undefined | Better HN

0 pointsdfabulich1y ago0 comments

People keep trying to answer this question, so I'll try, too, but I'm going to do a better job than anyone else. ;-)

Passkeys are randomly generated passwords that are required to be managed by a password manager. All the major password managers support them, including Apple, Google, Microsoft, Mozilla, and 1Password.

By requiring the passkey to be managed by a password manager, you get some anti-phishing protection. A passkey includes metadata, including the website domain that created it, and the password managers simply won't provide the passkey to the wrong domain. They provide no way for you to copy and paste the passkey into a website, as you can with a password; there's no social-engineering technique someone can use to get you to copy and paste your passkey to an enemy.

A passkey manager is morally required to do an extra factor of authentication (e.g. fingerprint, Face ID, hardware keys, etc.) when you login to a website, but the website has no way of knowing/proving whether that happened; they just get the password.

You reset your passkey the same way you reset your password, because passkeys are just passwords that have to be managed with a password manager. Some sites make it easy to reset your password, some make it hard. You know the drill; there's nothing new or different there.

If you're happy with your password manager, there's no real need to switch, but even very "sophisticated" password users have been known to fall prey to social-engineered phishing attacks.

Are you sure you're never going to copy-and-paste your password into the wrong hands? I don't trust myself that much.

Passkeys can make it harder to switch password managers because the password managers are designed not to let you copy-and-paste a passkey, including from Google's Password Manager to Apple's Password Manager. I think all the password managers kinda like that, and there's something good and bad about it.

0 comments

red_admiral1y ago

I'm assuming tech people would also like to know that a passkey is not just "a really long password" but also one that's never sent to the server directly - instead it's used in a challenge/response protocol (like SSH keys). Which requires software, either the browser or an external password manager, to run.

I think that's what you're getting at in paragraph 3?

There's no reason you couldn't have an open source passkey manager that allows you to backup and view the key if you really want to. SSH works just fine that way.

Xelynega1y ago

It's up to the server whether it uses it in challenge-response or not. That's application-specific behaviour that's past the definition of passkeys themselves.

The reason you couldn't have an open source passkey manager that allows backup is that it wouldn't be a "passkey manager" then, just a password manager. To be a passkey it seems to require that it can't be exported/viewed other than by the website it was created for(even by the user).

tsimionescu1y ago

> The reason you couldn't have an open source passkey manager that allows backup is that it wouldn't be a "passkey manager" then, just a password manager. To be a passkey it seems to require that it can't be exported/viewed other than by the website it was created for(even by the user).

That's simply false, and there are passkey managers that allow this - KeePassXC for example.

kxrm1y ago

> even by the user

Perhaps this is something I shouldn't be feeling, but this bothers me and I do not know why.

I can see that you might not want it exposed to the user to prevent social engineering but at the same time, if I can't view then I don't feel like I actually own it. Is there a mechanism that might exist to help me not feel this way? I am totally new to passkeys as a concept as well, but I understand the larger goal.

2 more replies

red_admiral1y ago

It feels ... suspicious ... to me that in 2024, we're designing a new authentication scheme explicitly around resident keys, but challenge-response is optional. Credentials in any new protocol should never be sent over the wire, period.

jackson14421y ago

> It's up to the server whether it uses it in challenge-response or not. That's application-specific behaviour that's past the definition of passkeys themselves.

Do you have a source for this? After reading the W3 spec[0] this seems entirely antithetical to the Passkey model and additionally raises concerns about the integrity of hardware mfa devices.

[0]: https://w3c.github.io/webauthn/

discardedrefuse1y ago

> Passkeys can make it harder to switch password managers because the password managers are designed not to let you copy-and-paste a passkey, including from Google's Password Manager to Apple's Password Manager.

This part right here is what I fear the most about Passkeys. I've read too many horror stories of people getting banned from Google (often for no valid reason) and losing access to all of their data. It is absolutely insane to hand over all your passwords to a company like this.

mingus881y ago

I have been using passkeys for a while in the form of yubikeys

Best practice is to register two keys to every website. Keep one physically in a safe.

