| ▲ | arjie 9 hours ago |
| Passkeys have way too many footguns for me. If I use my phone to sign in I'm going to accidentally create a passkey there on iOS embedded webview. When I use Google Chrome, the website won't give me any information for me to find where I stored the passkey. Was it in iOS keyring? Chrome? My Bitwarden? If I had any discipline around this it would make sense but if I accidentally double tap on the screen I've got a passkey and it's stuck on my phone. I'm sure it's of use to many people but it's been no end of pain for me and it has really signaled to me what it's like to grow into an old man unable to use computers when I was once a young man who would find this easy. |
|
| ▲ | lxgr 3 hours ago | parent | next [-] |
| Passkeys on iOS and macOS actually work quite well in that regard. They get stored in your provider of choice across the web, web views, apps etc., at least in my experience. Mine is Bitwarden, and that's available on pretty much all platforms, natively where available (except on macOS currently), as a browser extension otherwise. For the rare instance in which I need to authenticate using a passkey on a computer where I'm not logged into Bitwarden, there's the cross-device CaBLE flow where I can scan a QR code with my phone and use Bitwarden to authenticate. This works across OSes and browsers. |
| |
| ▲ | javier2 2 hours ago | parent [-] | | except... i store my password for work in bitwarden, so I dont want to also keep my work passkeys in the same place. For my personal stuff, that is a risk I can live with so far, but for work it seems dumb. | | |
| ▲ | lxgr 41 minutes ago | parent [-] | | Yeah, definitely don’t mix work and personal credentials. But many password managers allow using different accounts/vaults on one machine. |
|
|
|
| ▲ | cedws 5 hours ago | parent | prev | next [-] |
| There’s another foot gun I wrote about recently: https://cedwards.xyz/passkeys-are-not-2fa/ |
| |
| ▲ | dwedge 5 hours ago | parent | next [-] | | I was reading your other blog post about storing them in bitwarden I have to disagree with this point: > Unless you were forced to by some organisational policy, there’s no point setting up 2FA only to reduce the effective security to 1FA because of convenience features. 2FA both stored in your password manager is less secure than storing than separately, but it still offers security compared to a single factor. The attack methods you mentioned (RAT, keylogger) require your device to be compromised, and if your device is not compromised 2fa will help you. To slip into opinion mode, I consider my password manager being compromised to be mostly total compromise anyway. Also I really like the style and font of your blog. | | |
| ▲ | TacticalCoder an hour ago | parent [-] | | > To slip into opinion mode, I consider my password manager being compromised to be mostly total compromise anyway. But how is that no the entire point? If your 2FA is a proper device, like a Yubikey, the attack surface is tinier than tiny and the device ensures that your secret never leaves the device. We did see cases of passwords managers getting compromised. We haven't seen yet a secret being extracted from a Yubikey. So where you say you consider that your software (password manager) getting compromised is total compromise, we're saying: "as long as the HSM on a Yubikey does its job, we have actual 2FA and there cannot be a total compromise". |
| |
| ▲ | JasonADrury 3 hours ago | parent | prev | next [-] | | This isn't a footgun, you just have absurd security requirements. >It should be pretty obvious that using a passkey, which lives in the same password manager as your main sign-in password/passkey is not two factors. Setting it up like this would be pointless. You simply do not need two factors with passkeys. Using passkeys is not pointless, they are vastly more secure than most combined password+2fa solutions. There are extremely few contexts where an yubikey would be meaningfully safer than the secure element in your macbook. | | |
| ▲ | YmiYugy an hour ago | parent | next [-] | | How is it not 2FA? It's MacBook + Fingerprint. | | |
| ▲ | JasonADrury an hour ago | parent [-] | | It's not 2fa if you assume some catastrophic exploit chain that allows an attacker to dump your macbooks secure element. I don't think that's a reasonable assumption for most people, and you're screwed in that situation even if you use yubikeys. |
| |
| ▲ | gregoriol 3 hours ago | parent | prev [-] | | 2FA is more secure than 1FA even if that one has a high security level | | |
| ▲ | nixpulvis 2 hours ago | parent | next [-] | | To be clear. Proper 2FA, via something like a smartcard or any truly external device is still much more secure. You could have one of those factors be a passkey, that's fine, and may be a good idea. But there are UX issues with passkeys as well, that aren't all well addressed. My biggest gripe is that there is often no way to migrate from one passkey provider to another, though apparently there may be a standard for this in the works? | |
