A lot of services support passkeys. Microsoft even has an option to make my account “passwordless”. Since they are more secure than passwords, will you be switching some / most of your accounts to passkeys any time soon? Interested to hear everyone’s thoughts on passkeys. 🔑
I use a password manager. I don’t care about it. Passwords are reasonably secure.
Passwords can be leaked, mostly by bad security on server side.
Passkeys use secure keys, it checks public keys on both sides and send private key to authenticate, without both keys can’t login or if the server is compromised.
It’s like GPG or SSH works.
Close but private keys don’t get sent.
It sends information encrypted via your public key to your client, then your client proves that it’s the real owner of the key by decrypting the message, and then sending a new message back encrypted by the private key that the server can then verify.
This is what’s better than a password, the information for providing authentication (the private key) never leaves your computer (where as you almost in all implementations of password based auth, send the password itself to the server).
A question, since you sound like you know what you’re talking about. Is this analagous to password-free SSH? I.e., private key used to log in on the basis of a pre-agreed public key?
Yeah basically. See “What is a passkey” on https://fidoalliance.org/faqs/#PasskeysFAQs
From a technical standpoint, passkeys are FIDO credentials that are discoverable by browsers or housed within native applications or security keys for passwordless authentication. Passkeys replace passwords with cryptographic key pairs for phishing-resistant sign-in security and an improved user experience. The cryptographic keys are used from end-user devices (computers, phones, or security keys) for user authentication.
Which begs the question, “What is FIDO?”. To which the About FIDO page replies, literally, “FIDO authentication uses standard public key cryptography techniques to provide phishing-resistant authentication”.
Arrghghgh! Orwell was right about people’s incredibly capacity to write with zero clarity.
More generally, IMO what we have here is a classic case of ELI5 vs “ELI know something already”. I use SSH and manage the keys myself but I still can’t find an answer to this question: is a “passkey” just another word for “the private key in a public-private keypair?”
Whenever I look into this, the explainer always either jumps straight into super-dense technical details, or describes it all in term of metaphors as if talking to a small child. Oh well.
Reading through all the jargon and simplifying it, the answer: yes they’re the same in the way you mean.
“SSH” and “passkey” are both technologies built on asymmetric cryptography. They thus at a fundamental level do work in the same way, it’s all the protocol and practices stuff that gets bolted on that is where things become different and where things took time to get into place so we could use these things on the web (and not just “we” who know what SSH is but “we” who make up society).
Arrghghgh! Orwell was right about people’s incredibly capacity to write with zero clarity.
The problem is arguably that for the people who understand it enough to say “yeah, they’re the same idea”, the key point is “asymmetric cryotherapy” in an authentication context, the key point is not SSH. SSH is just how most technically inclined users have most directly experienced asymmetric cryptography deployed as an authentication mechanism. It’s that same mistake textbooks often make of burying the lead in an otherwise obscure reference the reader may or may not pickup on.
But yes, it would be helpful if some major site would provide this comparison “so that I don’t have to! 😉”
See also “Enrollment and Sign-in with FIDO” in https://fidoalliance.org/how-fido-works/
It’s that same mistake textbooks often make of burying the lead in an otherwise obscure reference the reader may or may not pickup on.
Exactly. Thanks for clarifying.
It’s PKI, public key infrastructure. It’s secure so it’s used in many applications. Including ssh using keys.
It sends the private key? Are you sure about that?
Just like positrons are the opposite of electrons maybe passkeys send private keys and keep the public ones in PKI… wait…
Passwords can be leaked, mostly by bad security on server side.
Wouldn’t this be solved by storing only hashed passwords?
Let’s assume that hashing passwords falls into the “good security” bucket, and wouldn’t be part of the “bad security” scenario.
Figured as much. I thought that was just “standard”, but even “standard” can be a lot to expect lol
Password managers support passkeys.
I use a password AND passkey.
Passkeys as password replacements reduce the total factors required to login to a service. If you use 2fa for all your services anyway then passkeys are a downgrade. That’s why so many people are angry they are having security options removed.
For people who use the same username and password everywhere, then passkeys are a upgrade.
So normal people get a benefit from passkeys in exchange for getting locked into a ecosystem.
For security minded people I hate passkeys.
- Less factors to login
- Discoverable
-
- Unlike fido2 webauthn the service the credentials attach to have to be known, so if anyone steals your hardware key, or gets access to your phone they can see all the passkeys and accounts you have
I WANT my logins to be something I know, something I have, and something I am. Password, hardware key, biometric unlock of key.