With password managers I would say the same basic practice applies. Make sure you have a working offline backup of whatever secrets you hold dear.

There are some sites that only allow you to register a single passkey for an account (AWS Console last I checked) but these should be getting fixed as it becomes more popular

Thrymr1y ago

> Best practice is to register two keys to every website. Keep one physically in a safe.

Well, this sounds convenient. Keep the second one in a safe, but register a key to it for every website you use.

Is this a practice we actually believe users will carry out?

1 more reply

mac-mc1y ago

> By requiring the passkey to be managed by a password manager, you get some anti-phishing protection. A passkey includes metadata, including the website domain that created it, and the password managers simply won't provide the passkey to the wrong domain.

There are so many apps that don't get this right. Make a login on the website, store it in 1password, and then try to login in their mobile app and it doesn't show up as a password because the associated URL is mismatched on the mobile app. Like mybank.com and auth.mybankmobileapi.com

mingus881y ago

1password has a URL field. All you have to do it add the extra URLs

Better yet, while on mobile, search for the entry of the desktop site and have it fill. 1password will ask if you want to update the entry for this site

nullfield1y ago

Except they ignore subdomains. Unless you fix that on a per-item basis, in their desktop application.

I think, finally, that the reason this feels so dirty-apart from companies and lock-in and all-is that it’s taking the “something you know” as one auth factor and turning it into something that, not only do you not know, the big goal of is to make sure you can’t know but something you have.

al_borland1y ago

I have been using 1Password for over 15 years and it has the ability to only show/fill passwords when on the correct site. The issue is, over time, companies shift their strategies on the web. URLs change, while the accounts stay the same. I have had to update these details many times. I've also run into situations where the browser plugin isn't functioning, for whatever reason, and the only way in is to copy/paste. There are also times where I'm not on my computer. For example, I usually piggyback on my dad's copy of TurboTax each year. When I'm over there, I will often need to pull up a password on my phone and type it into TurboTax as it logs into my bank to download the tax forms. Passkeys don't sound like they can solve that problem. I'd question if the Passkeys would work in TurboTax even if I was running it on my own computer.

With passwords and logins, it seems like there are far too many edge cases to draw a hard line to say they are locked in the password manager forever. Having a way to copy it out, or export, is also a way to ensure portability, if the password manager being used ever becomes bad and a different option is needed.

Password managers put users in a vulnerable position, as once a user is invested, they've got you by the short hairs. The thing that keeps this from being a big problem, is that there is always a way out. Eliminating this way out, or raising the barrier to exit, can temp these password managers to extort their users, which is not good.

closeparen1y ago

Passkeys are signing a challenge using a captive secret, right? The relying party doesn't get the secret.

snowwrestler1y ago

You can have multiple passkeys per username.

This is a huge difference from regular passwords, and the source of a lot of confusion about lock-in.

You can’t easily move a passkey out of the service managing it—true. But you should be able to easily add another passkey from another service. Then you deactivate the first passkey.

It’s a different mental model and the key is in the name. Passkeys are like keys. You can have more than one.

tsimionescu1y ago

It's not a problem of mental model, it's a problem of scale. If I'm switching phone, the last thing I want to do is to go to every website I have an account on and essentially do a second sign up. This is simply a non-starter, and is a big part of why companies like Apple and Google are pushing for this spec: it nicely ties you in to their ecosystem and gives you a huge reason not to move to a different ecosystem.

CogitoCogito1y ago

Do you know if there an open source self-hosted implementation available?

t0asterb0t1y ago

KeePassXC supports passkeys in its latest version: https://keepassxc.org/blog/2024-03-10-2.7.7-released/

pixelHD1y ago

I use selfhosted vaultwarden [0] instance (its a rust implementation of the bitwarden server), and the bitwarden apps (i point the apps to use my server instead of bitwarden).

Vaultwarden + bitwarden client apps (for desktop/browsers) have passkey support, and i've been using them for a month or two without any issues.

That being said, bitwarden client apps for android and ios are going through a rewrite (from xamarin to native iirc), and are yet to support passkeys. However, the bitwarden folk said passkeys are the next feature coming to these apps.

