this post was submitted on 16 Oct 2024
202 points (85.8% liked)

Technology

58698 readers
3969 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
(page 2) 50 comments
[–] [email protected] 77 points 1 day ago* (last edited 18 hours ago) (8 children)

The problem with passkeys is that they're essentially a halfway house to a password manager, but tied to a specific platform in ways that aren't obvious to a user at all, and liable to easily leave them unable to access their accounts.

Agreed, in its current state I wouldn't teach someone less technically inclined to solely rely on passkeys saved by the default platform if you plan on using different devices; it just leads to trouble.

If you're going to teach someone how to deal with all of this, and all the potential pitfalls that might lock them out of your service, you almost might as well teach them how to use a cross-platform password manager.

Using a password manager is still the solution. Pick one where your passkeys can be saved and most of the author's problems are solved.

The only thing that remains is how to log in if you are not on a device you own (and don't have the password manager). The author mentions it: the QR code approach for cross-device sign-in. I don't think it's cumbersome, I think it's actually a great and foolproof way to sign in. I have yet to find a website which implements it though (Edit: Might be my specific setup's fault).

[–] [email protected] 21 points 22 hours ago (1 children)

People will pick the corporate options that are shoved in their faces, not the sensible open source user-respecting ones.

Vendor lock-in will happen if we adopt passkeys as they are right now.

[–] [email protected] 10 points 20 hours ago (5 children)

Bitwarden just announced a consortium with Apple, Google, 1Password, etc. to create a secure import/export format for credentials, spurred by the need for passkeys to be portable between password managers (but it also works for passwords and other credential types).

[–] [email protected] 7 points 17 hours ago* (last edited 17 hours ago)

I'm definitely holding off on passkeys until that project is finished. I also don't want vendor lock-in, and while that seems like the solution, it seems like they just started working on it.

[–] [email protected] 10 points 18 hours ago* (last edited 18 hours ago)

I do think that we need more standard procedures around what a reset/authorize new device looks like in a passkey world. There's a lot about that process that just seems like it's up to the implementer. But I don't think that invalidates passkeys as a whole, and most people are going to have access to their mobile device for 2 factor no matter where they are.

Incidentally I have no idea who this is or whether his opinion should be lent more weight.

[–] conciselyverbose 35 points 23 hours ago (2 children)

His "just use email" like that isn't very obviously worse in every respect kind of undermines his whole premise.

[–] [email protected] 13 points 20 hours ago (1 children)

His whole premise is undermined by him not doing any research on the topic before deciding to write a blog post. Proton passkeys for instance, are cross platform, and the ability to transfer passkeys between devices is one of the features being worked on by the other providers.

[–] [email protected] 3 points 16 hours ago (1 children)

Yeah... Why are articles like this being upvoted... I expected better from lemmy

[–] [email protected] 2 points 14 hours ago

This is the “Technology” community which isn’t for people who are actually tech-savvy in any functional way, it’s just for gadget-head laymen.

[–] [email protected] 13 points 20 hours ago* (last edited 20 hours ago) (2 children)

Whenever I read an article about security (and read the comments, even here on Lemmy) I'm constantly frustrated and depressed by a couple of things.

  1. Corporations making things shittier with the intention of locking customers in to their stupid proprietary ecosystem. And of course, they are always seeking more data harvesting. Security itself is way down the list of their priories, if it's even there at all.

  2. Users being lazy trend-followers who quickly sacrifice their security on the altar of convenience and whatever shiny new FOMO thing is offered up for "better security".

It's a very bad combination. Doing security right is a bit inconvenient (which users hate) and expensive (which corporations hate).

[–] [email protected] 18 points 22 hours ago (1 children)

I wish all sites using 2FA would just support hardware keys instead of authenticator apps. It's so much easier to login to a site by just plugging in my hardware key and tapping its button, than going to my authenticator app and typing over some code within a certain time.

It's even simpler than email 2FA or SMS 2FA or vendor app 2FA.

For an authenticator app you also can't easily add more devices unless you share the database, which is bad for security. For a hardware security key you can just add the key as an additional 2FA, if the site allows it.

[–] [email protected] 3 points 15 hours ago (1 children)

Agreed, my main issues with hardware keys are that so few sites support them, and the OS support is kinda bad; in Windows, for example, the window pops up underneath everything and sometimes requires a PIN to be entered.

I also hate that when I last looked nobody made a key that supports USB-C, USB-A, and NFC. So now I've got an awkward adapter I need to carry on my keychain.

[–] [email protected] 1 points 11 hours ago (1 children)

Yeah, it's truly a shame almost no site other than Google and GitHub supports hardware security keys.

For your case you would probably want a YubiKey 5C and then a USB-C to USB-A adapter, yeah. I wish for a USB-A and C and NFC one as well.

[–] [email protected] 26 points 1 day ago (10 children)

There was related news recently that Bitwarden and other pw managers will be able to sync passkeys between devices. Won't that solve these issues?

[–] [email protected] 30 points 1 day ago (9 children)

My thoughts exactly. I use Bitwarden and passkeys sync flawlessly between my devices. Password managers tied to a device or ecosystem are stupid and people shouldn't use them. This is true whether you use passwords or passkeys.

That said, we cannot blame users for bad UX that some platforms and some devs provide.

[–] [email protected] 14 points 23 hours ago (5 children)

I thought passkeys were supposed to be a hardware device?

This is typical embrace/extend/extinguish behavior from the large platforms that don't want their web-SSO hegemony challenged because it would mean less data collection and less vendor lock-in.

The whole idea of passkeys provided by an online platform should have been ruled out by the specification. It completely defeats the purpose of passkeys, which is that the user has everything they need to authenticate themselves.
