passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.
Hello this is the google passkey authority, there is a recall of your passkey. Please confirm your mailing address so we can send you a replacement and refund for your postage of your dangerous key to us.
Are you confusing passkeys with physical security keys (e.g. YubiKeys)?
I am. In fairness, I’m p sure that if the user can ever view the key material, a phishing attack can be mounted.
Maybe. But realistically, if they do try to export it there will be tons of warnings from the application letting them know that revealing it to a 3rd party will impact their security.
It’s not impossible by any means but it raises the bar. While an attacker can snarf a username/password with a convincing website and an email, they’re now going to have to impersonate Microsoft security and call people to guide them through the process.
It is worth mentioning that you are not bound to Google or any other big tech company if you want to use passkeys. 1Password and Bitwarden are both working on supporting them.
Needs more intentional and subtle misspellings and inconsistent grammar
What they never tell you is what they’re bound to. If they’re bound to my phone and I lose my phone I’m absolutely up seven ways to Sunday in trouble. How do I back them up? How do I recover them if my phone is stolen?
Normal reply from Google, Apple, etc, would be that you should enable CloudSync(TM)(C)(R) and send all your personal information to their servers. So they can protect you from whoever will want to get your personal data. This is how you can be sure that even if you lose your phone, your passkeys(TM)(R)(C) will be safe*. (see our EULA, part 17A, section 4.5.6.7 what is our definition of passkey safety).
For Apple devices, Passkeys are stored in and synced by iCloud Keychain, which is end-to-end encrypted. (As far as I’m aware, it’s not possible to get iCloud Keychain not to use E2EE. Some categories of iCloud data are only encrypted if you turn on “advanced data protection,” but Keychain is not one of them.) I think Apple’s response would be that if you lose your iPhone, then what you need to do is to get a new iPhone, sign in to iCloud, let it sync, and then you have all of your passkeys again.
One counterargument to this is, “well, what about the time between losing my old phone and getting the new one?” I saw one Apple employee point out that if you had used a strong password—one that you were relying on a password manager to remember for you—then you’d be in the same situation. I’m not sure I totally buy that; at the moment, password managers (generally construed) run on a wider variety of computers than passkey-storing password managers. It’s entirely possible that you could lose your iPhone (thus losing access to your passkeys) but still have, you know, pass running on your Linux desktop, so that you’d still have access to your passwords. But over time I’d expect more and more systems to add support for storing passkeys.
My understanding: you have a passkey per device. You log into your account with another device and revoke the passkey for your stolen phone. If you get the phone back, you re-enroll it with a new passkey.
Presumably this means you log in to the new device with a password, so you still need passwords? (or some alternative authentication)
I believe we will see passkey providers who are more friendly to the needs of the technologically inclined and who crave control.
That said, the level of improvement the average user will get from this is – staggering. It is not a panacea, but for the average user it will be a massive improvement both in terms of user-experience and security. It even has benefits for the smaller providers of services who no longer have to store a password hash in a secure manner. Many new products already opt out of this by using OAuth, and Passkey is an improvement on that.
I am cautiously optimistic that the good on this will far outweigh the bad.
Good news is this seems - despite being beloved of many of the culprits behind EME - to be entirely open. Firefox may have it in v120 or later.
Does anyone know how https://lobste.rs/s/zvrtsw/how_hype_will_turn_your_security_key_into relates to this? That post was arguing that “passkey” branding will lead to non-resident keys being useless. I have three hardware security keys (“Security Key NFC” by Yubico) and it’s a really important feature to me that I can use them on an unlimited number of websites.
I thought of that article as well and it correctly points out that the issue is one of terminology and marketing hype: FIDO has settled on “a passkey is a resident key” when it should really be “a passkey is any possible authenticator that a user chooses to use (resident key, non-discoverable credential, etc.)”.
Couple that with marketing of certified keys claiming to support “unlimited keypair” storage (with that being true only with non-discoverable creds) and now we have an upcoming browser feature to autocomplete logins with ONLY resident keys.
I like the idea of using something like paperback. Paperback and paper key actually save my private keys as a printed scannable document. Then if my computer dies I just have to scan the paper. My biggest fear about all these things is the way they require me to use government controlled and corporation controlled trust stores.
OpenID was a good solution to be in control of your accounts
So when will https://lobste.rs get passkey support?