I don’t mind passkeys existing, but I HATE that services are replacing hardware key flows with passkey flows. I want to use my hardware key as fido2 not as a passkey. I don’t want to downgrade my security! Microsoft makes it impossible to use a 2fa hardware key as a second factor now, only as a passkey, that’s strictly worse then before.
To be fair, there is a “something you know” factor - the passphrase for the database containing the passkeys. But I kinda do wish they were more easily password-protected individually, like how you do with SSH keys. You can have a separate database for each passkey I guess… But yea, inconvenient.
100% agree. I have 2FA on everything, passkeys are definitely a downgrade
They are more secure than password authentication, though how much more secure depends on how the user manages their passwords.
If a user never reuses passwords across different services and maintains long complex passwords, preferably randomized strings; the security upgrade of Passkeys is quite marginal. Arguably marginal enough to not even bother. The farther a user gets from ‘ideal’ password security practices though, the more of a security upgrade Passkeys would be for them; though convincing them of that is another story…
Switching to Passkeys does take a lot of responsibility off of both the user and service provider. The user no longer needs to ensure passwords aren’t reused, insufficiently complex, or already compromised; and the service provider doesn’t need to worry about leaking your passkey as they only have the public key portion which can’t be used to login as you.
In some ways they can be more inconvenient though. With a password, even long unique complex passwords stored in my password manager; I can open the password manager on my phone, read the password I want, and manually enter it into an unfamiliar or shared device without having to load my entire password/key vault onto that device. Passkeys make that impossible; essentially forcing you provide the whole vault to the device or give up. It is also a big step for people that aren’t familiar with password managers and are used to just remembering their passwords, to then switch to a passkey manager where they can’t use their memory to login anymore.
There’s good sides and bad sides to everything really. Some people will prefer one way, some will want the other way. Ultimately I think we’ll get pushed into using Passkeys by most companies, just so they can shed some of the responsibility of keeping your credentials secure. A stolen passkey database, unlike a password database, would not allow you to pose as users, which leads to less claims of fraudulent activity.
Passkeys (depending on implementation) are more resistant to info stealer viruses.
The private key portion can be in your OS’s credential store and can be used to sign the challenge without being revealed to the calling application.
Of course this doesn’t work if you got rooted, but a lot of viruses of this kind try to steal what they can get as a regular user, and you can get a lot, ie AWS credentials, saved browser passwords etc.
In my view it’s cheap defense in depth.
I’ll use passkeys if and only if they work with my password manager (Proton Pass). If not, I’m sticking with the password (and 2fa if they offer it)
Proton Pass already supports passkeys: https://proton.me/support/pass-use-passkeys
I know but not all websites do
The website has to build in support for them. Youll start seeing it more over time.
I highly dislike the idea of a passkey replacing a password as it means you’ve lost the something you know and replace it only with something you have.
Passwords AND passkeys together sound great.
To be fair, you cant use the passkeys unless you are logged into your password manager, which requires a password you “know”.
It could be your phone or computer as well, they don’t have to be in a password manager.
And that’s often going to be the default people use.
Now it’s just your face or fingerprint, both of which are easier to bypass if it’s targeted.
Well, then its still 2FA. Something you are and something you have.
Just in addition to my other reply… that was assuming it’s not a government agency.
The police can just force you to do it, but they can’t force a password.
Everyone using a passkey and biometrics on their hardware is law enforcements wet dream.
Including border security where you have less rights.
This exactly why I have a phone that lets me use two factors to unlock it, pin plus fingerprint!
It let’s you require both?
It looks like it’s pin and optional fingerprint, not pin and fingerprint for me? On Android
This is why I always turn it off in airports though.
Pin to unlock phone
Fingerprint to unlock work profile.
It’s just much weaker than a password and passkey / security key.
Something you are can easily be taken from you. (Edit: eg lifting fingerprints can unlock things)
Something you know is harder and would escalate a situation if forced substantially.
They’re FIDO keys but bad.
Here’s a great blog post from someone who knows what they’re talking about: https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/
Very enlightening read. That service lock-in is so real. I had some passkeys in Google Password manager (Android) just to try them out, and then wanted to move them to Bitwarden. I had already disabled Google Password manager on my phone to use Bitwarden. Imagine the headache I had to deal with to move a single passkey over to Bitwarden (really, I deleted one and added one, while dealing with UI hurdles). Until this improves (if ever), I’ll probably stick to my passwords and normal 2FA.
Since I use a good password manager. And use TOTP on everything I can. Which admittedly I do store in my password manager as well. I don’t think passkey really improves security very much in my case.
