The big thing missing from the article is how a device that contains many passkeys is any different from a password manager that enforces security settings. I don’t worry about passwords my password manager generates getting compromised because I use at least 24 random characters (assuming my password manager is using a cryptographically secure PRNG that guarantees some level of randomness, giving us more than 128 bits). Assuming I use that to manage the password to my email, I really only have to worry about my password manager key being compromised. I only used my password manager on trusted devices so I really only have to worry about my trusted devices being compromised.
If I use passkeys, I have to worry about my trusted devices being compromised. According to the article, “as long as you can remember your phone password, you can log in to your accounts.” That sounds like my password manager. The other benefits also sound like a combination of my password manager and privacy focus. I’m not saying this is bad; I just don’t see how it’s different from a security-conscious status quo.
Passwords are still leakable, guessable, and can be phished. Passkeys are “second-factor-only”: your device responds to a challenge and acts in a similar capacity to a yubikey. The private keys contain much more entropy than a password, never leave the device, and the challenges and responses are both signed with site-specific keys so they can’t be phished. So from a security perspective, a lot is gained.
From a user perspective, instead of trying to get the dang webform to autofill, I just smile for a second and become authenticated.
Until you lose the device. Or you're given security codes and those are again, leakable and guessable. No normal user is going to accept their phone being stolen and losing access to their bank account. It's bitcoin as unregulated fiat levels of wishful thinking
"Leakable" isn't a purely negative property. It's the same thing you can use to provide access to a trusted spouse, and ensures a trivial solution to the "lost device" problem when traveling.
I was enthused when it first got added to KeypassXC but after a few attempts I couldn't get it working and haven't bothered since. Something fundamentally isn't quite working here and I am not a big fan of the workflow for them its entirely out of my hands and I am not a fan of that.
Okay. Maybe discuss this with whoever develops your password manager. The tone of your reply has me thinking that you’re using an open-source password manager. Maybe they’ll accept a PR from you?
Passkeys are supported by my password manager of choice, in the OSs that I care about.
I wish first and foremost that all my accounts could support passkeys/passwordless sign ins instead of only like 12/60.
My second wish would be that passkeys should be as easy to work with as ssh keys. Somehow, they tend to be more complicated. Asking you if you want to use your phone or security key (when you have neither, you are using a password manager) and often failing to immediately detect your preferred method of storing them, defaulting to Google, Microsoft, or Apple's solutions.
Passkeys are not a panacea. They're an amalgam of multiple standards that half the time aren't implemented right or not fully supported. It's the industry's attempt to design-by-committee a one-size-fits all solution to many, many different problems. News flash: one-size-fits-all fits nobody well.
Passwords are a perfectly fine single factor. Add more factors to get more security, in specific use cases where they make sense. Passkeys don't fill the use case that a single-factor like passwords do.
Password Managers are also perfectly fine when combined with multiple factors and attack mitigations (and are certainly no worse than Passkeys we have now, key access managed by a central piece of software/key control/authorization). They solve many different use cases without breaking others. They're customizable, and not overly-dependent on standards. They are a loosely-coupled interface. They can be synchronized for multiple device/site access. They can be upgraded to support an infinite amount of security mechanisms. They can be changed in backwards-compatible ways, and they don't force one-size-fits-all on anybody. They even support Passkeys without forcing you to use them (though of course lots of Passkey software ignores the fact that you might have a password manager, and forces you to use the browser's Passkey store or nothing).
You want to uniquely identify a device? Fingerprint it on login. Having a separate passkey per device isn't any better, because if the attacker can get the device fingerprint, they can also probably get the passkey, because they have access to the device. And password reset still has to be a thing, because we all lose devices, backup codes, etc, so it's not like there isn't an easier attack anyway.
How is the passkey that much better than client-side certificates from 15 years ago? That was abandoned because of all the problems around key management; and now you want to bring back key management?!
Please stop trying to solve a problem by creating more problems. This is all about use cases. Just let users, and companies, decide what use cases they'll support. Don't force everyone to use a crap solution just because it makes big corporations happy.
The article praises passkeys for not even needing email for login, but omits to mention recovery flow. How do you recover your account if you lost your access to the passkey provider, and you didn't provide an email address?
So, I think "not even needing email" is unlikely for foreseeable future, unless we find other ways to authenticate people reliably.
The article glosses over much more than that. Everything towards the end feels like provided talking points without the same scrutiny that the current situation is given.