| ▲ | Genbox 2 hours ago | parent | prev | next [-] | | Are you saying that two weak factors are more secure than one strong factor? | | |
| ▲ | lazide 2 hours ago | parent [-] | | Not who you are replying too. But a yubikey is not a weak factor. In fact, it’s not even meaningfully more secure than passkey (as passkey is designed) - passkey is, however, more convenient. So it’s more ‘one weak factor + (really times) one medium/strong factor’ vs ‘one medium/strong factor’. Which yes, the first one is better in every way from a security perspective. At least in isolation. The tricky part is that passkeys for most users are way more convenient, meaning they’ll actually get used more, which means if adopted they’ll likely result in more actual security on average. Yubikeys work well if you’re paying attention, have a security mindset, don’t lose them, etc. which good luck for your average user. |
| |
| ▲ | PunchyHamster 3 hours ago | parent | prev | next [-] | | if 2fa is "use the second factor that's on same device as first factor" (like when using phone apps in many cases, password + 2fa from email/sms/authenticator app on same device), I disagree. | |
| ▲ | JasonADrury 2 hours ago | parent | prev [-] | | Nonsense, depends entirely on the value of the authentication factor. |
|
| |
| ▲ | lxgr 3 hours ago | parent | prev | next [-] | | > It should be pretty obvious that using a passkey, which lives in the same password manager as your main sign-in password/passkey is not two factors. Setting it up like this would be pointless. If your password manager is itself protected by two factors, I'd still call this two-factor authentication. | |
| ▲ | FreakLegion 4 hours ago | parent | prev [-] | | Passkeys are meant to replace passwords. Not being second factors is the point. | | |
| ▲ | lxgr 3 hours ago | parent | next [-] | | Passkeys can absolutely constitute two factors. At least the iOS and Android default implementations back user verification (which the website/relying party can explicitly request) with biometric authentication, which together with device possession makes them two factor. | | |
| ▲ | FreakLegion 2 hours ago | parent [-] | | That's not what two-factor means. Forget about passkeys -- if you use a password manager, and that password manager has a biometric lock, your accounts don't thereby have a biometric lock as a second factor. The transitive property doesn't apply here. | | |
| ▲ | lxgr 42 minutes ago | parent [-] | | I’d say it does apply transitively, but only if the weakest link itself is also strong enough, and passwords are not. |
|
| |
| ▲ | embedding-shape 3 hours ago | parent | prev [-] | | Someone gotta tell all these SaaS about that if so, because currently everyone is treating Passkeys as an alternative to 2FA. Take a look at how GitHub handles it for example when you use TOTP, they'll ask you to replace TOTP with passkeys. | | |
| ▲ | vladvasiliu 3 hours ago | parent [-] | | Many do what you describe, probably because some manager somewhere needs to tick some checkbox. But GitHub, specifically, allows you to sign in with a passkey. On the sign-in page, there's a "sign in with passkey" link. It activates my 1Password extension, asking if I want to use my passkey. I say yes, and I'm in, I don't type anything. This also works the same way with my YubiKey. |
|
|
|
|
| ▲ | shaky-carrousel 4 hours ago | parent | prev | next [-] |
| I truly don't see the advantage of passkeys over a password manager like bitwarden, with random passwords. |
| |
| ▲ | pibaker 4 hours ago | parent | next [-] | | The main benefit is you will never put your passkey on a phishing site. Password managers provide some protections against it because if they do not work automatically on a website you know something is fishy, but sadly many websites have botched their password input so even with a password manager you may still need to manually copy and paste (or even type, if pasting is disabled) the password. The problem is whether or not the benefit outweighs the additional risks introduced — losing account access when you lose a device, furthering device lock down, difficulty transferring the passkey between devices, UX degradation due to bad implementation. In my opinion the answer is no and I am sticking with my passwords. | |
| ▲ | bryantwolf 4 hours ago | parent | prev | next [-] | | The advantage is that the password never leave the device. It has a public key and signs challenges with the private key but nothing sensitive goes over the wire on every login | | |
| ▲ | valenterry 4 hours ago | parent [-] | | It should be noted that that is not an inherential advantage of passkeys over passwords. It is possible to achieve the same with passwords, e.g. by using a hash-cascade. | | |
| ▲ | lxgr 3 hours ago | parent | next [-] | | Sure, but then you still need a protocol between user agent and website. If you just do this in Javascript, you're not protected against phishing sites just forwarding the password entered directly. Passkeys can in fact be backed by exactly this, i.e. a HMAC-only stateless implementation backed by a single password: https://github.com/lxgr/brainchain | |
