• azalty@jlai.lu
    link
    fedilink
    English
    arrow-up
    32
    arrow-down
    2
    ·
    2 months ago

    I have never understood the goal of passkeys. Skipping 2FA seems like a security issue and storing passkeys in my password manager is like storing 2FA keys on it: the whole point is that I should check on 2 devices, and my phone is probably the most secure of them all.

    • ByteOnBikes@slrpnk.net
      link
      fedilink
      English
      arrow-up
      7
      ·
      2 months ago

      That was my take too.

      Security training was something you know, and something you have.

      You know your password, and you have a device that can receive another way to authorize. So you can lose one and not be compromised.

      Passkeys just skip that “something you have”. So you lose your password manager, and they have both?

      • Spotlight7573@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        2 months ago

        I think you mean that passkeys potentially skip the something you know. The something you have is the private key for the passkey (however it’s stored, in hardware or in software, etc). Unlocking access to that private key is done on the local device such as through a PIN/password or biometrics and gives you the second factor of something you know or something you are. If you have your password manager vault set to automatically unlock on your device for example, then that skips the something you know part.

      • Modern_medicine_isnt@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        ·
        2 months ago

        More than that. You probably use them in public, where there are tons of cameras. So if you forget you phone in say a restaurant, odds are they have video of you unlocking it.
        And let’s not forget all the poorly secured wifi access points people commonly connect to…

    • imouto@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      2 months ago

      It’s not skipping MFA cos some media can provide more than one factor.

      E.g. YubiKey 5 (presence of the device) + PIN (knowledge of some credentials) = 2 factors

      Or YubiKey Bio (presence of the device) + fingerprint (biological proof of ownership) = 2 factors

      And actually unless you use one password manager database for passwords, another one for OTPs, and never unlock them together on the same machine, it’s not MFA but 1FA. Cos if you have them all at one place, you can only provide one factor (knowledge of the manager password, unless you program an FPGA to simulate a write only store or something).

    • sem@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      3
      ·
      2 months ago

      I love storing 2FA in the password manager, and I use a separate 2FA to unlock the password manager

      • azalty@jlai.lu
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        2 months ago

        I imagine you keep your password manager unlocked, or as not requiring 2FA on trusted devices then? Re entering 2FA each session is annoying

        You still have the treat of viruses or similar. If someone gets access on your device while the password manager is unlocked (ex: some trojan on your computer), you’re completely cooked. If anything it makes it worse than not having 2FA at all.

        If you can access your password manager without using 2FA on your phone and have the built in phone biometrics to open it like phone pin, finger or face, someone stealing your phone can do some damage. (Well, the same stands for a regular 2FA app, but meh, I just don’t see an improvement)

        • ByteOnBikes@slrpnk.net
          link
          fedilink
          English
          arrow-up
          4
          ·
          2 months ago

          I went to see HR a month ago and they had a post-it of their password for their password manager. We use passkeys too.

          And this was after security training.

          • azalty@jlai.lu
            link
            fedilink
            English
            arrow-up
            1
            ·
            2 months ago

            😵 some people just don’t care

            It’s their job though, not their personal life, so they might care less

        • sem@lemmy.blahaj.zone
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          You’re right if I get a virus I’m pretty cooked. Except I think to set 2fa up on the attacker’s device they’d need the phone authenticator to set it up the first time, so hopefully they couldn’t do it unless they used my computer remotely to login to websites.

          But the password manager locks after 15 min and you have to put a pin in to unlock and decrypt.

          I’m not sure what brute force mechanisms it has against the pin.

          Re-entering the 2fa each session is annoying but it’s way better than having to do it on each individual site from my phone.

    • drphungky@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      2 months ago

      It feels like the goal is to get you married to one platform, and the big players are happy for that to be them. As someone who’s used Keepass for over a decade, the whole thing seems less flexible than my janky open source setup, and certainly worse than a paid/for profit solution like bitwarden.