[0]: https://github.com/dani-garcia/vaultwarden

ar-jan1y ago

https://github.com/protonpass

Also see https://proton.me/blog/big-tech-passkey

caconym_1y ago

Bitwarden, which you can self-host (I do this) seems to have at least partial support now, and I know they're working on improving it. However, I'm not sure if their client and server are both fully FOSS.

zie1y ago

They are, but you have(?) to have a license to run the OSS server code.

https://github.com/bitwarden/server

Like the other commenter mentioned, vault warden is the independent server version that doesn't require any of that.

khimaros1y ago

vaultwarden at the very least is libre

iknowstuff1y ago

Strongbox for iOS/macOS. Uses the keepass file format

yonatan80701y ago

So passkeys are essentially like SSH keys but for web/app logins

toomuchtodo1y ago

They are a pleasant and improved UX for the equivalent of X.509 PKI primitives.

https://en.wikipedia.org/wiki/X.509

zie1y ago

Well, different anyway.

red_admiral1y ago

... with some of the functionality of SSH keys removed, like being able to use one key for many accounts, or many keys (on many machines) all for the same account.

At least that's how I understand it.

barryp1y ago

I think you're right about the first part...a passkey being tied to a single account on a single site.

But not the second: on Github for example you can have multiple passkeys for the same account.

2 more replies

Xelynega1y ago

Unless I'm missing something these are nothing like SSH keys. They would be closer to regular password auth with SSH where you store the password in a file that's only readable by SSH.

SSH keys are asymmetric such that I can make a public half available publicly and then use that to generate signatures of any challenge the server sends.

With passkeys either the server needs to store the value raw(making it susceptible to data breaches or malicious actors), or store the hashed value(making it impossible to do a challenge-response, and making it susceptible to MITM/replay attacks).

It seems to be all the downsides of SSH keys(aka losing it having implications), with none of the upsides, plus additional downsides(hardware devices can only generate 25 unique ones instead of using 1 and sending the public to all services with confidence it hasn't exposed any private info).

1 more reply

torstenvl1y ago

> there's no social-engineering technique someone can use to get you to copy and paste your passkey to an enemy

This is a deep, fundamental flaw in passkeys. It's just another example of enshittification disguised as denying end-user control "for their own good." There is no for-profit organization anywhere that I trust more than I trust myself, and there's no threat model where it's more likely I'll be socially engineered into giving up my long random password than that I'll suffer data loss.

psd11y ago

Good for you; I'm ashamed to say that I've hurt my data sanctity far more than any criminal has, with 2am tinkering with my systems.

I have vaultwarden at home but I don't use it because I just know I'll fuck up my tunnel while I'm travelling or something.

This is my threat model: "hi mum. I need you to drive to my house and fish a keyboard out of the cupboard. Plug it into the big black box and type exactly what I tell you..."

1 more reply

iknowstuff1y ago

Then use a password manager that allows it

1 more reply

Angostura1y ago

Thank you. Very helpful

j / k navigate · click thread line to collapse

0 comments

red_admiral1y ago

I think that's what you're getting at in paragraph 3?

There's no reason you couldn't have an open source passkey manager that allows you to backup and view the key if you really want to. SSH works just fine that way.

Xelynega1y ago

It's up to the server whether it uses it in challenge-response or not. That's application-specific behaviour that's past the definition of passkeys themselves.

tsimionescu1y ago

That's simply false, and there are passkey managers that allow this - KeePassXC for example.

kxrm1y ago

> even by the user

Perhaps this is something I shouldn't be feeling, but this bothers me and I do not know why.

2 more replies

red_admiral1y ago

jackson14421y ago

> It's up to the server whether it uses it in challenge-response or not. That's application-specific behaviour that's past the definition of passkeys themselves.

Do you have a source for this? After reading the W3 spec[0] this seems entirely antithetical to the Passkey model and additionally raises concerns about the integrity of hardware mfa devices.

[0]: https://w3c.github.io/webauthn/

discardedrefuse1y ago

mingus881y ago

I have been using passkeys for a while in the form of yubikeys

Best practice is to register two keys to every website. Keep one physically in a safe.

