• Big Tech has implemented passkeys in a way that locks users into their platforms rather than providing universal security
  • Passkeys were developed to replace passwords for better account security, but their rollout by Apple and Google has limited their potential
  • Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.
  • phoneymouse@lemmy.world
    link
    fedilink
    English
    arrow-up
    177
    arrow-down
    9
    ·
    edit-2
    7 months ago

    Not commenting on the merits of the blogpost’s arguments, but Proton is selling their own product here too

    • StereoTrespasser@lemmy.world
      link
      fedilink
      English
      arrow-up
      54
      arrow-down
      17
      ·
      7 months ago

      And if you believe in our mission and want to help us build a better internet where privacy is the default, you can sign up for a paid plan to get access to even more premium features.

      Translation: don’t give those other guys money, give us your money!

      • yamanii@lemmy.world
        link
        fedilink
        English
        arrow-up
        47
        arrow-down
        2
        ·
        7 months ago

        The horrors of giving money to a company that actually cares instead.

      • Encrypt-Keeper@lemmy.world
        link
        fedilink
        English
        arrow-up
        23
        arrow-down
        1
        ·
        7 months ago

        Well no, their call to action isn’t to not give anyone else money. They didn’t have anything negative to say about their competition like 1Password. They’re just warning you about the shady things Google and Apple are doing specifically. And as an alternative they’re offering their own solution instead, which also doesn’t cost any money.

    • QuantumSparkles@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      30
      arrow-down
      1
      ·
      7 months ago

      As a fan of Proton services I don’t like “blog posts” from companies where the solution to a problem is just their product, regardless of who the company is

    • Encrypt-Keeper@lemmy.world
      link
      fedilink
      English
      arrow-up
      22
      ·
      7 months ago

      Proton enabled passkeys in their free tier. So ultimately, yes by using their free tier and being safe in the thought that you can always leave if you want, that might drive you to pay for a paid plan.

      But companies trying to earn your business by offering you a good honest product is not at all the same as a company using anti-consumer practices to keep you from leaving lol.

    • AA5B@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      7 months ago

      As someone who is not familiar with photon, I love to see a vendor presenting a feature with a technical discussion, even if they’re also selling it. As far as I can tell, no one was hiding intent, no one was directly selling, so “well done”. Or maybe I just agree with the premise, I dunno

      • Josie@lemmy.blahaj.zone
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        7 months ago

        We’ve tried to stay true to the intention behind passkeys. With Proton Pass, passkeys:

        • Are easy to use, no matter your device or platform
        • Can be quickly shared or exported
        • Use an open-source implementation
        • Are available to everyone with our Free plan
  • capital@lemmy.world
    link
    fedilink
    English
    arrow-up
    74
    arrow-down
    1
    ·
    7 months ago

    If I can’t add your passkey to my Bitwarden vault, I’m not using your passkey.

    • FrankTheHealer@lemmy.world
      link
      fedilink
      English
      arrow-up
      16
      ·
      7 months ago

      Yeah or if they only offer 2FA via SMS. Like 1) it’s not even that much more secure and 2) it’s just more awkward.

      But I also hate how Steam and Blizzard only allow you to verify logins in their mobile app. Fucking ridiculous.

      • EngineerGaming@feddit.nl
        link
        fedilink
        English
        arrow-up
        4
        ·
        7 months ago

        It is stupid that they not only require the app to be present, but to verify each and every trade. Even those for items that drop to everyone for free. Good thing it does work in an Android VM but still - very annoying.

      • hperrin@lemmy.world
        link
        fedilink
        English
        arrow-up
        12
        arrow-down
        1
        ·
        7 months ago

        That doesn’t seem unreasonable at all for not having to host your own server.

        • Serinus@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          10
          ·
          7 months ago

          That’s with hosting your own server. Unfortunately I only discovered this paywall after sending them $10 out of good will.

          Of course it’s open source, so it’s certainly possible to break their DRM, and if it were something less sensitive I would.

          I still might, but VaultWarden looks like a better alternative.

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        9
        ·
        7 months ago

        I pay $10/year for my wife and I, total. The $40 is if you want 3-6 people. AFAIK, you still need to pay if you self-host and use the premium features, but you can self host on the free plan as well.

        $10/year for my wife and I is completely reasonable, and I’d pay the $40/year if my kids needed their own accounts. It’s a fantastic service.

