Take your passkey and shove it where the sun don't shine

Uhhh... Can someone ELI18 to me the problem with passkeys? I use them wherever available and find them very convenient.
- Yeah i can sum it up for you

Has this energy...

I have the opposite situation, I bought yubikeys but nobody supports them.
- Indeed. Why so many recommend them I have no idea.
  Honestly, if you have a password manager that supports security keys then buy two cheap keys (one for backup) like the Thetis FIDO U2F Security Key and use those to secure your password vault. For everything else just use TOTP and Passkeys stored in your vault.
  I invested in Yubikeys and yes it was a waste.
  
  I'm getting ready to roll them out at work but it's basically exclusively for the password managers. Having a password manager and every account be unique isn't helpful if everyone's going to just use shit passwords for their password manager

You can store passkeys in your password manager lol

Remember when tap-to-pay was new and didn't work at a lot of places and some people were freaked out over it?
And now most of us use it without a 2nd thought.
I speculate passkeys will be like that.
- I'd use it if it didn't cost extra in my country. Swiping my card really isn't much harder
  
  Interesting, I didn't know it costs extra in some places. TIL.
  
  Wow that's madness

Passkeys are one exception to the familiar pattern of "we give you more SeCuRiTY so we can spy on you more and control your behaviour better". They actually are more secure. Problem is, a lot of technical issues with it still, a ton of stuff not working correctly yet
- I'm still appalled that my Yubikey / FIDO2 still doesnt work on Firefox. I have it as a passkey for GitHub, realized it doesnt work on Firefox, so they just prompt me for my password. That seems backwards to have password as a fallback, too.
  
  I think that's a you specific problem. Mine works fine with Firefox, and has for a good long while. Could anything be blocking it?
  
  I'm also having problems using passkeys (stored in Bitwarden) with Github in Firefox. It keeps prompting me to touch the security key, which I don't have, so I plain can't use a passkey for Github. Works perfectly for Google though

sure, you can use a passkey as a primary authentication, but only "a device" or "system"(keypass/1pass etc) knows the passkey detail. with only passkey, if my passkey provider/ device is compromised then everything is lost. having single factor auth seems like a bad idea.
a password is something that I can know, so is still useful as a protection mechanism. having two factor auth should include password and passkey, which seems entirely reasonable whilst also providing an easier path forward for people used to TOTP.

On the contrary i want more services using passkeys instead of 2fa methods that are less secure (sms).

Unless I've missed something big, passkeys are pretty easy for me if the website supports them imo.
Using KeePassXC, I click register on the website, register the passkey with KeePass, then it just works when I need to authenticate or login. My database is then synced across all my devices.
Passkey support is yet to come to KeePassDX on Android though, so I'll be awaiting that feature
- For me it's just inconvenient to have to type my computer's login, but the fingerprint on the phone is nice
  
  If you live in the USA, don't use fingerprints or any other biometrics. https://arstechnica.com/tech-policy/2024/04/cops-can-force-suspect-to-unlock-phone-with-thumbprint-us-court-rules/

ITT: people who think only SMS, email and TOTP exist as 2FA.
And people who think only your phone can be used as passkey.
- When those are the only options given by some services, yeh it kinda is. I'd love to be able to just use my flipper as a u2f for everything, but unfortunately most websites are all "no" and you have to use a chrome browser instead of Librewolf even when you could use a yubikey, so fine I guess text me, oh whoops I changed my number and I'm now locked out of my acct, cool.

Passkey is "something you own" right?
I have something I own, it's a Yubikey
- And how many sites support Yubikeys/Security Keys? Not many. I doubt we'll see more either now with Passkeys becoming more prominent.
  I have two Yubikeys and other than securing my password manager vault they are rarely used elsewhere.
- I thought passkeys had to be behind biometrics, so “own” + “are”?
  
  I don't think that's true.
  You can store them in keepassxc which can be accessed with a password.
  I think it's "have" + "know" or "are".
  So you have the device with the passkey, and know the unlock pin or are the person with the biometrics.
  