A password, and extra secret information on things like my bank account have always worked well for me. I simply cannot stand 2FA using a smartphone. Why? Because I don't have or want one. Luckily, my bank allows use of a landline for 2FA, which works perfectly, but I dread the day they stop supporting it.
Also, the whole bloody thing with passwords is noxious. I don't want to login to your site, I just want to read some stuff.
They're screwed, but that already happens. You have no idea how many people lose their phone or forget some password and just get a new phone/account, without trying to recover the old one.
Parents who lost their child's photos and are like oh well.
Assuming a normal user doesn't use the same password everywhere (which means everyone already knows their password), the alternative is saving them. Lost password or lost passkey doesn't make much difference.
Computing literacy is low so people will just suffer the consequences.
All of the major implementations sync across all of your devices and use recovery codes as part of the setup process. Apple’s implementation is designed to cover loss of all devices, and I’d assume the others are similar:
The key thing to understand is that passkeys are not intended to be as secure as hardware tokens but to be more secure than traditional passwords with phishing-friendly MFA. That allows them to offer better recovery options but might not be good enough if you are the target of a serious actor.
Readit News
If I use passkeys, I have to worry about my trusted devices being compromised. According to the article, “as long as you can remember your phone password, you can log in to your accounts.” That sounds like my password manager. The other benefits also sound like a combination of my password manager and privacy focus. I’m not saying this is bad; I just don’t see how it’s different from a security-conscious status quo.
From a user perspective, instead of trying to get the dang webform to autofill, I just smile for a second and become authenticated.
for now phone hacked = say goodbye to work,banking etc is not ideal yes but in the future where you can implant chips under skin??? now we talking
Dead Comment
Passkeys are supported by my password manager of choice, in the OSs that I care about.
My second wish would be that passkeys should be as easy to work with as ssh keys. Somehow, they tend to be more complicated. Asking you if you want to use your phone or security key (when you have neither, you are using a password manager) and often failing to immediately detect your preferred method of storing them, defaulting to Google, Microsoft, or Apple's solutions.
Passwords are a perfectly fine single factor. Add more factors to get more security, in specific use cases where they make sense. Passkeys don't fill the use case that a single-factor like passwords do.
Password Managers are also perfectly fine when combined with multiple factors and attack mitigations (and are certainly no worse than Passkeys we have now, key access managed by a central piece of software/key control/authorization). They solve many different use cases without breaking others. They're customizable, and not overly-dependent on standards. They are a loosely-coupled interface. They can be synchronized for multiple device/site access. They can be upgraded to support an infinite amount of security mechanisms. They can be changed in backwards-compatible ways, and they don't force one-size-fits-all on anybody. They even support Passkeys without forcing you to use them (though of course lots of Passkey software ignores the fact that you might have a password manager, and forces you to use the browser's Passkey store or nothing).
You want to uniquely identify a device? Fingerprint it on login. Having a separate passkey per device isn't any better, because if the attacker can get the device fingerprint, they can also probably get the passkey, because they have access to the device. And password reset still has to be a thing, because we all lose devices, backup codes, etc, so it's not like there isn't an easier attack anyway.
How is the passkey that much better than client-side certificates from 15 years ago? That was abandoned because of all the problems around key management; and now you want to bring back key management?!
Please stop trying to solve a problem by creating more problems. This is all about use cases. Just let users, and companies, decide what use cases they'll support. Don't force everyone to use a crap solution just because it makes big corporations happy.
So, I think "not even needing email" is unlikely for foreseeable future, unless we find other ways to authenticate people reliably.
Also, the whole bloody thing with passwords is noxious. I don't want to login to your site, I just want to read some stuff.
https://www.grc.com/sqrl/sqrl.htm
I'm talking about normal users, without backups.
Parents who lost their child's photos and are like oh well.
Assuming a normal user doesn't use the same password everywhere (which means everyone already knows their password), the alternative is saving them. Lost password or lost passkey doesn't make much difference.
Computing literacy is low so people will just suffer the consequences.
For this reason, at the huge providers, when you enable 2FA (or Passkeys) you usually have to set up a recovery buddy account or something like it.
Getting a new sim card with the same number is easy, you just go to your mobile provider with your ID card, and you're done in five minutes.
I mean still... the article mentions a "single point of failure" as a bad thing with other methods, but forgets about it here.
https://support.apple.com/guide/security/escrow-security-for...
The key thing to understand is that passkeys are not intended to be as secure as hardware tokens but to be more secure than traditional passwords with phishing-friendly MFA. That allows them to offer better recovery options but might not be good enough if you are the target of a serious actor.
Deleted Comment