  • Swarfega@lemm.ee
    link
    fedilink
    English
    arrow-up
    61
    arrow-down
    2
    ·
    7 months ago

    It seems no matter what new advancements we make in technology the big tech companies seek nothing more to implement it in a way that benefits themselves. Regardless if it means fucking over the consumer.

    I really hate what the internet has become over the last couple of years.

    • Tak@lemmy.ml
      link
      fedilink
      English
      arrow-up
      19
      arrow-down
      1
      ·
      7 months ago

      That’s capitalism for you. They’re not interested in making things better, they’re interested in making more profit.

      • sunbeam60@lemmy.one
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        10
        ·
        7 months ago

        Correct. But often that only happens if they make things better for you.

        • Encrypt-Keeper@lemmy.world
          link
          fedilink
          English
          arrow-up
          10
          arrow-down
          1
          ·
          edit-2
          7 months ago

          On the contrary, companies making a profit by making things better for you as a concept is pretty close to extinct. See corporations realized they don’t have to make better products if they just box out the competition so that you no longer have a choice. Theres even a term for it now, because practically every company across every industry is doing it, enshittification. Charging more for inferior projects is the new goal.

          A company that grows itself by making a better product is an objective rarity in the modern world.

  • alsu2launda@lemmy.world
    link
    fedilink
    English
    arrow-up
    64
    arrow-down
    6
    ·
    7 months ago

    Not surprised,

    Google too nowadays.

    There’s a reason why they removed their company motto “Don’t be Evil”

    • Ashyr@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      19
      arrow-down
      13
      ·
      7 months ago

      Google has obviously been crap for a long time, but that was just a dumb motto to begin with. It’s not aspirational, it’s not useful for anything and it barely requires anything of anyone.

      They changed it to: Do the right thing.

      It’s not much better, they’re still an awful company, as most companies are, but this is just the worst reason to rag on them.

  • elrik@lemmy.world
    link
    fedilink
    English
    arrow-up
    57
    arrow-down
    1
    ·
    7 months ago

    I am not using passkeys until it’s possible to easily migrate them between providers (not just devices / browsers). If I used Proton Pass, and then later decided to use another password manager, could I export my passkey data?

        • Swarfega@lemm.ee
          link
          fedilink
          English
          arrow-up
          12
          ·
          7 months ago

          The next question is does anyone actually let you import passkeys? I don’t think there is ☹️

          I have a few keys in Bitwarden but before I go adding more I am going to play with Proton Pass. A lot of users were understandably annoyed when Bitwarden released passkey support but in such a limited manner.

    • gian @lemmy.grys.it
      link
      fedilink
      English
      arrow-up
      8
      ·
      7 months ago

      Proton Pass allow you to export your passwords in various formats (both plain and encrypted). That you are able to import somewhere else is not something Proton Pass can guarantee but you have your data.

  • ILikeBoobies@lemmy.ca
    link
    fedilink
    English
    arrow-up
    60
    arrow-down
    5
    ·
    7 months ago

    Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.

    I wonder if there could be any bias in Proton claiming their product is the best

    • sunbeam60@lemmy.one
      link
      fedilink
      English
      arrow-up
      26
      arrow-down
      2
      ·
      7 months ago

      Well of course. It’s still right - the ecosystem lock-in is insane. There needs to be a standard for cloud to cloud transfer between providers.

      Or you know, use Proton Pass or 1Password.

    • ikidd@lemmy.world
      link
      fedilink
      English
      arrow-up
      20
      arrow-down
      2
      ·
      7 months ago

      I’d trust them miles before Google or Apple. Hell, they dropped the prices on some of their products when they found ways to provide them cheaper. Proton is a good company.

      • vermyndax@lemmy.world
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        2
        ·
        7 months ago

        That doesn’t mean they will be around forever. Economic realities care little about whether a company is good or not.

        • Andrenikous@lemm.ee
          link
          fedilink
          English
          arrow-up
          7
          ·
          7 months ago

          In fact history has shown the good die out or become corrupt. Still using them for now though.

        • timbuck2themoon@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          6
          ·
          7 months ago

          Iirc you can export everything. Most allow export of passwords of course but i think proton allows export of passkeys too.

          So there’s portability if they ever do disintegrate.