That being said though I’m a big fan of passkeys and use them everywhere I can. But I don’t store them on devices only in my password manager. So I don’t have to worry about if I lose a device.
I think where passkeys really shine though is for people who still aren’t using a password manager. While I’ve tried to get everyone I know using bitwarden most still don’t. And the ones that do still don’t have half of there accounts in it. They are still reusing passwords across multiple sites. So I think passkeys will massively increase security for the majority of ppl. And for those of us using password managers I still think its a slight improvement to convenience.
They’re better than passwords in that they really are phishing proof and well they are basically RSA key pairs that are generated, so they are naturally brute force resistant. Great for the majority because most people reuse their crappy password over and over again, ignorant of the fact that password managers exist just because they have to spend 10 seconds more to press buttons to generate a password and store them in the db. The tech is great as long as the user knows how to keep them safe.
HOWEVER: Since third party password managers (like Bitwarden, 1Pass, etc.) just recently started to provide support for passkeys, alot of people who wanted to use passkey on first release were locked into big tech bros like Google on Android and Apple on iOS’ solutions. And well that’s not good at all. The tech is great though, I’m all for it. You just need to know where to store them. Ideally, I’d store them offline on my device and that exists already but not on Linux (afaik) nor on Android are they a reality yet.
^They definitely are not more than secure than my yubikey though.^
As soon as KeepassDX supports it i absolutely will be making the switch where possible since it is more secure.
I would very much prefer to use passkeys wherever possible. My password manager of choice Bitwarden also supports them. Unfortunately, Android 13 which I am running does not support setting a default app to handle passkeys. So I cannot access that functionality on my phone yet. I think in a few years I will be authenticating with passkeys for a lot of services. However there will be a lot of services that lag behind in terms of offering passkey authentication.
@bilbobaggins The good part: my self-hosted VaultWarden supports passkeys, so I’ve added them to everything I can. The bad part: Android does not support third-party passkeys on Android 13 and lower, and guess whose phone is stuck with 13 being the latest official release for his smartphone - that means that the websites that completely substitute the password with a passkey, such as PlayStation and Microsoft, are currently off-limits for me because I’ll end up locked outside.
Yeah, I noticed incomplete support as well even though I do have Android 14. I opened an incognito tab on my phone to log in to Google with my passkey and it kept asking for my device fingerprint. Not the passkey I saved in Bitwarden. It still logged me in but it wasn’t quite right. Feels like Android really wants me to use Google’s passkey manager 😓 hopefully this all changes in the future
Have not tried passkeys on mobile, so wonder how it is on Graphene and other degoogled OSes…
With Bitwarden, you can use passkeys on chromium browsers. Vanadium actually enabled support in advance.
You need to have Play Services installed, though. This is due to Chromium, nothing GOS can do about that. No need for even network permission for Play Services, luckily.
Firefox is supposedly adding a standalone implemetation, which won’t require Play Services, any year now…
Don’t have Proton Pass, so don’t know what’s the situation there. With BW+Vanadium, they work well. I just wish Play Services weren’t required. With Google Passwords they probably just work.
Ah, thanks! I don’t use passkeys myself yet, and I guess would be waiting longer - really don’t want Play Services in any form)
Mostly wondering for KeepassXC, as the managers you mentioned are cloud.
They are convenient, but there’s only a couple sites that support full login with passkeys. I’m reading between the lines of your comments none of them are sites you’d use (Microsoft, Github, Google, etc…)
Someone else commented KeepassXC has an open issue about passkeys, perhaps they’ll add support sometimes too.
You’re not really missing anything yet, to be honest. I’ve mostly tried them out just out of interest, and it’s still very much aimed at people using Google or Apple…
they don’t work. Technically they do, but they are a major major pain to manage.
passkeys were invented for vendor lockin and will be used to add friction to migration, say if you wanted to move from apple to bitwarden well sorry you can’t. fido originally made the protocol to sell their dongles and fought like hell to keep them off smart phones, platform vendors are only interested in this to lock you into their system too. there is absolutely nothing wrong with normal passwords.
Random passwords and MFA all the way!
Was about to post the great blog post from my bookmarks, but another commenter beat me to it (t y !). Here’s comments on that blog post on Lobsters and HN :
I would like to use it (or any biometric authentication at all) on Linux with my USB fingerprint reader (DigitalPersona 4500), but it seems broken in libfprint and the devs are unresponsive to their gitlab issues. Using a Windows VM just for fingerprint support is not something I want to do either.