  How i interpretted it is that the biometrics provide access to the tpm which is like a built in yubikey you "own".

I'll use banks as an example
If they cared about your security there would not be a mobile app or website.
Hell, credit cards would still require a signature.
It's about cost first and foremost and then convenience.
Has nothing about you as a consumer. They don't give 2 shits about you as a consumer.
- I mean you're right about banks but your examples make no sense.
  Banks generally don't support 2fa, which is bad. Some banks (fidelity) still have character limits on passwords because they stores it in plaintext until recently so you could use it through the telephone system. They could implement a secure tap to pay system on your phones with enhanced security, rather than relying on Google to handle their job. And for credit cards themselves, switch to chip and pin.
  "Banks don't have mobile apps"?? "Signatures are secure"?????🤡
  
  How easy is it to fake a signature for a normal person who has not practiced a person's signature for the intent purpose of faking it? Have you ever tried faking your parents signature to get out of school? I have.
  Now the infrastructure required to adequately check signatures is not practical hence it doesn't exist. It's why we moved to pins. Pins are small and 2fa doesn't exist for banks because again it's about the bare minimum and they are out to make money and don't care about customers plus there's government safeguards in place specific to banking.
  I will continue to argue that going back in time signatures are infinitely more secure than a 4 digit pin let alone tap but we have traded security for convenience.
  Anyways full admit that I'm batshit crazy.
- Do you think signatures were at all secure? If they cared about security they'd do chip+pin like most civilized countries.
  
  With proper infrastructure yes signatures are extremely secure. But that proper infrastructure doesn't exist.

There's been a lot of pain in the attempt to portray it as "Just click the passkey button, and that's it! Your login is secured for life!"
No - Buddy. It is secured for this one specific device that I have biometric authentication for. What about my computer? What about my other computer that isn't on the same operating system? I have a password manager that stores these things, why didn't you save to that when I registered? Why is it trying to take this shit from my Apple Keychain when it's in Bitwarden?
And, the next ultra-big step: How would a non-techie figure this shit out?
- And, the next ultra-big step: How would a non-techie figure this shit out?
  They don't have a computer, another computer with a different OS, or bitwarden.
- For some people it is that easy.
  When it is saved to a cross-platform password manager, it is secured on all devices that password manager runs on including your computer on other operating systems. You can also choose other in the OS prompt & redirect to a device with your passkey or use a hardware security key (I don't). If your preferred password manager isn't the primary one on all your devices, then fix that or use the other option mentioned before.
  How would a non-techie figure this shit out?
  The same way they figure out passwords & multifactor. Their pain isn't ours for those who've figured this out & have a smooth experience.
  
  I mentioned Bitwarden in my comment, and my frustration specifically comes from occasions that I had Account X ready in Bitwarden, started up an app that relied on Account X, but loaded an HTML login page that had no discernable controls to use that Bitwarden passkey; expecting entirely for it to exist in my Apple keychain, which I never use.
  I think it's very easy to claim this specific app / account was not implementing passkeys well. But if that's the case, how can I guarantee any other accounts I move over won't fuck it up somewhere? I haven't seen anyone get the concept of passwords wrong, and even if they don't understand how managers work, I have control of the copy-paste function and can even type a password myself if needed.
- I use both Bitwarden and Apple's native Passwords.app and just save a passkey for each app. Usually you can name the passkey on the website/in the app as well.
  This is also the system I use when saving 2FA TOTP codes as well so I guess I'm used to it, but it makes good sense to me to have reduncancy in my password apps. Also I lock up the apps themselves with passkeys in the respective app for ease of use.
  :mastozany:
- And, the next ultra-big step: How would a non-techie figure this shit out?
  They wouldn't, because the people calling the shots in the tech world create UX with a focus on it sucking for everyone
- No - Buddy. It is secured for this one specific device that I have biometric authentication for. What about my computer? What about my other computer that isn't on the same operating system?
  Then use a Yubikey.
  