        • gian @lemmy.grys.it
          link
          fedilink
          English
          arrow-up
          1
          ·
          7 months ago

          True, but this is valid for every company.
          Let’s say that since the company is Swiss based and, AFAIK, not quoted maybe they are not driven by the “the next quarter is all that matters” mentality of many quoted (US) companies.
          There is a smaller chance that they will do something stupid to monetize more just to be ok next quarter (while risking to lose everything the next one) and will be there as long as they provide a value to the customer for the paid price.

    • Reddfugee42@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      4
      ·
      7 months ago

      Do you typically just take people’s word for their claims or do you do cursory research?

    • Dark Arc@social.packetloss.gg
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      7 months ago

      Eh… That’s not exactly a silver bullet or necessarily “way better”; it’s got a lot of usability issues.

      You really only want to do that for your most important sites and then you want to use multiple passkeys to make sure you retain access.

  • CriticalMiss@lemmy.world
    link
    fedilink
    English
    arrow-up
    50
    ·
    7 months ago

    When vaultwarden supports this I’ll play ball. If I don’t have control over my authentication methods, then they aren’t my authentication methods.

    • cooopsspace@infosec.pub
      link
      fedilink
      English
      arrow-up
      15
      arrow-down
      7
      ·
      edit-2
      7 months ago

      Do you really think it’s a good idea to store your password, TOTP and pass key in one place?

      • hydration9806@lemmy.ml
        link
        fedilink
        English
        arrow-up
        15
        arrow-down
        1
        ·
        7 months ago

        Yes, as long as that place is only accessible by a physical passkey (such as a Yubikey). The risk is miniscule and the convenience is 100% worth it.

        • cooopsspace@infosec.pub
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          1
          ·
          7 months ago

          I’m actually not sold that I should be putting all my keys in a single password manager like Bitwarden.

        • Reddfugee42@lemmy.world
          link
          fedilink
          English
          arrow-up
          5
          arrow-down
          1
          ·
          7 months ago

          Treating social media accounts as irrelevant is fine as long as none of your real life friends associate with you on the same platform. Once that’s the case, scammers can take over your platform and send messages to your friends telling them you’re stuck and need money or other sorts of things that sound ridiculous but work all the time.

          • DreamlandLividity@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            7 months ago

            I am not treating them as irrelevant, hence a password manager. But I am not treating it as fort knox. Most of my real-life friends probably don’t even go that far.

    • bitwolf@lemmy.one
      link
      fedilink
      English
      arrow-up
      3
      ·
      7 months ago

      Vaultwarden has supported pass keys for a while. The client app does all the hard work in this pattern.

  • dinckel@lemmy.world
    link
    fedilink
    English
    arrow-up
    43
    arrow-down
    1
    ·
    7 months ago

    The way Apple or companies like Paypal implement two-factor authentication, let alone passkeys, drive me up the wall. This all could have been so much better.

    I’m not even going to mention all the platforms that rolled out passkey creation support, but not passkey login support, for whichever damn reason

    • plz1@lemmy.world
      link
      fedilink
      English
      arrow-up
      39
      arrow-down
      5
      ·
      7 months ago

      Yeah, Apple 2FA is infuriating, especially since you can do all factors from the same device. Kind of defeats the purpose of traditional 2FA/MFA. Also, companies that decide you 2FA experience has to use their app, instead of a standards-compliant TOTP app of your choosing…ugh.

      • WolfLink@lemmy.ml
        link
        fedilink
        English
        arrow-up
        32
        ·
        7 months ago

        Traditional 2FA (assuming you mean apps with codes) can be done from the same device (if you have the app with the codes installed on that device).

        It doesn’t defeat the purpose of 2FA. The 2 factors are 1. The password and 2. You are in possession of a device with the 2FA codes. The website doesn’t know about the device until you enter the code.

        • plz1@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          7 months ago

          Yeah my point is it does not protect the local device well. It does protect well from remote compromise though.

      • paraphrand@lemmy.world
        link
        fedilink
        English
        arrow-up
        18
        arrow-down
        2
        ·
        edit-2
        7 months ago

        If you think forcing everyone to carry an object other than their phone around so they can use 2factor on their phone is a good idea… Or if you said I need to go to my laptop when I’m logging in on my phone and vise versa… that’s nonsense too. Sure maybe some companies require this. But that’s different.