| ▲ | mi_lk 4 hours ago | parent | prev [-] | | is it fair to say all passkey implementations have this advantage while only some password implementations can match? | | |
| ▲ | simoncion 3 hours ago | parent [-] | | It is absolutely unfair to say it. Just like passwords stored in a password manager, passkeys can be copied out of the device for safekeeping. Because you can copy them out, a user can be induced to give them to someone. I saw passkey boosters go very, very rapidly from "Passkeys are immune to phishing!" to "Passkeys are phishing resistant!" when lots of real-world people started using passkeys and demonstrated that you absolutely must have a way to back them up and move them around. | | |
| ▲ | lxgr 3 hours ago | parent [-] | | > passkeys can be copied out of the device for safekeeping You can't copy them out on at least the iOS, Android, and (to my knowledge) Windows default implementations. > lots of real-world people started using passkeys and demonstrated that you absolutely must have a way to back them up and move them around. Millions of people use them without being able to move them around in the way you describe. | | |
| ▲ | simoncion 3 hours ago | parent [-] | | > You can't copy them out on at least the iOS, Android, and (to my knowledge) Windows default implementations. Pardon? The official support docs disagree with you [0][1][2]. They absolutely leave the device. Other passkey managers let them leave the device in a way that you control, but even the default ones copy them off the system they were created on. [0] <https://support.google.com/accounts/answer/6197437?hl=en&co=...> [1] <https://support.apple.com/guide/iphone/passwords-devices-iph...> [2] Examine the "Can I use passkeys across multiple devices?" Q and its A here: <https://support.microsoft.com/en-us/windows/passkeys-frequen...> | | |
| ▲ | lxgr 3 hours ago | parent [-] | | Yes, they're synchronized, but I wouldn't call that "copying them out", as that to me implies somehow getting access to the raw private key or root secret bytes. Both Apple and Google have pretty elaborate ceremonies for adding a new device to an existing account in a way that synchronizes over passkeys. | | |
| ▲ | simoncion 2 hours ago | parent [-] | | > ...as that to me implies somehow getting access to the raw private key or root secret bytes. When passkeys were first introduced, they were 100% stuck to the device that they were created. There was absolutely no real way to copy them off. This is when proponents were -correctly- making the claim that they were immune to phishing. When lots of users (who -notably- were not supported by whole-ass IT departments who set up and run systems that handle provisioning and enrolling new devices) started using passkeys, the correctness of the thing that many non-boosters were screaming ("You have to have a way to back these up and move them between devices!") became abundantly clear. Passkeys became something that could be copied off of devices, and proponents -correctly- switched to the claim "Passkeys are phishing resistant". Once things switched around so that passkeys were no longer stuck on a single device, third-party managers got the ability to manage and copy passkeys. [0] Hopefully it's now clear that the shift from "they never leave the device" to "they do leave the device" (and the consequences of this change) is what I'm talking about. [0] At least, they will for the next five, ten years until the big players decide that it's okay to use attestation to lock them out to "enhance security". |
|
|
|
|
|
|
| |
| ▲ | red_admiral 3 hours ago | parent | prev [-] | | They're more accessible to people who don't understand computer security? |
|
|
| ▲ | weird-eye-issue 9 hours ago | parent | prev | next [-] |
| Embedded webviews are the stupidest thing ever. Yesterday I got halfway through a checkout process, had to go back to another app to check something, and then the webview simply disappeared so I didn't bother finishing the checkout. This was on Android Usually I open it in Chrome but for some reason I didn't realize it was a webview this time |
| |
| ▲ | OptionOfT 8 hours ago | parent | next [-] | | Embedded WebViews are a way to track you: https://news.ycombinator.com/item?id=32514793 | |
| ▲ | mgrandl 7 hours ago | parent | prev | next [-] | | I disable them on every app that lets me. It is in every way worse UX than simply opening the browser. | |
| ▲ | dgxyz 4 hours ago | parent | prev [-] | | God yes that. Our VPN client fell over the other day because the auth popup opens an embedded web browser which throws a javascript error as it's bouncing through our ID provider pages. How the fuck we got there I don't know. Everything is a gigantic Heath Robinson contraption. |
|
|
| ▲ | EnPissant 8 hours ago | parent | prev | next [-] |
| You can just use bitwarden everywhere if you are ok with it in the cloud. |
| |
| ▲ | arjie 8 hours ago | parent | next [-] | | I do use Bitwarden everywhere but a couple of times the passkey prompt doesn't show it. I think that's how I got the webview for one of my google accounts stored in iOS keychain. | |