  I tried a yubikey but most websites want you to use the pin for that which requires windows hello, and if you reset windows you lose that.
  
  OnlyKey seems to be a better choice than Yubikey, from what I can see. The only reason I haven't switched is that I have a few accounts that I share with my partner, and I want to be sure that I can have two different keys work for the same account.
- This was roughly the state of affairs before but the state of things have relented where software password managers are now allowed to serve the purpose.
  So if a hardened security guy wants to only use his dedicated hardware token with registering backups, that's possible.
  If a layman wants to use Google password manager to just take care of it, that's fine too.
  Also much in between, using a phone instead of a yubikey like, using an offline password manager, etc.
- I have my passkeys saved in 1password. (With a yubikey as backup for important things).

The amount of people in this thread that don't understand passkeys surprises me. This is Lemmy. Aren't we the technical Linux nerds of the Internet?
- You understand that technical people often are the least likely to trust new technology and are often stuck in the mud when it comes to technology? Doubly so if you are anti-corporation. It seems anything that isn't the Unix way of doing things can be questioned.
  There is a good meme about people who love technology vs people who actually work with the stuff. The former using IoT devices to turn their lights on while the latter uses a light switch and has a gun in case the printer starts making weird noises.
  
  Good point, and I love that meme.
  
  It seems anything that isn’t the Unix way of doing things can be questioned.
  I think Unix is the thing that indirectly gets questioned most often, because everyone wants to be on the "right" side of how to unix things (see latest rust in kernel for a very recent example). When I think about it, unix alone feels like a recurring xkcd standards comic
- 2FA is just dead simple. I contact you, you contact me, handshake achieved. If you call me out of the blue I raise the alarm. If you get a login attempt with a failed handshake you raise the alarm.
  Putting it all behind a pop up screen just isn't trustworthy to the human brain.
  
  SMS 2FA is notoriously compromised by various means.
  
  TOTP 2FA is less secure than passkeys. 2FA TOTP keys can be phished. Passkey authentication cannot be phished. This is a security improvement which can make people completely immune to phishing attacks. That's huge. And it doesn't have any privacy risks, no loss of anonymity. It's an open standard.
  This is, objectively, a rare example of new technology which will make the world better and safer for us.
  
  Passkey is multifactor: something the user has (key), something the user is (biometric) or knowns (password) to unlock the key. Yes, dead simple.
  
  2FA is great, right up until you're also the victim of a sim swap attack.
- brb opening and feature request for passkeys in Lemmy
  edit: nevermind
- The synchronization part is the annoying part. And when you have multiple accounts on one site you can end up with multiple passkeys for it.

Passkeys are a great idea, but everyone involved seems like they want the process to be as much of a pain in the dick as possible. So until the industry pulls it's collective head out of its collective ass (not going to hold my breath on that one), it'll be passwords+2FA for me.
- It feels like everyone is trying to tie people to their platform. Oh, and also use the opportunity to force shit like "no custom ROMs or bootloader unlocking" on Android at the same time.
  
  Are custom ROMs or bootloader unlocking an issue for the passkey ecosystem? Not something I'd seen commented on yet.
- Jesus Christ, dude, that is exactly it.
  We're trying to implement passkeys at work and the testing has been an absolute nightmare. Literally have no control over the onboarding experience because each tech giant is clamoring over each other, interjecting into the process to be the "home" for your passkeys. It's bananas.
  When it's all set up, it's kinda great! But getting set up in the first place is an exercise in frustration.
  
  It's a chance for them to lock you (normies) into their platform forever. They're not going to give that up.
  
  Silly.
  Are they learning?
  Edit: my bet is the experience was so ridiculously frustrating, Chrome/Google actually saw some attrition - maybe enough people made Yahoo! Mail accounts that Google noticed
- I hate 2fa so much, I never thought they would come up with anything more irritating. Little did I know.
  