        Authy on my phone is just as “dumb” as Keychain on my phone.

        How else are you imagining this should work? Keep in mind normal people need to do it too.

        • plz1@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          7 months ago

          If I’m on my laptop, and the 2fa code shows on that same laptop, it defeats the purpose of it. The point is sortation of security privileges, ask this just adds more work while providing no less security to the device. It does protect you from remote compromise, though.

          • jkrtn@lemmy.ml
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            7 months ago

            It doesn’t defeat the purpose of it, as you indicate, it can protect from remote attacks.

            • AA5B@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              7 months ago

              Also most or all of these should require some for of local authentication.

              For example I have 2fa apps on my phone, where I need to use them, so yes, that’s less than ideal. However

              • it protects against remote attacks
              • it protects against SIM attacks
              • and even if someone stole my phone and unlocked it, they’d still need my face id for every use
        • sudneo@lemm.ee
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          2
          ·
          7 months ago

          I bring my yubikey with me, it’s in my keychain. This is not only more secure against phone theft/access, which probably is not very relevant for most people, but it spreads the risk of locking yourself out.

          For example, I was in Iceland with my girlfriend and she “lost” her phone. We wanted to locate it, so I logged to Google for her, which asked 2FA. If she used her phone, she would have been toast. Instead I made her use yubikeys too, and she just logged in and found her phone.

          Obviously you can lose your hardware tokens too, but it’s generally less likely (you take out your home keys way less than your phone, for example). You can also backup your TOTP on multiple devices etc., of course.

        • AA5B@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          7 months ago

          For Apple, it’s your iCloud account that everything depends on, and it’s the weakest point. Not by itself maybe, but in practice there needs to be a way to reset your iCloud password, even without your phone. Currently I believe that’s just an Apple representative asking life questions, but that information is mostly publicly available. There needs to be a better way.

          A physical 2fa device may be just what we need to securely rest our iCloud passwords, keeping everything else more secure

      • 9point6@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        ·
        edit-2
        7 months ago

        The factors are:

        • Something you have
        • Something you are
        • Something you know

        Here the password is something you know and the device is something you have (typically also protected by something you are, like your fingerprint or face)

        Someone with your phone but no password or fingerprint is SOL. Someone with your password but not your phone also SOL

    • friend_of_satan@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      7 months ago

      PayPal for sure, because at one point they actually removed the ability to use a hardware mfa token.

      A little known fact about iCloud is that you can use hardware MFA tokens. I think this feature was just recently released though. They force you to enroll at least two tokens too, which is a nice safety. I set this up about a month ago and it’s been great.

  • SkaveRat@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    36
    arrow-down
    1
    ·
    edit-2
    7 months ago

    I’m well versed in IT security, and even with (or because of) my knowledge, I still haven’t looked deep into setting up passkeys on my services. Just because it’s such a clusterfuck of weird implementations.

    I can’t imagine being a normal consumer and wanting to set them up. The poor support teams having to support this…

    And I’m managing at least one service at work that could totally benefit from passkey integration. The headache of looking into how to properly implement them is just way too much

    • deranger@lemmy.world
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      7
      ·
      7 months ago

      I can’t imagine being a normal consumer and wanting to set them up.

      It’s quite simple on iOS. IIRC, when logging into the paypal website you get a prompt asking if you’d like to use passkeys. Accept that, then you get a keychain prompt asking if you’d like to make/use a passkey. Click continue and pass FaceID authentication, then you’re in with a passkey. For future logins you click the login with passkey and it faceIDs you in. It’s easy.

        • deranger@lemmy.world
          link
          fedilink
          English
          arrow-up
          7
          arrow-down
          1
          ·
          edit-2
          7 months ago

          I’m not saying it’s good, I’m saying it’s easy. It is not hard for normal consumers to setup.

  • werefreeatlast@lemmy.world
    link
    fedilink
    English
    arrow-up
    31
    arrow-down
    1
    ·
    7 months ago

    Lock downs are pretty much a hard pass for me. Anything I buy, I research, and if there’s even the slightest hint of BS incompatibility, it’s simply a no go.

  • AWittyUsername@lemmy.world
    link
    fedilink
    English
    arrow-up
    31
    arrow-down
    9
    ·
    7 months ago

    Yeah I’ve avoided passkeys. Anything that Google is pushing to me is always in their interests.

