or better yet my ssh keys) and figured it would be something like that. It turns out I was right to invest zero time or energy figuring it out.
If this weren't hackernews I'd call you a bad name for wasting my time like that. Until and unless I can just give you my ssh key I won't touch this with a ten foot pole.
Actually, all three factors are things you know: Your password is something you know. The private key on the security processor is something you know. And your scan of your fingerprint is something you know.
Well, biometrics usually act as a proxy for PIN codes, so the PIN code is something you know, the private key is something you have, and biometrics is authentication.
You are a human, and humans have permanent fingerprints. The difference between "something you have" and "something you are" is that you can regenerate the former, but not the latter.
I believe they were referring to the fact that you can't hit a button and generate new fingerprints for yourself. The ones you have are with you forever, generally.
There’s a slight improvement in that the passkey will only transmit to the correct website. Cannot select and fill it to the wrong domain.
But other than that I agree. Especially now that these synchronise with iCloud, BitWarden, etc seems a no brainer you can just steal these and access everyone’s accounts in many cases with no extra 2nd factor.
> Now with passkeys, it seems we are just throwing all those arguments overboard and are saying 1 factor (something you have, e.g. hardware device) is enough.
That was my initial reaction too. I think the assumption is that the second factor is what-ever you use to unlock your device (a “something you know” if that is a password/pasphrase or “something you are” if that is biometrics).
I'm not convinced any of it is as more secure than user+pass as is being claimed. passkeys being device/AU dependent adds a bit of hardship to someone trying to hack your account, but people seem to be suggesting sharing passkeys between devices/AUs using their pasword managers which nullifies that effect?
My view with passkeys was basically that they force the use of a password manager (even if that manager is mostly invisible to the user). The password manager is something you have and you unlock it with something you know or something you are (biometrics).
That said, I don’t like them. I don’t really understand what happens when I run into edge cases, and that makes me nervous. That’s also true for 2FA in many cases.
So far my only passkey is for Amazon, I felt tricked into it, which I’m not happy about, though my password also still works. I’m opposed to this about as much as forced 2FA. I understand the security aspect, it Gmail randomly started to use their mobile app for 2FA, and now I’m afraid if I delete the app from my phone I’ll be locked out of my account, with the potential for excessive hoop jumping to get it back.
I read an article a while ago with the ultimately conclusion that passkeys don’t offer a major benefit to people who already use long, complex, unique passwords in a password manager. If this is the case, it seems this whole push is designed for people with terrible password habits, who definitely don’t understand what’s going on with passkeys, and I expect will find out once they hit an edge case and end up in a bad spot.
The article is wrong: users copy passwords from their password manager into the website if the autofill doesn't work => phishing. Can't do this with passkeys.
Agree with your other points, the whole passkey story is undeveloped and unclear yet.
There are many non-phishing times my password manager fails to autofill. That’s a problem, as it does lead people to get lazy. However, it will show the login, that I’m on the right site, it just won’t fill it. In these situations, I do end up copy/pasting it in. It’s my only option. If passkeys break in this way, for whatever reason, you’re just screwed.
There are also times when companies change their URL. Or their app using a different URL for their auth API than the website URL. If it’s obvious, the new URL can be added to the password manager to fix this. If it’s an API the user can’t see, this is much more difficult, especially if using a 3rd party password manager, it’s basically impossible. The only thing that made me aware of this, was when Apple introduced their password management and I could see all the login data if saved from various app. All kinds of URLs that were otherwise invisible to me.
What happens to a passkey in this case? Make a new account, start over?
Passkeys are quite disappointing in practice. I feel like they were described as ssh keys for website logins but they seem to be half-baked. Accessibility concerns and vendor lock-in are certainly an issue.
Definitely stick to keeping passwords and passkeys in a password manager for portability. KeepassXC and Bitwarden (which can be self-hosted) work best for this in my opinion.
I’m now not sure if there was an edit or if my brain inserted a word. When I replied, I thought I read that they were saying to keep passwords and passkeys in separate password managers, but maybe I’m just going crazy.
Now with passkeys, it seems we are just throwing all those arguments overboard and are saying 1 factor (something you have, e.g. hardware device) is enough. I've not read anywhere a good argument why.
Sometimes people have been arguing that the passkey should still be locked into e.g. another password manager with password, but that doesn't seem to be the case with most implementations, am I missing something?