Passkey is some sort of specific unique key to a device allowing to use a pin on a device instead of the password. But which won’t work on another device.
Now I don’t know if that key can be stolen or not, or if it’s really more secure or not, as people have really unsecure pins.
Man, the amount of fearmongering and anti-Google rhetoric in this thread makes me sad. Passkeys are almost entirely a good thing and are supported by many big and small companies.
No, it won’t lock you into Google, it’s an open web standard. Google will have an Authenticator, Apple will, and third parties will spring up to support it as well. And there’s no lock in, you can get a new passkey when you want to switch devices or providers.
No, someone who gets access to your device can’t get access to everything if you have basic security hygeine. Secure your passkeys with a secondary password or use biometric authentication.
Yes, it’s almost a straight upgrade to text passwords. They are immune to phishing attacks and other social engineering tricks, and you don’t need to remember long strings of numbers and letters anymore.
Do your research people, sheesh.
This is starting to really get on my nerves, and I feel like discourse on the fediverse is worse; basically the attitude is that if it’s not FOSS and self-hosted, it’s shite. That attitude is fucking grating for the rest of us.
The irony is that it’s an open standard. There are FOSS implementations you can self-host. Server side, client side, soft token, hard token. Everything.
https://github.com/herrjemand/awesome-webauthn
People on this thread are just really ignorant, even self-proclaimed security experts.
This and if any business anywhere manages to reache a significant level of success — and has the nerve to charge money for their service — it’s a sign that capitalism doesn’t work and corporations are inherently evil.
I just assume it’s an age thing.
Big tech have done this to themselves
An online authentication system is quite literally the one central thing your whole digital life depends up on. If it’s broken, it can completely f’up your life and remove you from existence in the digital space. So there is extremely good reason to be skeptical when big-company tries to force you into a new thing. Especially when said big-companies have a history of f’n things up on purpose (remember G+ forcing real names on everybody and bundling previously unrelated accounts into one monolithic one?). Or take HTTPS, which was sold us with “bringing more security”, when what it actually did was kill large chunks of the open and self-hosted Web.
Are you seriously arguing against HTTPS?
Yes. It’s one of the major reasons why the Web turned into a cooperate controlled hellscape. Note, I am not arguing against encryption, just against HTTPS crappy implementation of it. It’s also going to get even worse with QUIC.
HTTPS is definitely not a major reason the web turned corporate. It has its problems for sure though.
Look at Gemini if you want an example of a decent web ecosystem that has HTTPS as a requirement for the protocol.
Gemini benefits from two things that the web has lost:
- small size: just like the web was once small, Gemini is still too small for any copos to consider it as an option to push their content or services although I believe there has been some small examples of this being tried.
- simple browser spec: Gemini benefits from having a number of browsers, none of which implement anything as interactive or insecure as JS(mime types other than gem text tend to be opened by other applications) and no one browser is influencing the spec for their own goals. This means all Gemini content is static once loaded by the client. No injected ads, no scraping of data and no hijacking of the tech by private companies.
It’s definitely more secure, since stealing someone’s phone is much more difficult to scale up compared to stealing passwords.
I don’t think that access to your personal data/email/files being dependent on a battery-powered electronic device is a great idea, to be honest.
My understanding of Apple Keychain is that every credential is useable from every device, and can be backed up and restored to a new device. Most importantly Apple doesn’t have access, although we have to trust them on that
That’s why they invented chargers, eh.
But more seriously, there are recovery procedures if you lose a phone with or without a backup and if you are willing to share the keys with a cloud provider, you can also store them there and use them on any of your devices.
Or you can get something like a yubikey if the battery aspect is really that problematic for you.
The fact is that I fail to see something obviously wrong with outrageously long/complicated passwords managed by e.g. Bitwarden or the likes.
Long passwords can still be phished. Passkeys cannot. It’s a huge upgrade.
I don’t think so, but whatever.
What do you mean? Do you not believe the anti-phishing features will work as described for a reason?