With password managers I would say the same basic practice applies. Make sure you have a working offline backup of whatever secrets you hold dear.

There are some sites that only allow you to register a single passkey for an account (AWS Console last I checked) but these should be getting fixed as it becomes more popular

Thrymr1y ago

> Best practice is to register two keys to every website. Keep one physically in a safe.

Well, this sounds convenient. Keep the second one in a safe, but register a key to it for every website you use.

Is this a practice we actually believe users will carry out?

1 more reply

mac-mc1y ago

mingus881y ago

1password has a URL field. All you have to do it add the extra URLs

Better yet, while on mobile, search for the entry of the desktop site and have it fill. 1password will ask if you want to update the entry for this site

nullfield1y ago

Except they ignore subdomains. Unless you fix that on a per-item basis, in their desktop application.

al_borland1y ago

closeparen1y ago

Passkeys are signing a challenge using a captive secret, right? The relying party doesn't get the secret.

snowwrestler1y ago

You can have multiple passkeys per username.

This is a huge difference from regular passwords, and the source of a lot of confusion about lock-in.

You can’t easily move a passkey out of the service managing it—true. But you should be able to easily add another passkey from another service. Then you deactivate the first passkey.

It’s a different mental model and the key is in the name. Passkeys are like keys. You can have more than one.

tsimionescu1y ago

CogitoCogito1y ago

Do you know if there an open source self-hosted implementation available?

t0asterb0t1y ago

KeePassXC supports passkeys in its latest version: https://keepassxc.org/blog/2024-03-10-2.7.7-released/

pixelHD1y ago

I use selfhosted vaultwarden [0] instance (its a rust implementation of the bitwarden server), and the bitwarden apps (i point the apps to use my server instead of bitwarden).

Vaultwarden + bitwarden client apps (for desktop/browsers) have passkey support, and i've been using them for a month or two without any issues.

[0]: https://github.com/dani-garcia/vaultwarden

ar-jan1y ago

https://github.com/protonpass

Also see https://proton.me/blog/big-tech-passkey

caconym_1y ago

zie1y ago

They are, but you have(?) to have a license to run the OSS server code.

https://github.com/bitwarden/server

Like the other commenter mentioned, vault warden is the independent server version that doesn't require any of that.

khimaros1y ago

vaultwarden at the very least is libre

iknowstuff1y ago

Strongbox for iOS/macOS. Uses the keepass file format

yonatan80701y ago

So passkeys are essentially like SSH keys but for web/app logins

toomuchtodo1y ago

They are a pleasant and improved UX for the equivalent of X.509 PKI primitives.

https://en.wikipedia.org/wiki/X.509

zie1y ago

Well, different anyway.

red_admiral1y ago

... with some of the functionality of SSH keys removed, like being able to use one key for many accounts, or many keys (on many machines) all for the same account.

At least that's how I understand it.

barryp1y ago

I think you're right about the first part...a passkey being tied to a single account on a single site.

But not the second: on Github for example you can have multiple passkeys for the same account.

2 more replies

Xelynega1y ago

Unless I'm missing something these are nothing like SSH keys. They would be closer to regular password auth with SSH where you store the password in a file that's only readable by SSH.

SSH keys are asymmetric such that I can make a public half available publicly and then use that to generate signatures of any challenge the server sends.

1 more reply

torstenvl1y ago

> there's no social-engineering technique someone can use to get you to copy and paste your passkey to an enemy

psd11y ago

Good for you; I'm ashamed to say that I've hurt my data sanctity far more than any criminal has, with 2am tinkering with my systems.

I have vaultwarden at home but I don't use it because I just know I'll fuck up my tunnel while I'm travelling or something.

This is my threat model: "hi mum. I need you to drive to my house and fish a keyboard out of the cupboard. Plug it into the big black box and type exactly what I tell you..."

1 more reply

iknowstuff1y ago

Then use a password manager that allows it

1 more reply

Angostura1y ago

Thank you. Very helpful

j / k navigate · click thread line to collapse