  I really like 2FA as long as it's TOTP and I can use an offline app or program for it. It just works and is very easy and secure.

My primary and backup yubikeys: "Am I a joke to you?"
- Of course, yubikeys implement passkey... Passkey is the new buzzword after lackluster success with the words used, webauthn...
  
  25 passkey limit on my Yubikey. I have to buy a new one, with the exact same hardware, just to get the latest firmware that allows 100 passkeys. No thanks.
  
  and thank god for that, i'd been saying for years, webauthn is great tech which will never be adopted by normal people, because it had an awful name. luckily we were able to just call OATH TOTP "two factor authentication" or that would have been totally DOA too. I got big hopes for passkeys!

Bitches don't know bout my awesome passkeys. It's like ssh key authentication for web apps. Just save the passkeys to my password manager & presto: use same keys on all my devices.
It replaces opening a TOTP app to copy a token with a click to select the passkey in a prompt from my password manager.
- Ancient meme

What's wrong with passkeys? I'm in love with passwordless sign-in with yubikey, so much easier and faster than password + totp
- It’s shitty user experience when forced to dig out my phone to authenticate myself to a site I barely give half a shit about.
  Like I wouldn’t even have an account if it wasn’t forced, and now you assholes want my phone too?
  
  I think you're describing SMS passcode, totp or other such factors.
  Passcode doesn't require phone necessarily, but you can use it too
  
  In store my passkeys in my password manager, which has a desktop app to access passkeys. What are you using that you have to always use your phone?
  
  Yes, extra security for your personal information is so irritating.
- I don't like how there isn't a nice, cross-platform and secure way to sync my keys. Not all services allow multiple keys to exist at once.
  
  Bitwarden syncs passkeys.
  
  The syncing of keys allows for much greater attack surface.
  Its being worked on right now but the standard hasn't been finalized yet.
  
  I mean I'm just using my yubikey for the keys, it's traveling in my pocket everywhere and use it on any platform
- Until sites start disallowing youbikeys because it doesn't make it impossible for you to backup your keys...
  What is planned to happen.
- Shouldn't you still need 2fa, and use the passkey as the second auth?
  
  The passkey is still protected with another factor, such as pin code or biometrics
  Like when I login to my account, I put the yubikey to usb port, then browser asks me to unlock it using pin code, then I'll touch the yubikey to confirm I'm in physical access to it, and only then it allows the authentication
  In practice this takes about 2 seconds

I use passkeys through 1Password and it’s vastly less irritating to me than anything involving passwords, especially 2fa. I really don’t like having to wait for email to arrive or copying down digits from a text message, which seems to be how 2fa typically works 90% of the time.

Passkeys are light years ahead of 2fA in user experience. Why do you dislike them?
Security based on devices is one of the positive innovations of smartphones and perhaps the only area where they've improved over the desktop experience.
- I very specifically don't want my security tied to my device. Trying to migrate to new phones, and keeping things synced between a phone, desktop, and laptop is why I long ago moved to a password manager. Now, especially in the phone space, getting passkeys to function fully with a password manager ranges from "pain in the ass" to "not actually possible".
  
  I had a botched phone battery replacement once resulting in the phone getting replaced very unexpectedly. It was a nightmare trying to get everything back together because I stupidly used google authenticator, which is tied to the specific phone it’s on. Not tying it to the device is the way to go.
  
  Bitwarden: “I’m literally right here”
  
  Heard of so many people losing their phone. Then they try to log into something and the company (quite often google) says "I don't give a fuck if you know your passwords I'm never letting you log into your account get fucked, don't call I won't answer"
- Why would I want security based on a device? What security this offers greater than a 64 chars password + 2FA?
  
  TOTP codes can be phished, hardware security keys and passkey can't
- Passkeys make plausible deniability more difficult. “This user name isn’t necessarily associated with my real world identity” permits some important good things.
  
