
“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.

[-] mlg@lemmy.world 1 points 1 hour ago

I remember when Microsoft made a big deal about this on Windows and then their "implementation" was making the local signon a number PIN.

And not a proper separate auth operation lol. You either set up almost everything with the PIN or use a regular password, not both. Makes it useless on enterprise.

Realistically we should all be using a key/pass vault since that would make using passkeys much easier, but that's too complicated for the internet in ~~2004~~ 2024.

If it were me, I'd just issue everyone a yubikey.

[-] msage@programming.dev 4 points 3 hours ago

I'm lost on this - is this better than GPG?

[-] corsicanguppy@lemmy.ca 11 points 13 hours ago

Does it require an array of fucking containers and a flurry of webAPI calls? Then no.

[-] SirEDCaLot@lemmy.today 2 points 4 hours ago

No it's actually pretty simple. No containers. Your passkeys can be managed in the browser (Google Passwords), by a plug-in like BitWarden, or in a third party hardware device like YubiKey.

[-] NateNate60@lemmy.world 18 points 17 hours ago

I still have no idea how to use passkeys. It doesn't seem obvious to the average user.

I tried adding a passkey to an account, and all it does is cause a Firefox notification that says "touch your security key to continue with [website URL]". It is not clear what to do next.

[-] JackbyDev@programming.dev 8 points 11 hours ago

After my password manager auto filled a password and logged me in the website said "Tired of remembering passwords? Want to add a passkey?" I didn't know what it meant so I said no lol.

[-] Scrollone@feddit.it 1 points 2 hours ago

Me too, I don't trust the system and I don't want to be locked into a specific browser and/or device.

[-] echodot@feddit.uk 4 points 16 hours ago

I think you actually have to buy a passkey device. Then configure it to work with a particular account.

You plug the passkey into your computer and then whenever it asks for a password you literally touch it and it does its thing. I think there are options like biometrics that you can add on top but you don't have to have that.

[-] el_abuelo@programming.dev 6 points 14 hours ago

Devices themselves can act as passkeys too - i.e. your phone, laptop etc...

[-] xor@lemmy.blahaj.zone 3 points 12 hours ago

...except the ones that can't

I think it depends on whether you have a TPM chip in it

[-] EngineerGaming@feddit.nl 2 points 8 hours ago

What are you talking about? KeepassXC, to my knowledge, is not dependent on any TPM, and it does support passkeys.

[-] xor@lemmy.blahaj.zone -4 points 7 hours ago

> devices themselves can act as passkeys

I didn't say a device needs a TPM to support passkeys - I said I believe it needs one to be a passkey

Thank you for your passive aggressive response caused by poor reading comprehension, though

[-] EngineerGaming@feddit.nl 1 points 7 hours ago

From what I understand, "passkey" refers to software, so no such thing as "device being a passkey". Unlike a hardware key.

[-] xor@lemmy.blahaj.zone 1 points 5 hours ago

You understand incorrectly. "passkey" refers to a token used for the public key authentication that is used for sign in, which needs to be stored somewhere - this can be stored in a hardware key like a YubiKey, or in your device's credentials manager. In principle, this could be anywhere, but it needs to be somewhere secure to not be trivial to compromise (eg taking out your HDD and just copying your passkey off it)

In Windows' case, this secure credentials store is the TPM chip, which is why you are not able to use passkeys on Windows devices that have no TPM chip (unless you use another hardware implementation).

Tldr: passkeys are data, not software, and to store the data, you need some form of hardware, which needs to be secure to not be a really bad idea.

If you'd like to do some reading before confidently correcting me further, I'd suggest reading about how passkeys work.
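An added illustration, not part of any comment in this thread: a toy model of the public-key sign-in the comment above describes, showing which piece is the secret that has to be stored somewhere and which piece the website keeps. The class names, the `example.test` site id and the signed message layout (site id followed by challenge) are assumptions made for this sketch; real WebAuthn signs a more structured message.

```javascript
// Added illustration: a toy model of passkey sign-in, NOT the real WebAuthn/CTAP format.
const { generateKeyPairSync, randomBytes, sign, verify } = require("node:crypto");

// Authenticator: wherever the private key lives (hardware key, TPM-backed store, vault).
class Authenticator {
  constructor() { this.keys = new Map(); } // site id -> private key
  register(siteId) {
    const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(siteId, privateKey); // the secret data that must be stored safely
    return publicKey.export({ type: "spki", format: "pem" }); // only this leaves the store
  }
  signIn(siteId, challenge) {
    const key = this.keys.get(siteId);
    if (!key) return null; // no credential exists for a look-alike site id
    return sign("sha256", Buffer.concat([Buffer.from(siteId), challenge]), key);
  }
}

// Website: stores only public keys, so a database leak exposes no usable secret.
class Website {
  constructor(siteId) { this.siteId = siteId; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, pem) { this.publicKeys.set(user, pem); }
  newChallenge(user) {
    const challenge = randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  check(user, signature) {
    const challenge = this.pending.get(user);
    const pem = this.publicKeys.get(user);
    this.pending.delete(user); // each challenge is accepted once
    if (!challenge || !pem || !signature) return false;
    return verify("sha256", Buffer.concat([Buffer.from(this.siteId), challenge]), pem, signature);
  }
}

function demo() {
  const device = new Authenticator();
  const site = new Website("example.test"); // constructed site id
  site.enroll("alice", device.register("example.test"));
  const signature = device.signIn("example.test", site.newChallenge("alice"));
  const firstUse = site.check("alice", signature);
  const replayed = site.check("alice", signature); // no pending challenge any more
  site.newChallenge("alice");
  const staleSig = site.check("alice", signature); // signature covers the old challenge
  const lookalike = device.signIn("examp1e.test", site.newChallenge("alice"));
  return { firstUse, replayed, staleSig, lookalikeSigned: lookalike !== null };
}
```

Whether the `keys` map sits in a TPM, a hardware key or an encrypted password-manager database changes how hard the private key is to copy, not how the sign-in exchange works.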

[-] EngineerGaming@feddit.nl 1 points 1 hour ago

That is exactly what I said though - passkeys are software. They're not confined to hardware modules, so there's no such thing as "device being a passkey".

[-] el_abuelo@programming.dev 1 points 12 hours ago

Thanks for clarifying

[-] NateNate60@lemmy.world 6 points 15 hours ago

If that's what's needed, I can say with some certainty that adoption isn't going to be picking up any time this decade.

[-] echodot@feddit.uk 1 points 13 hours ago

They've been around forever as a concept. I think I even have one for accessing some servers at work. You're right, no one uses them.

[-] EncryptKeeper@lemmy.world 22 points 1 day ago* (last edited 1 day ago)

ITT: Incredibly non-technical people who don’t have the first clue how Passkeys work but are convinced they’re bad due to imaginary problems that were addressed in this very article.

[-] nevemsenki@lemmy.world 127 points 1 day ago

If the passkeys aren't managed by your devices fully offline then you're just deeper into being hostage to a corporation.

[-] Draconic_NEO@lemmy.world 10 points 18 hours ago

That's a great way to lose access if your device gets lost, stolen, or destroyed. Which is why I'm against and will continue to be against forcing 2FA and MFA solutions onto people. I don't want this, services don't care if we're locked out which is why they're happy to force this shit onto people.

[-] EngineerGaming@feddit.nl 2 points 8 hours ago

In case the device gets lost/stolen, you should have a backup of the database that contained the passkeys. That's why I would be only using the implementations that allow doing that easily.

[-] nevemsenki@lemmy.world 4 points 17 hours ago

Well yeah, that is true. Security and convenience are usually at odds... MFA has its place, unless you don't mind some guy from Russia accessing your online bank account; but I definitely wouldn't use it on all my accounts.

[-] Draconic_NEO@lemmy.world 4 points 17 hours ago

Yeah, and since online bank accounts can also almost always be reset if you lose the 2FA/MFA key by calling customer support, or going to your bank and speaking with them in person, there's almost no risk of losing access completely. It's a service you have access to because you're you. Something that isn't the case with Reddit, Github, Lemmy accounts, or Mastodon. I'm not able to regain access after losing those 2FA solutions by virtue of being myself, they treat you just like the attacker in those cases. Really not worth it there, both since what is being protected isn't worth it, and the risk far outweighs it.

[-] kiagam@lemmy.world 4 points 13 hours ago

Access to my main email account (outlook) is currently blocked because someone decided to try a password from some earlier leak and locked it. It can only be unlocked with SMS MFA, which I can't use because I'm travelling abroad. There is no other way to do it. The other option they give you is a form that only works if you don't have MFA set up (it says so on the FAQ). I even asked someone to fill in the form from my home computer so the location data matches earlier accesses, but it didn't work. You also can't contact support without logging in. If I had lost/changed that phone number for any reason, I would lose access forever. Luckily I will be back home soon.

[-] rottingleaf@lemmy.world 4 points 17 hours ago

Y'all here talking so smart ignore another thing - the more complex your solutions are, the deeper you are into being hostage to everyone capable of making the effort to own you.

Don't wanna be hostage - don't use corporate and cloud services for things you need more than a bus ticket.

You are being gaslighted to think today's problems can be solved by more complexity. In fact the future is in generalizing and simplifying what exists. I'm optimistic over a few projects, some of which already work, and some of which are in alpha.

[-] Archer@lemmy.world 1 points 12 hours ago

Thank goodness you didn’t mention any names

[-] rottingleaf@lemmy.world 1 points 12 hours ago

Projects don't react too well to premature attention.

[-] fmstrat@lemmy.nowsci.com 3 points 18 hours ago

Not to mention Apple lets you SHARE them with airdrop.

this post was submitted on 15 Oct 2024
172 points (92.2% liked)