It’s not quite unique to a specific device. You can store your private key in a password manager or something similar, and then access it from other devices
Depends on your personal choice. You can definitely limit them to a single, hardeneddevice if you want the highest level of security.
For most users and most situations, a synced solution will be preferable.
Me, at the bank:
Robbers, as they enter the bank: everybody freeze
Me: ah shit
Robbers: everyone give me your phones
Me: aw hell naw
mission impossible style shootout
While I would agree this sounds more secure, I’m always worried about people getting further locked in to Google’s products.
Hopefully this system won’t take accounts “hostage” by requiring you use Chrome to log in to them, but it’s Google, so…
Passkey is an open standard. It’s not Google specific.
That’s good to hear. I don’t know much about passkeys, and I should really spend some time learning about them. Didn’t mean to fear-monger, but I guess I’m getting more cynical these days.
Updated my root comment to reflect this.
We’re sorry, Firefox cannot access your IMEI to fingerprint your device. Please use a modern web browser like Chrome, Chrome, or maybe try Chrome.
Yet another anti-consumer, anti-privacy, “for the sake of children!” Type tactic from Google.
Mozilla is in the process of implementing passkeys in Firefox. This page tracks the status of various implementations of passkeys.
Yeah I’ve already switched to LibreWolf after seeing the AI bullshit that FF is adding in the name of “spotting fake reviews”. My ass. Unfortunately I can’t use it at work apparently, the security app we use flagged it because I tried to import passwords from another browser… sigh
CAN I JUST BROWSE THE DAMN INTERNET PLEASE
Did you just make up something that could happen and then get mad about it?
Yeah I’m in that kinda mood today. And it’s not exactly far fetched.
Satire typically highlights something that has happened, not something made up.
The onion…?
it’s passkeys. they are getting integrated in a lot of stuff right now, including password managers like bitwarden
Mot likely it won’t need to have chrome. However maybe Google services may be required.
However it is also very likely, if a device cannot support such feature, it will only require a password and 2fa.
Use a yubikey, that doesn’t vendor-lock you to an OS ecosystem. They make one with nfc so it’s not a pain to use with your phone.
I’m not sure if this is universal or specific to the last site I tried to use my Yubikey with as a passkey, but it only would allow it to be used as 2FA, not actual passwordless authentication.
I assume this is because Yubikeys don’t create a secret for each individual website I suppose? Not exactly sure about that one.
The site likely didn’t support passkeys. But passkeys are basically webauthn passwordless login, and per the yubikey docs they support that.
See https://www.yubico.com/authentication-standards/fido2/ and https://fidoalliance.org/passkeys/#faq for more info. See also https://support.apple.com/guide/iphone/use-passkeys-to-sign-in-to-apps-and-websites-iphf538ea8d0/ios specifically the bit about adding a passkey to a physical key.
Google definitely supports passkeys, and they were one of the sites that did this. I’ve just replied to another comment regarding this. I wonder if the Yubikey 4 (I’m not sure how to tell which one I have, since they look about the same) just doesn’t support passkeys, which would be… unfortunate.
It’ll be even more unfortunate if there’s a weird mix of sites that support the Yubikey as a passkey and some only support it as a passkey. My Pixel is supported as a passkey, but Firefox on Linux doesn’t support this - only on Windows and macOS. I believe Chrome/Chromium does, which is equally as frustrating as my Yubikey possibly not supporting passkeys.
Strangely enough, Google lets me “add” my Yubikey as a passkey, but then does not let me sign in with it due to it not being “recognized”. If I remove it as a passkey, and only use it as a 2FA token, attempt to sign in and use the “Enter your password” option, it will then let me use the key after I’ve entered my password as a second factor.
So it seems Google has removed the error (or its not triggering anymore) as they will have been one of the first sites I tried to create a passkey for, but it still does not let you use it as a passkey.
Per Yubico’s specs on the Yubikey 4, it does not support FIDO 2 resident credentials, meaning it does not support Passkeys.
