“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.

  • nevemsenki@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    2 months ago

    If the passkeys aren’t managed by your devices fully offline then you’re just deeper into being hostage to a corporation.

    • unskilled5117@feddit.org
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      2 months ago

      The lock-in effect of passkeys is something that this protocol aims to solve though. The “only managed by your device” is what keeps us locked in, if there is no solution to export and import it on another device.

      The protocol aims to make it easy to import and export passkeys so you can switch to a different provider. This way you won’t be stuck if you create passkeys e.g. on an Apple device and want to switch to e.g. Bitwarden or an offline password manager like KeyPassXC

      The specifications are significant for a few reasons. CXP was created for passkeys and is meant to address a longstanding criticism that passkeys could contribute to user lock-in by making it prohibitively difficult for people to move between operating system vendors and types of devices. […] CXP aims to standardize the technical process for securely transferring them between platforms so users are free […].

      • nevemsenki@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        2 months ago

        That’s between platforms though. I like my stuff self-managed. Unless it provenly works with full offline solutions I’ll remain sceptical.

        • darklamer@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          I like my stuff self-managed.

          Bitwarden / Vaultwarden is a popular available working solution for self-hosting and self-managing passkeys (as well as passwords).

          • EngineerGaming@feddit.nl
            link
            fedilink
            English
            arrow-up
            0
            ·
            2 months ago

            TBH I don’t see a reason why something as simple as a password manager needs a server, selfhosted or not. I don’t get the obsession with syncing everything, so would rather stick with normal KeepassXC.

            • Synestine@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              2
              ·
              2 months ago

              Have you never lost your password device (phone, laptop, etc) suddenly and unexpectedly? That’s when you really want that file synced somewhere else. But then it’s too late. Bonus on many password vault servers is shared folders, so one can share their garage door code with the family but keep the bank account details to oneself.

              • EngineerGaming@feddit.nl
                link
                fedilink
                English
                arrow-up
                1
                ·
                edit-2
                2 months ago

                No, but this is very unlikely because I do keep regular backups manually. I just don’t feel the need for it to be a constantly-online server.

    • SirEDCaLot@lemmy.today
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      No it’s actually pretty simple. No containers. Your passkeys can be managed in the browser (Google Passwords), by a plug-in like BitWarden, or in a third party hardware device like YubiKey.

  • Aniki 🌱🌿@lemmings.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 months ago

    I’ll switch when it’s fully implemented in open source and only I am the one with the private key. Until then its just more corporate blowjobs with extra steps.

  • NateNate60@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 months ago

    I still have no idea how to use passkeys. It doesn’t seem obvious to the average user.

    I tried adding a passkey to an account, and all it does is cause a Firefox notification that says “touch your security key to continue with [website URL]”. It is not clear what to do next.

    • JackbyDev@programming.dev
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      After my password manager auto filled a password and logged me in the website said “Tired of remembering passwords? Want to add a passkey?” I didn’t know what it meant so I said no lol.

  • rickdg@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    2 months ago

    If you tell corporations there’s a way to increase lock-in and decrease account sharing, they’re gonna make it work.

    • umami_wasabi@lemmy.ml
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      One is a new technical specification called Credential Exchange Protocol (CXP) that will make passkeys portable between digital ecosystems, a feature that users have increasingly demanded.

      I.e. I can copy my key to my friends’ device.

        • umami_wasabi@lemmy.ml
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          2 months ago

          That’s not how Passkey, and the underlying WebAuthn works.

          (Highly simplifies but still a bit technical) During registration, your key and the service provider website interacts. Your key generated a private key locally that don’t get sent out, and it is the password you hold. The service provider instead get a puclic key which can be used to verifiy you hold the private key. When you login in, instead of sending the private key like passwords, the website sent something to your key, which needs to be signed with the private key, and they can verify the signature with the public key.

          The CXP allows you export the private key from a keystore to another securely. Service providers (Netflix) can’t do anything to stop that as it doesn’t hold anything meaningful, let alone a key (what key?), to stop the exchange.

      • rickdg@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        arrow-down
        1
        ·
        2 months ago

        I believe that’s Apple talking to Google, not anything local you can own.

        • 4am@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          Read the article, it’s literally about replacing Import/Export CSV plaintext unencrypted files with something more secure.