    • Dark Arc@social.packetloss.gg
      link
      fedilink
      English
      arrow-up
      34
      arrow-down
      1
      ·
      7 months ago

      That is not the takeaway here.

      The takeaway is Passkeys are great technology but as implemented by Google, Microsoft, and Apple fall short of what they could be.

      • isles@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        9
        ·
        7 months ago

        Are we talking in circles here? “I avoid passkeys because of Google” “Passkeys implemented by Google have problems”

        • Encrypt-Keeper@lemmy.world
          link
          fedilink
          English
          arrow-up
          8
          ·
          7 months ago

          The way out of the circle that you’ve put yourself in is realizing Google isn’t the only company implementing passkeys.

          • johannesvanderwhales@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            edit-2
            7 months ago

            And that most people are in multiple ecosystems…e.g. Android/iOS + Windows. So they can’t use a solution that’s not interoperable.

        • ItsMeSpez@lemmy.world
          link
          fedilink
          English
          arrow-up
          7
          arrow-down
          1
          ·
          7 months ago

          Are we talking in circles here?

          No. “I avoid passkeys because of Google” is avoiding an entire technology because of a bad implementation. “Passkeys implemented by Google have problems” is only avoiding passkeys implemented by Google, leaving using passkeys still on the table.

      • Spotlight7573@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        7 months ago

        People getting their accounts compromised leads to spam email, spam comments, fake crypto livestreams, etc that impact others. Google definitely has an interest in preventing people from getting their accounts compromised and not just for the benefit of the individuals with the accounts but their platforms as a whole.

    • AA5B@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      7 months ago

      A lot of my hesitation is that not only are passkeys being pushed by the big vendors AND they seem to have a less than portable implementation BUT ALSO they don’t seem to give enough details. Everything is dumbed down for the less technical until it means nothing

      I like that this thread already has more actual information than all the outreach of the big vendors over months

      • Natanael@slrpnk.net
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        7 months ago

        The spec behind it is solid, it creates per-domain cryptographic keyspairs which allows your device to prove you’re you in a standardized and secure way while avoiding adding a new way to track you across sites, and by using the device’s TPM chip to hold the key it’s also resistant to most types of manipulation.

      • ditty@lemm.ee
        link
        fedilink
        English
        arrow-up
        9
        arrow-down
        1
        ·
        7 months ago

        Email was already ubiquitous and generally standardized by the time Gmail released in 2004.

        • Encrypt-Keeper@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          4
          ·
          edit-2
          7 months ago

          Asymmetric cryptography has been ubiquitous and generally standardized by the time Google began letting you store Passkeys, so what’s your point?

          Is Google supporting a particular service or system a dealbreaker for you or not? Because Google has far more fingers in the public operation of email than it does passkeys. So if you’re still ok with having an email account, then you should be just as ok with using passkeys.

      • AA5B@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        edit-2
        7 months ago

        I’m not locked into Gmail: I know it implements standards and I choose it as long as it is most convenient.

        A lot of what comes into my gmail account is actually addressed to various aliases from various providers, and I can point those aliases anywhere

        In particular, all my recent online accounts use unique generated email addresses that I can disable at will, and that forward to my actual email

        • Encrypt-Keeper@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          7 months ago

          Well that’s great news, then you’ll like passkeys because you can use them without being locked into anything.

  • My Password Is 1234@lemmy.world
    link
    fedilink
    English
    arrow-up
    25
    arrow-down
    4
    ·
    edit-2
    7 months ago

    I noticed that recently every post on Proton’s blog has been an advertisement of their services.

    They are hypocrites.

    A few days ago they posted that corporations are bad because they collect fingerprints, profile users, etc., yet they are no better, as their mobile apps rely on Firebase Cloud Messaging (FCM) owned by Google to deliver notifications to their users.

    In 2020 they wrote that they “may offer alternative push notification system”, but apparently shitting on corporations is easier than making actual changes. Four years ago.

          • locuester@lemmy.zip
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            6
            ·
            7 months ago

            Most in the crypto industry wouldn’t consider a hardware key that shares metal with an internet connected device to be a very safe hardware key though. Of course when your hardware key such as a ledger or yubikey is plugged into your computer, now it’s also sharing metal.