  The kicker is this used to be solved with passwordless webauthn, the same standard, until some morons decided that resident keys were the way to go (they aren't)
  
  Passkeys use unique keys per site for that reason

I thought passkeys were supposed to be more secure?
- They're using the same standard as FIDO2 / WebAuthn hardware security keys. The protocol is phishing resistant, unlike TOTP and similar one time code solutions.
  I prefer the physical ones, because they're easy to organize. Passkey synchronization can be annoying.

I have no idea what a passkey is and I will probably only learn what it is when they become mandatory
I will just use passwords + 2FA for the moment
- Here is a demo you can try if you're so inclined
  
  I see, thanks. It mentions biometrics on that page. Maybe if my next laptop has a fingerprint reader then I should look into passkeys more.
- Passkey is essentially a branding of webauthn. Instead of typing some code that changes, you just do something with some sort of device or key manager.
  Plug in a yubikey and touch the button to authenticate. Easier.
  
  Interesting thanks. I will probably just stick with passwords + 2FA for the moment because I'm lazy. It would be cool to have something like a hardware key though.

It's not for your security, it's for the company's. People suuuuuuuuck when it comes to credentials.
- My company insists on expiring passwords every 28 days, and prevents reuse of the last 24 passwords. Passwords must be 14+ characters long, with forced minimum complexity requirements. All systems automatically lock or logout after 10 minutes of inactivity, so users are forced to type in their credentials frequently throughout the day.
  Yes people suck with creating decent credentials, but it's the company's security policies breeding that behavior.
  
  I don't get why people get upset at frequently expiring passwords. It's not hard: just write it on a postit note and stick it on your monitor.
  
  Tell them the NIST recommendations for password frequency changes have been really reduced in recent times because it pushes people into other bad password practices. Among all factors, changing the password frequently is the least important.
  
  My company insists on expiring passwords every 28 days, and prevents reuse of the last 24 passwords. Passwords must be 14+ characters long, with forced minimum complexity requirements.
  Outdated security practices & cargo culture. Someone should roll up a copy of NIST SP 800-63 to smack them over the head until they read it:
  The following requirements apply to passwords:
  Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
  Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
  Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
  Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
  Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
  Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
  Maybe ask them their security qualifications & whether they follow the latest security research & industry standards.
  
  Same. They also don't allow password managers and I have multiple systems that don't use my main password, so I have at least 5-6 work passwords for different systems.
  Nobody can remember all that.
  So everyone makes the simplest password they can (since it has to be regularly typed in) and writes it down somewhere so they don't forget it.
  
  And yet admin, 1234, test, etc. remain the most commonly 'hacked' passwords. Your company's policies may be annoying, but they certainly don't make you use unsafe passwords.

Passkeys are phishing resistant, or so they say... but the web app still needs to let you in with password + 2FA... So I'm not sure how much that's really worth.
I guess if the users are typically never seeing a 2FA prompt then it should be more suspicious when they see one?
- Passkeys are a replacement for passwords. Passwords don’t solve the problem of a lost password, and passkeys don’t solve the problem of a lost passkey. How a site deals with lost credentials is up to them. It doesn’t need to be password + 2FA.

I briefly looked into passkeys a while ago, but I think I remember really disliking them because they just seemed like another excuse for companies to lock you in.
Has this changed? With Bitwarden + passwords, I can change to any platform, any device, at any time, and instantly get all my creds moved over securely.
I don't want to be in a situation where I'm locked into using Android, Chrome, iOS, or whatever because I can't move my creds.
- Bitwarden has passkey support! Syncs too!
  
  Except for passkey login on Android app. For example Playstation app login with passkey won't work.
  
  Yeah I don’t think it’s the only password manager that allows PassKeys either. Plus, they’re more secure by design; the website never has to store anything that can be reversed to allow access. Bitwarden even lets you store multiple passkeys per site.
  I do hate how it’s promoted as “locked to your device” though but i imagine that’s because (unfortunately) password managers aren’t used by a majority of users.