          I.e. moving your passwords/passkeys between password managers. This is not about replacing stuff like OAuth where one service securely authorizes a user for another.

  • Encrypt-Keeper@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    edit-2
    2 months ago

    ITT: Incredibly non-technical people who don’t have the first clue how Passkeys work but are convinced they’re bad due to imaginary problems that were addressed in this very article.

    • priapus@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      This is a weird thread. Lots of complaints about lock in and companies managing your keys, both of which are easily avoidable, the exact same way you’d do so with your passwords.

  • narc0tic_bird@lemm.ee
    link
    fedilink
    English
    arrow-up
    0
    ·
    2 months ago

    My password manager supports passkeys just fine, across Windows, macOS, Linux and iOS (and probably Android but I haven’t tried). Surprisingly, iOS integrates with the password manager so it’s usable just like their own solution and it works across the system (not just in the browser).

    This seems to be more about finding a standard way to export/import between different password managers/platforms?

    • trevor@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      Correct. The spec is about making it easier and more secure to export your passwords and passkeys when you move from one password manager to another. People are misunderstanding this as some sort of federated authentication system to share your credentials between multiple password managers at the same time, which it is not.

  • Gutless2615@ttrpg.network
    link
    fedilink
    English
    arrow-up
    0
    arrow-down
    1
    ·
    edit-2
    2 months ago

    Literally just use a password manager and 2/MFA. It’s not a problem. We have a solution.

    • shortwavesurfer@lemmy.zip
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      Actually, it is still a problem, because passwords are a shared secret between you and the server, which means the server has that secret in some sort of form. With passkeys, the server never has the secret.

      • Programmer Belch@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        0
        ·
        2 months ago

        Best password manager is offline password manager.

        KeepassXC makes a file with the passwords that is encrypted, sharing this file with a server is more secure than letting the server manage your passwords

        • hikaru755@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          This is not at all relevant to the comment you’re responding to. Your choice of password manager doesn’t change that whatever system you’re authenticating against still needs to have at least a hash of your password. That’s what passkeys are improving on here

      • Gutless2615@ttrpg.network
        link
        fedilink
        English
        arrow-up
        0
        ·
        2 months ago

        The shared secret with my Vaultwarden server? Add mfa and someone needs to explain to me how passkeys do anything more than saving one single solitary click.

        • 4am@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          When a website gets hacked they only find public keys, which are useless without the private keys.

          Private keys stored on a password manager are still more secure, as those services are (hopefully!) designed with security in mind from the beginning.

    • huginn@feddit.it
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      Never forget that technologically speaking you’re nothing like the average user. Only 1 in 3 users use password managers. Most people just remember 1 password and use it everywhere (or some other similarly weak setup).

      Not remembering passwords is a huge boon for most users, and passkeys are a very simple and secure way of handling it.

      • funkless_eck@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        I work for multiple organizations. The majority of which have a Google sheet with their passwords in that are

              c0mpanyname2018! 
        

        Those that aren’t are

               pandasar3cute123? 
        
        • Echo Dot@feddit.uk
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          2 months ago

          At one point the organization I work for had a password that was literally Password-022!, guess what it was the following month?

  • 2xsaiko@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    0
    arrow-down
    1
    ·
    2 months ago

    I’m not convinced this is a good idea. Resident keys as the primary mechanism were already a big mistake, syncing keys between devices was questionable at best (the original concept, which hardware keys still have, is the key can never be extracted), and now you’ve got this. One of the great parts about security keys (the original ones!) is that you authenticate devices instead of having a single secret shared between every device. This just seems like going further away from that in trying to engineer themselves out of the corner they got themselves into with bullshit decisions.

    Let me link this post again (written by the Kanidm developer). Passkeys: A Shattered Dream. I think it still holds up.

    • unskilled5117@feddit.org
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      2 months ago

      The author of your blog post comes to this conclusion:

      So do yourself a favour. Get something like bitwarden or if you like self hosting get vaultwarden. Let it generate your passwords and manage them. If you really want passkeys, put them in a password manager you control. But don’t use a platform controlled passkey store, and be very careful with security keys.

      The protocol (CXP) which the article is about, would allow you to export the passkeys from the “platform controlled passkey store” and import them into e.g. Bitwarden. So i would imagine the author being in favor of the protocol.