| ▲ | mkehrt 7 hours ago | parent | prev | next [-] | | Tell that to my mom who has created a bunch of passkeys all over the place without knowing what they are. I'm trying to unwind it but it's a mess. | | |
| ▲ | goku12 6 hours ago | parent [-] | | Passkeys are an antipattern in UX design. You want to make it simple for the users? Great! But stop treating them as too stupid to decide anything on their own. Stop locking them out of the decision loop and doing things behind their back. This is practically the corporate design philosophy of the past two decades. You can see this a lot in smartphone design. I keep asking what advantages passkeys offer over TLS self-signed client certificates. I haven't got any answers so far. Perhaps increase the security by encrypting the private key with a password or an external token. This is safe, like SSH and unlike regular passwords, because no secrets are sent to the server. TLS certs and (encrypted) keys are more tangible and easier to manage. Perhaps passkeys do offer some advantages over TLS certs. But can't those be added to TLS, rather than rollout an entirely new system? The infuriating part is that this facility exists in browsers. They just let it rot to an extend that it's practically unusable. Meanwhile, Gemini browsers are using it quite successfully (for those who use Gemini). | | |
| ▲ | cyberax 6 hours ago | parent [-] | | Passkeys ARE self-signed certs. You can store their private key on a hardware token, but you don't have to. Their only difference is the automated provisioning. | | |
| ▲ | goku12 4 hours ago | parent [-] | | > Passkeys ARE self-signed certs. So they took something that works well and created a bad UX around it, while ignoring the working, yet languishing UI/UX that was already around? | | |
| ▲ | lxgr 3 hours ago | parent | next [-] | | You can't be seriously claiming that self-signed PEM certificates were working well. I've been using them for years in various contexts, and they're an absolute nightmare. Despite all their faults, for the average user, Passkeys are still miles ahead of GnuPG card, PIV, PKCS#15 etc. | | |
| ▲ | goku12 an hour ago | parent [-] | | Please check how the client certificate interface of Lagrange, the Gemini browser, works. It's nowhere as complicated as you make it out to be. No passkey interfaces I've seen is as clear as this one. It automatically provisions the certificate (optional. You can share certs among services if you prefer) and associates it with the correct service. So no complicated stuff. It prompts you at the correct time for permission in the clearest way possible. It's like an integrated password manager where your credentials are just files - sort of. That's all that a regular user needs to know about them. It can be exported, imported, backed up, synced, and what not. Gemini strives to finish an entire request in a single transaction. So TLS certs are really the only option for authentication. That's how I learned the elegance of TLS client authentication workflow and started asking why this is so neglected in web browsers. | | |
| ▲ | lxgr 44 minutes ago | parent [-] | | TLS based authentication is even worse. It’s the wrong layer in today’s Internet, given Cloudflare, load balancers etc. Not everybody trusts whatever first hop terminates TLS to also do authentication, and it completely falls flat at non-repudiation for transaction approval. |
|
| |
| ▲ | lxgr 3 hours ago | parent | prev | next [-] | | You can't be seriously claiming that self-signed PEM certificates were working well. I've been using them for years in various contexts, and they're an absolute nightmare. Despite all their faults, for the average user, Passkeys are still leagues ahead of GnuPG card, PIV, PKCS#15 etc. | |
| ▲ | cyberax 4 hours ago | parent | prev [-] | | Self-signed certificates are in the 'barely working' state. They operate on a wrong protocol level, and they can't be provisioned by the website itself. If you try to describe how you _want_ the TLS client certificate UI to work, you'll end up with passkeys. | | |
| ▲ | goku12 4 hours ago | parent | next [-] | | Okay. So they took a solution that was in a barely-working state due to their deliberate neglect, and still managed to give a bad new UX when they got the opportunity to rework it? | |
| ▲ | 0x0 2 hours ago | parent | prev [-] | | > "they can't be provisioned by the website itself." It's funny, we used to have a html tag that would exactly that: <keygen /> |
|
|
|
|
| |
| ▲ | rstat1 8 hours ago | parent | prev [-] | | Doesn't need to be in the cloud for it work everywhere. | | |
|
|
| ▲ | madduci 6 hours ago | parent | prev [-] |
| For this reason I am avoiding it like a plague. It is an additional way to fingerprint your activity and the scenarios where you migrate your passkeys from a device to another seems not really well "oiled" |
| |
| ▲ | lxgr 3 hours ago | parent [-] | | How can passkeys be used to fingerprint you? The WebAuthN extension goes to pretty great lengths to avoid fingerprinting. |
|