Compare to the specs of the Yubikey 5C NFC or Yubico Security Key C NFC, which both have this section:
FIDO2
The FIDO2 application allows for secure single and multi-factor authentication, and can store up to 25 resident credentials. These credentials, which are protected by a PIN, enable passwordless login, where the YubiKey, unlocked by a PIN and authorized by touch, can log you in to your accounts without entering a username or password. The FIDO2 application is FIDO certified.
See also Yubico blog post with an FAQ about passkeys:
How are passkeys different from YubiKeys?
They’re the same, and they’re different.
They’re the same because YubiKeys have had the ability to create these passwordless enabled FIDO2 credentials (passkeys) since the YubiKey 5 Series became available in mid-2018. Currently, YubiKeys can store a maximum of 25 passkeys. We are evaluating increasing this in the future because of the likely increase in fully passwordless experiences across the web that require them.
They’re different because Platform created passkeys will be copyable by default using the credentials for the underlying cloud account (plus maybe an additional password manager sync passphrase), whereas passkeys in YubiKeys are bound to the YubiKey’s physical hardware where they can’t be copied.
I wouldn’t run out right now and buy a Yubikey to store Passkeys given the 25 key limit and the likelihood that Yubico releases a new key that supports storing far more of them, but if you do, the $25 Security Key series is the cheapest option.
Interesting, I’ll probably just have to wait till either Bitwarden supports Passkeys, or wait till Firefox on Linux supports cross-device Passkeys (so, my phone for example) as yeah a 25 key limit is not likely to be worth purchasing an upgrade for just yet.
The credential needs to be set as discoverable and some other stuff to work for passwordless login (the token must store site specific data)
You would need to reregister it as passwordless to not just use it as 2FA after having entered a password (meanwhile standard 2FA with webauthn don’t store anything on the token, the website sends encrypted credentials to the token which only the token can decrypt and then authenticate with)
Both the website and your physical security token must support the right type of webauthn credentials (the token has storage for a certain number of slots with “discoverable credentials”).
Passkeys is a variant of the same which is bound to your device’s own TPM / SE security chip or equivalent, plus a synchronization feature for backups.
You can use Yubico keys as your passwordless logins. Both Google and Microsoft have this option.
Strangely enough, Google lets me “add” my Yubikey as a passkey, but then does not let me sign in with it due to it not being “recognized”. If I remove it as a passkey, and only use it as a 2FA token, attempt to sign in and use the “Enter your password” option, it will then let me use the key after I’ve entered my password as a second factor.
So it seems Google has removed the error (or its not triggering anymore) as they will have been one of the first sites I tried to create a passkey for, but it still does not let you use it as a passkey.
I haven’t encountered this issue, yet. I’m using LibreWolf browser (v118.0) and tested logging in my Google and MS account passwordless. BTW, I have Yubico Security Key NFC (the blue one).
Someone else correct me if I’m wrong but it works similar to PGP.
Background info:
- Your device generates two keys, a private key and a public key
- The public key can be given to anyone and the private key stays with you
- The public key is used to encrypt data and the private key is used to decrypt it
Usage:
- You sign up for a service with all the normal info minus a password and click submit
- In the background, a private key is generated and stored in iCloud Keychain, Google Passwords, or a 3rd party password manager (so all your devices can access it). A public key is also generated and given to the service
- Now you try and login. You enter your username and click login
- In the background, the server encrypts a challenge, token, or some piece of data and sends it to your device
- Your device decrypts that piece of data with the private key associated with the website
- At this point, your device either sends the decrypted data back to the server in exchange for an access token or maybe you decrypted the access token (not sure exactly how that will work. If it’s the former, the data would still be encrypted via ssl so only you and the server would see it)
- Now you are logged in
Closing:
So, it’s supposed to be more secure because every time you login, you never type in a password that gets transferred to the server for verification. The server is sending your device data to verify so that it can then verify you. This mainly prevents phishing and the reuse of passwords but I suppose if someone hacks into your iCloud account or whatever, they have the keys to the kingdom 🤷♂️
As you point out, the single point of failure is access to the passkey repository. Of course, this will usually be 2FA, so much more secure than simple passwords which people usually employ.
