| ▲ | digiown 4 hours ago |
| Passkey/webauthn is a cool tech, and I'd really like to use it everywhere, but I find the anti-user attitudes of the spec authors concerning. The spec contains provisions about "user verification" (the software must force user interaction) and not allowing the user to access the plaintext keys. It appears that the spec authors do not consider the keys to be owned by the user at all. KeepassXC implements passkey support, but they do not implement these anti-user features. As a result, they are being threatened with being banned via attestation: https://github.com/keepassxreboot/keepassxc/issues/10406 https://github.com/keepassxreboot/keepassxc/issues/10407 Screw these "You'll own nothing and be happy" people. I'll own all my keys no matter what. The software I run on my device should never betray me to signal things like "this passkey is allowed to be backed up!". |
|
| ▲ | FreakLegion an hour ago | parent | next [-] |
| I'm replying to this post, but your other posts throughout the thread have similar misunderstandings. User presence tests are an anti-malware feature. The point is that a machine can be compromised without letting bad guys log into your accounts willy-nilly. Is it a super useful feature? No. The bad guys can steal the tokens for accounts you're actively logged into anyway. But that's why the test exists. The whole back and forth about plaintext keys is pretty much people talking past each other. Approximately nobody thinks users shouldn't be able to access their keys in the general case. FIDO just wasn't originally designed for the general case (see Operation Aurora). Now it's playing catch-up. KeePassXC is not "being threatened with being banned via attestation". Attestation requirements are set by the service you're logging into, and KeePassXC is already locked out where those requirements exist (pretty much exclusive to a small number of corporate and government orgs). A random guy from Okta is not threatening to ban KeePassXC. |
| |
| ▲ | digiown 28 minutes ago | parent [-] | | > Approximately nobody thinks users shouldn't be able to access their keys in the general case Citation needed. To me it seems to be the quiet part that they aren't saying out loud. If it's just a consequence of the spec being unfinished, then they shouldn't threaten to ban KeepassXC for this. The purpose of a system is what it does, and commercial passkey implementations lock users out of their credentials and uses it to strengthen vendor lock-in. > Is it a super useful feature? No It's security theater and a way for websites to annoy users unnecessarily. > KeePassXC is not "being threatened with being banned via attestation". https://github.com/keepassxreboot/keepassxc/issues/10406#iss... It's a thinly veiled threat. Making a certification process and refusing to certify KeepassXC is exactly the same as banning it. |
|
|
| ▲ | zamalek 11 minutes ago | parent | prev | next [-] |
| The problem with plain text access (on hardware devices) is that it allows cloning. That is more hostile to users, but it is a stronger security posture. You're supposed to have a backup device somewhere secure, but of course there are many websites that didn't get the memo and only allow a single device. |
|
| ▲ | politelemon 3 hours ago | parent | prev | next [-] |
| > It appears that the spec authors do not consider the keys to be owned by the user at all. This was my impression, and it explains why the original announcement involved companies that would benefit the most from keeping their users on a leash. |
|
| ▲ | cadamsdotcom 3 hours ago | parent | prev | next [-] |
| Agreed, unfortunately. Passwords are easy to understand, transparent and portable, and when used with good hygiene (always using password manager and generating unique & strong passwords for everything) there isn’t yet a strong case for anything else. |
| |
| ▲ | doubled112 2 hours ago | parent [-] | | I’m not happy with everything about passkeys either. I am fine with them as an additional method, but I would never use them as the only method. That said, I had a much easier time getting my kids onboard with a FIDO2 security key than I would have a password manager. Enter your email and touch this is easy to understand. | | |
| ▲ | digiown an hour ago | parent [-] | | One thing it enables is being the sole credential, as in, not needing usernames. It helps with faster logging in and is not prone to security issues caused by browser autofill. This also means sites can allow you to sign up without collecting any more info than registering a passkey, but of course they want to siphon all that data. |
|
|
|
| ▲ | signal11 3 hours ago | parent | prev | next [-] |
| Shafting open source projects that implement your spec is not okay, and is terrible optics. Tech journalists should ask the FIDO Alliance if they’re just Google+Apple+Microsoft in a trenchcoat. Definitely not very open! |
| |
| ▲ | digiown 3 hours ago | parent [-] | | I do get that there are use cases for actual hardware bound keys for enterprise settings. But having non-exportable credentials (effectively non-ownable) is not acceptable in a consumer setting. This is a thinly veiled attempt at strengthening platform lock-in. Look, the spec says you can't export the keys to a file! Too bad, go re-register your 120 websites if you want to stop using iCloud/Google! | | |
| ▲ | Groxx 2 hours ago | parent [-] | | Particularly because "you must use only an approved passkey manager" is fairly easily solved by MDM, which is already widespread. It's DRM, and it will go down exactly the same anti-user and anti-competitive route as every other DRM. Fight it with fervor. |
|
|
|
| ▲ | giancarlostoro 3 hours ago | parent | prev | next [-] |