            I think the industry needs a term to differentiate between all these categories of hardware wallets.

            The best is an airgapped hardware wallet such as Keystone.

            • ShittyBeatlesFCPres@lemmy.world
              link
              fedilink
              English
              arrow-up
              7
              arrow-down
              3
              ·
              7 months ago

              Oh, yes. Let’s listen to the crypto industry, that famous industry with no security breaches or frauds. We might as well ask for site design advice from restaurants that don’t put their hours or menu somewhere prominent on their site.

                • GamingChairModel@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  7 months ago

                  That’s probably what pisses me off the most about the cryptocurrency world. They somehow appropriated the word “crypto” to mean their internet money, instead of the meaning it had tracing back to World War 2, if not earlier.

              • locuester@lemmy.zip
                link
                fedilink
                English
                arrow-up
                2
                arrow-down
                1
                ·
                7 months ago

                The crypto industry has been perfecting key security for 10 years with huge financial incentive to do so.

                Hacks and grifters are in every industry. It’s unrelated to a conversation about passkeys.

                • ShittyBeatlesFCPres@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  arrow-down
                  1
                  ·
                  7 months ago

                  Let me know when the crypto community gets key security perfected so I can buy some glorified airplane points from a guy named catfucker88 or whatever. In the mean time, I’ll use normal cryptography libraries and leave the headassery to others.

              • Aceticon@lemmy.world
                link
                fedilink
                English
                arrow-up
                5
                ·
                7 months ago

                If the key is in the same device that’s being used to access a protected resource over the network, the thing can be potentially be hacked and the key retrieved.

                That’s why there are solutions were the key never leaves a secure hardware device, such as challenge-response authentication were a bank card’s smartchip is used to generate responses to the challenges (with the key never being outside the card) or keydongles that show a variable code, depending on time.

                This is actually pretty old tech.

    • asmoranomar@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      1
      ·
      7 months ago

      From my understanding it’s the concept of trust. Basic passwords are complete trust that both ends are who they say they are, on a device that is trusted, and passing the password over the wire is sufficient and nobody else tries to violate that trust. Different types of techniques over time have been designed to reduce that level of trust and at a fundamental level, passkeys are zero trust. This means you don’t even trust your own device (except during the initial setup) and the passkey you use can only be used on that particular device, by a particular user, with a particular provider, for a particular service, on their particular hardware…etc. If at any point trust is broken, authentication fails.

      Remember, this is ELI5, the whole thing is more complex. It’s all about trust. HOW this is done and what to do when it fails is way beyond EIL5. Again, this is from my own understanding, and the analogy of hardware passwords isn’t too far off.

      • geophysicist@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        4
        ·
        7 months ago

        so it’s basically what a SSH key is? can I not log in to an account from my laptop if I set it up on my phone then? that seems like a massive hassle if it’s the case

        • Spotlight7573@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          7 months ago

          It basically performs the same function as an SSH key (providing public key authentication), yes.

          Your issue with logging in on your phone vs laptop can be solved by either syncing them (like the OS/Browser platforms of Google/Apple/Microsoft or a password manager like Proton Pass/Bitwarden do) or by setting up each device separately (like most people should do with SSH keys). Each method comes with trade-offs: syncing means they aren’t device bound and can potentially be stolen, setting it up on each device can be a pain, etc.

          The important thing to remember is that passkeys don’t need to be the only authentication methods attached to an account. You can use the convenience of a passkey most of the time when it’s possible and then fall back to another method (like a password/TOTP pair) when that’s not available (such as when setting up a new device). There’s also always the standard account recovery options if all else fails, those don’t necessarily go away.

          The other thing to remember is that it’s not trying to be a perfectly secure solution to all authentication everywhere but to replace passwords with something better. Not having to generate and store random passwords with arbitrary complexity requirements, being able to log in with just a tap or a click, and not having anything that needs to be kept secret on the website’s side can be enough of an improvement over passwords to make the change worthwhile.

          • geophysicist@discuss.tchncs.de
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            7 months ago

            If a passkey isn’t device bound, what makes different/better than a complex password? Is it just the standardisation that you mention? Enforcing using passkeys becomes exactly the same as enforcing using complex passwords

            • Spotlight7573@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              7 months ago

              One key benefit regarding hacking: the data that’s passed back and forth between the user’s browser/app and the website/service is a challenge and a response and is no longer sensitive like a password is and the authentication related data (the public key) that the website stores for a user’s account isn’t useful to an attacker.