One major issue, IMHO, is vendor lock-in. I’ve no doubt Apple is going to make migration away from iCloud a huge pain in the ass. It’s just another way they’re going to make it difficult to leave their ecosystem.
I’m also worried about backups. People lose access to their Google and Apple accounts routinely for any and no reason at all. Will these keys be stored in the cloud? If so, access to EVERYTHING is just a capricious random algorithm away from being lost.
I wouldn’t touch any passkey system which doesn’t provide a seamless way to migrate away especially if I’ve lost access to my Apple/Google account.
Having a seamless way to migrate away is itself a security risk, since that method could be used by attackers to compromise the key store. The migration path for any of the major players (Apple, Google, Microsoft, Yubikey) involves logging into each site you used a passkey with, adding a new one from your new passkey store, then revoking the old passkey.
Password managers that store Passkeys may handle this differently, though, and are your best bet if you want migration flexibility.
The method you describe is untenable for 99.9% of the population. If that is truly the only way to migrate, then this move to passkeys is a catastrophe for security. In the coming years, millions of people are going to be permanently locked out of important accounts. Accounts will be written about the clearly flawed implementation of passkeys by Apple and Google, and a whole generation of people are going to shun passkeys forever. Myself included. This is a nightmare for vendor lock-in. I can see why Apple and Google are so ready to implement this.
I’m really over people calling backups a security risk.
There’s a reason bitwarden, 1password, last pass, etc etc. allow you to export your passwords. They also all allow you to do so in an encrypted file.
Accessible keys are a security risk, regardless of how you feel about it. If a key is accessible on the system then any exploit with elevated read permissions can steal the entire key store. By leveraging hardware features that let you add and use a key but prevent reading it, you mitigate that risk. There’s a reason that on Yubikeys, secrets are write-only.
Bitwarden, 1Password, and other companies who build password managers are able to operate with higher expectations of their users. Their users opted into using a flexible, secure tool, and as such, they can provide riskier options to their customers. They know that providing a TOTP solution in their application doesn’t force their customers to use it when doing so would be outside their risk tolerance.
That said, every password manager that I know of - Apple’s, Google’s, Microsoft’s, Firefox’s, as well as dedicated password managers - has an export tool. But this doesn’t mean that all of those providers value having flexibility. I’d argue that in many cases it just means that they recognize that a password alone isn’t trusted enough to warrant concealing it. Given that you have to know the password to enter it, there’s much less value in concealing it from the end user. Since passkeys don’t work that way and do have that value, it makes sense for providers, if they are opting to prioritize security, would choose a less-flexible solution that most of their users don’t care about.
If the big providers did offer a more flexible alternative, enabling exports, to advanced users, those users would necessarily have reduced security and they would have to opt into that ahead of time, since later the secrets would be inaccessible (theoretically - depending on how the syncing is implemented it might be feasible to intercept them. My assumption, since syncing is within a given ecosystem only, is that when synced they are encrypted with a public key that only their secure hardware can decrypt). Also, having such an option would require a different code pathway when interacting with the secrets store, which would mean more potential code that could have bugs.
deleted by creator
I have a long list of questions about PassKeys and none of this articles explains them well enough.
- Does Android have it build in AOSP or Google Play Services?
- Would it be possible to actually see your private key on Android? Like export them to a file?
- Does they work without third party service? Can it be just me and the service I am logging in, or does it require my servers from PassKey provider (like Google, Bitwarden, 1Password) to work?
- Can it be used offline? For example, can an offline device create token that second online device could use for login? (Like TOTP codes).
- Does they work on other Internet services than the Web? In other words, does they work purely over HTTP and webviews or can they be in future used to login in for ex. SSH servers?
Nothing of that?
You don’t need to export or know what is the key.
The key is different for each device.
You don’t need to export or know what is the key.
But is it possible in the implementation of Android/iOS?
Backups are a thing. With SSH keys I have different key for every device too, but as they are stored in an accessable file (as all computer data should be) they are backed up with the rest of the system.