| How do you even ban something like KeypassXC given that it is open source and any end user could basically edit KeypassXC and bypass a ban? Edit: Reading one of those issues it sounds like they want the keys stored in an encrypted way, is that too much to ask for? I dont care about viewing it but it shouldnt be stored in a plain easy to open JSON. |
| |
| ▲ | hypeatei 29 minutes ago | parent | next [-] | | > they want the keys stored in an encrypted way, is that too much to ask for Well, they are encrypted but the issue is talking about exports. The maintainer of KeepassXC already mentions the issue with that: portability. A backup of such sensitive data (a password manager) is going to be stored somewhere secure (to the user) already. Why would you encrypt the contents and add another layer of complexity that other tools may not be able to handle? I want to be able to rely on those backups in the future and copy paste them around manually if needed. It's user choice, put simply. A specification committee should never be deciding what a user does with their data, period. The security maximalist is always going to advocate for the most secure thing but most of the time that's not practical or friendly to humans. | |
| ▲ | digiown 3 hours ago | parent | prev | next [-] | | That's the thing, they can't yet. They are proposing an attestation scheme. I'm not sure the details are out yet, but the authenticator would presumably use one of the hardware security mechanisms (like a TPM bound key) to "certify" its own authenticity along with the challenge. This will effectively ban all open-source implementations, and end user freedom if widely adopted. Fortunately for us it seems like Apple isn't cooperating here for now, and without Apple signing on, it wouldn't get anywhere. | | |
| ▲ | altairprime an hour ago | parent [-] | | Attestation is not inherently incompatible with open source. Code signing keys are perfectly compatible with open source. You don’t ever commit them to the repo, if they’re even accessible to you at all (vs. in an HSM), and everyone can distinguish your official releases from forks and mods because yours are signed with your key. Attestation is incompatible with having the authority conferred upon upstream automatically inherited by all forks thereof. If you want your fork to have the same authority as upstream, you have to apply for that authority to be recognized and make your case that it deserves that. This is the problem with attestation: that it reintroduces human reputation authorities into the Wild West of computing. If you’re going to argue successfully against attestation, you’ll need to focus on the actual problem rather than the distraction of source code licensing. The same attestation would be necessary whether the app you’re modding is closed source, open source, or a PICO-8 cartridge image: when attestation is in play, everyone knows you’re running a modded version, and they may choose to deny you service over that. That’s the problem attestation poses, and why arguments against passkeys fail so spectacularly to gain traction, by focusing on “open source” (irrelevant) rather than e.g. “right to be modify without being refused service”. | | |
| ▲ | digiown an hour ago | parent [-] | | > right to be different without being refused service You can check my comment history to see the arguments I have against attestation. That's exactly what I argue. It's not an open source problem, it's a user freedom problem, and this is exactly why corporate interests like "open source", but not "free software". Open source is freedom-agnostic: you can use it to hurt users just fine. The current iterations of remote attestation is especially egregious, because most of it is the government itself or an entity the government forces you to deal with (banks). In general I believe remote attestation is actually fine, so long as it does not transcend ownership boundaries. A company can use it to ensure its own colo servers aren't tampered with, for example. But an external authority shouldn't be able to exert control over something I own. In particular there should be no expectation that my device is "trustworthy" in any way at all. Anything else ends privacy and freedom as we know it. |
|
| |
| ▲ | Dedime 3 hours ago | parent | prev | next [-] | | Well, it's stored in an encrypted way - in the encrypted password database. Much like a password, everyone already knows not to share a passkey. But also like a password, as the owner, sometimes I want to look at it! | | |
| ▲ | frizlab 2 hours ago | parent [-] | | Genuine question: why? | | |
| ▲ | mzajc an hour ago | parent | next [-] | | Genuine answers: - because I like backing up my data, especially credentials - because I like looking at how things work in practice - you are on a website called hacker news after all | |
| ▲ | TomasEkeli 2 hours ago | parent | prev [-] | | it's mine. |
|
| |
| ▲ | politelemon 3 hours ago | parent | prev | next [-] | | > ask for That's the key difference. If it mattered, they would make it part of the spec, not threaten a ban. That's even more concerning, there is a central group of people who get to decide who can and cannot use Passkeys. | |
| ▲ | digiown 3 hours ago | parent | prev [-] | | It's an export format. The storage is always encrypted with the database key. And you can view the key directly anyway just like you can view passwords, and copy it from there. |
|
|
| ▲ | AndrewDucker 3 hours ago | parent | prev [-] |
| They don't consider the key to belong to the user. The key is a token generated by the site to allow it to identify a user. In order for them to do perfectly so they do not want users to be able to tamper with them, leak them, or do anything which might violate their assumptions about the key. |
| |
| ▲ | mzajc an hour ago | parent [-] | | No, the private key is generated and stored client-side, and never sent to the server. Even if that wasn't the case, how I store my credentials is none of the websites' business, and my own hardware should do as I say. |
|