              One key benefit regarding phishing: passkeys/WebAuthn credentials incorporate the domain name into part of the authentication and it’s enforced by the browser. This means that using a passkey/security key on the wrong site won’t give an attacker anything useful unless they also somehow control the DNS and have a valid TLS certificate to impersonate the site with. This is unlike the situation with a phishing website where a user can be tricked by a fake but convincing looking website into giving over not just a password but a one time code provided through SMS or a TOTP.

              One key benefit regarding usability: The user just has to choose which account to log into from their password manager instead of having it need to autofill correctly on the website (I still run into sites that don’t autofill right). They also don’t need to worry about any specific password complexity requirements or changing passwords in response to breaches or password expiration times.

        • ShittyBeatlesFCPres@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          7 months ago

          You setup passkeys for all your devices with biometric features. I know I have a Yubikey for my desktop, facial recognition on my phone, and a fingerprint reader on my laptop. So, I setup 3 passkeys using biometric (fingerprint or face). I also kept my password and 2FA for now because it’s all new. I wouldn’t recommend jumping in face first.

          I only am using it on a few key sites and partly because I’m a web developer testing it all out. I wouldn’t advise it for the average user at the moment but it’ll mature and many password managers can store passkeys now. As it matures, I’m hopeful it becomes seamless like FaceID and fingerprint readers.

        • asmoranomar@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          7 months ago

          Close, but you are still trusting the device you own. If I were to compromise that device, I could capture that key and use it. Again, this is my limited understanding, but a zero trust solution works in such a way that the actual keys are not stored anywhere. During setup, new temporary keys are generated. A keypass binds to the temporary key for use of authentication. The temporary key can be revoked at any time for any reason, whether it’s due to a breach or routine policies. It can be as aggressive as it needs, and the implication is that if someone else (either you or an attacker) got issued a new temporary key then the other would not receive it. Using an incorrect temporary key would force an initialization again, using the actual keys that aren’t stored anywhere.

          The initialization process should be done in a high trust environment, ideally in person with many forms of vetting. But obviously this doesn’t take place online, so there is the risk that your device is not trusted. This is why the process falls back on other established processes, like 2FA, biometrics, or using another trusted device. How this is done is up to the organization and not too important.

          But don’t get too hooked on the nuances of passwords, keys, passkeys,etc. The entire purpose is to limit trust, so that if any part of the process is compromised, there is nothing of value to share.

          Disclosure: Worked in military and this seems to be a consumer implementation of public/private key systems using vector set algorithms that generate session keys, but without the specialized hardware. It’s obviously different, but has a lot of parallels, the idea in this case is that the hardware binds to the private/public keys and generates temporary session keys to each unique device it communicates with, and all devices can talk with members of it’s own vector set. Capturing a session key is useless as it’s constantly being updated, and the actual keys are stored on a loading device (which is subsequently destroyed afterwards, ensuring the actual key doesn’t exist anywhere and is non recoverable, but that’s another thing altogether). My understanding of passkey systems is solely based on this observation, and I have not actually implemented such a solution myself.

    • Dark Arc@social.packetloss.gg
      link
      fedilink
      English
      arrow-up
      6
      ·
      edit-2
      7 months ago

      Not ELI5 level but…

      If you understand SSH keys, it’s basically the same thing made more general.

      Whatever website (e.g. lemmy.world) has a copy of the public key, they encrypt something with the public key, you decrypt it, reencrypt it with your private key and send it back (where they can then decrypt it and verify what they got back is what they expected). By performing that round trip, you’ve verified you have the correct key, and the “door opens.”

      The net effect is you can prove who you are, without actually giving someone the ability to impersonate you. It’s authentication via “secret steps only you would know” instead of authentication by a fixed “password” (that anyone who hears it can store and potentially use for their own purposes).

      That’s all wrapped up in an open protocol anyone can implement and use to provide a variety of (hopefully) user friendly implementations (like the one Proton made) 🙂

    • Swarfega@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      3
      ·
      7 months ago

      I guess it’s a bit like a bank card with a PIN. You go to pay for something and your card stores your credentials on it. To allow those credentials to be read you need to unlock them using the PIN.