Keys are stored in the equivalent of iOS’s Secure Enclave (actual name is implementation specific: ARM’s TrustZone, Samsung’s KNOX, Pixel’s Titan M, etc): https://www.howtogeek.com/387934/your-smartphone-has-a-special-security-chip.-heres-how-it-works/
I just replaced my iPhone, and the few places I “sign in with Apple” still work in the new phone. Yes, you can back it up and restore to a different device. I assume you can also use it across devices but I haven’t tried that
This is something different to PassKeys. “Sign in with Apple” is Apple telling online service “let him in”, while PassKeys is storing your authentication data on your device.
So first, no, all the files should not be accessible : There are special not “files”, but keys, like the key used for this method. These keys pose a huge security risk of they are leaked somehow. The key can be something used to encrypt the device/disk, encrypt a connection, and other things associated with encryption.
And because of that security risk, they are often stored in a special chip or simulated chip (like the simulated tpm 2.0 on pc cpu), and not just “stored” so any malware or who knows what can access them just by reading the drive.
Second, the key is never transfered. When you connect to another device, that other device will get another key. Or maybe could it be backed up somehow in case of recovery on another phone? But that would defeat the entire purpose of this.
How Google can do to allow you to connect to another device if the first one is lost, not sure. But it would certainly either ask for a password and a 2fa method.
How Google can do to allow you to connect to another device if the first one is lost, not sure. But it would certainly either ask for a password and a 2fa method.
That’s the key question. From what it seems, it would replace a password manager with different passwords for each website, but you give Google control of the master password.
It is not for the password manager…
It’s just to connect to the google account.
It is not a service to connect to other ones without passwords.
i tested it on another device, it looks like it gets the passkey from the source device (not from cloud), i had to input the original device’s unlock pattern for it to work
And it’s expected as you still had that device. And it’s not the same key, a new key has been created for that new device. Now if that device cannot be accessed?
This is the best summary I could come up with:
Google is taking a big step toward making passkeys the default login option for its users.
Starting today, users logging in to personal Google accounts will be prompted to create and use passkeys instead of passwords when possible.
They’re both easier to use and more secure than passwords, so users no longer need to rely on the names of pets, birthdays or the infamous “password123.” Instead, passkeys let users sign in to apps and sites the same way they unlock their devices: with a fingerprint, a face scan or a screen lock PIN.
And, unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.
Google has been experimenting with passkeys across numerous products, including Chrome, over the past year.
Users who want to forgo passkeys can uncheck the “skip password when possible” option in their accounts.
The original article contains 289 words, the summary contains 146 words. Saved 49%. I’m a bot and I’m open source!
people have really unsecure pins.
Ok but what’s unsecure with ‘1111’ as long as I’m not telling the order of the digits to anybody?
It can be cracked in less than a second?
If someone never loses their phones, laptop… Maybe it’s secure.
But if someone steals it, how secure can it be? Is the key protected by the pin encryption? If so the encryption is now useless.
Here is a French video about Micode interviewing the French DGSE : https://youtu.be/g_jEz6aF2b4?si=-sUAIvDf4F7-7kGc
They crack the phone security in 4 seconds with the pin beeing : Mic0rp2022. The software used is hashcat, an open source tool.
How long do you think this will last until they kill it?
deleted by creator
The problem with Google’s passcodes:
- I don’t use Google account on my phone. In a rare occasion I need to access gmail outside of my home, I just log in via a browser, either on my phone or work computer or wherever.
- My home PC has no authentication whatsoever. The three physical locks on my apartment’s door is the access control. Couldn’t lug it around for authentication, anyway.
- I have no other devices that could be used for this passcode thing, and my phone is usually laying around somewhere, probably shut off with empty battery.
In fact, I have not bothered even with 2FA for google accounts. At this point these are just “garbage collection accounts” for spam and youtube subscriptions/playlists, anyway.
i don’t own a ‘device’ to use for this. i don’t even want one.
This video about passkeys is fascinating. They are very secure even if your pin is 1234. The only way for someone to hack your account is if they have your device.
