Thoughts on passkeys? #asknostr
Discussion
I've tried them once or twice, but it was too inconvenient in my use case.
I like
Not sure how they provide much security… if someone has one of your devices they could, in theory, by some luck just authorize a login.
I've seen the prompts, but not sure what/how/why etc. Don't know how it works.
The technology is interesting but I fear its net effect is gonna be the ultimate gun to your head by Apple/Google/Microsoft, if you store them there.
Excellent stuff for the UX! It's the only bank account that I don't have to remember my password for.
Roaming passkeys like in iOS, Android and e.g. Bitwarden are very convenient.
Device-bound passkeys like YubiKeys are much more secure, but you need to onboard multiple onto every service in case you lose one. Replacing them is a lot of work.
I'm a big fan and happy to answer questions.
On Linux using Bitwarden, I set up a passkey for Amazon.
1. It only works on the laptop, not on Android. Why?
2. It still requires 2FA, is that necessary?
Make sure your passkey provider is set to Bitwarden in settings. Also, if using Chrome or a variant, I had to go into chrome://flags and set the passkey provider to third party.
1. Also, Android 14 and Google Play services are required. See https://bitwarden.com/blog/bitwarden-passkeys-mobile/ for more details.
2. The service determines whether it requires additional 2FA after sign-in with a passkey. PayPal, for example, requires 2FA despite using a passkey. Most others, like Microsoft etc., do not.
Interesting. I use GrapheneOS without play services so that might be my limiting factor.
Regarding the 2FA, I figured it was an implementation detail, but in your opinion, do you think 2FA is necessary if you're using passkeys?
Bitwarden looks interesting, I haven't used it yet though.
Start today not tomorrow. Bitwarden is amazing. They have a lot of educational content on their YT channel.
What's your rebuttal to the vendor lock-in concern?
Bitwarden is FOSS; worst case scenario, you can migrate the key to a different application.
For the average person on the street, passkeys in Apple/Google are a huge benefit because they mitigate phishing attacks, password reuse, etc. Law enforcement and nation-states are not really a concern for them. But you're right, the vendor lock-in is real. Going through all the passkeys and adding another one when you leave the ecosystem of a single vendor is a lot of work. But as @danny mentioned, you can choose to store them in something like Bitwarden if you need the convenience of a roaming passkey. That's fine for, in my opinion, 90% of services. For my most "valuable assets," I use two hardware tokens from two different vendors. That's my approach: Bitwarden + two different hardware tokens.
I love passkeys
A while ago I looked into passkeys with nostr:npub1qe3e5wrvnsgpggtkytxteaqfprz0rgxr8c3l34kk3a9t7e2l3acslezefe , but the authentication seems to be centralized and even a bit technically complex compared to how we do self-sovereign key creation with Nostr and Bitcoin.
I like the idea but am not familiar with it in practice. If they become standard, maybe it could help more people understand managing their own BTC private keys.
Absolutely!
Been using them in vaultwarden and like the convenience... i am too stupid to know how dangerous it may be, so eh.
I use them mostly with my hardware keys
I don't trust, just from pure reflex. Someone besides me is custodying them. Not your keys, not your ____. I may be wrong but haven't dug into it.
Good reflex. You're directionally right.
essential for Nostr
I've read mixed things about passkeys from "experts". But if it means that fewer people use their dog's name + !1, I'm for it.
Pass
I'm a man who likes freedom and freedom to choose from multiple options for all.
I would use passkeys.
I use KeePassXC and another one. I use it on my phone and I hash and encrypt my archives. I have nearly 10 thousand different passwords. Any compromise and it's a singular loss of one site. My old Yahoo account was a great example. I was SIM swapped and someone got in. Fortunately I did something early on that was so retarded that I called Yahoo and gave them some information that I had that was totally bullshit but unusual.
You know the three-question ruse to recover your accounts. Never give them the real answers: your favorite dog, Mom's birth city or other social engineering facts. These are easy to get. Instead, come up with wildly fake and false information. Have a different one for each account. If you lose this for one account it doesn't matter. If you lose them all it doesn't matter.
I've been practicing this since the late '90s in various forms. I started with 7z archives. I change to anticipate what will no longer be developed. I use only open-source software that is easy to find.
A signing device for very infrequent use might be good until it fails. Often used, it becomes lazy. I also use Syncthing to carry things around. Again, I also change elements to minimize reproduction.
The only secure system is one that is powered down and unplugged. A Linux box or Unix or Windows or Mac, in person, can and will be hacked.
The iPhones that they bragged about not giving up the keys to can be dumped (dd if out) to another storage medium and broken.
Eventually all will be revealed, but there are no secrets to the Lord. The good news is that Satan cannot read your mind and what is in your heart unless you allow him to by opening up doors via porn, alcohol, drugs (marijuana is a great one!).
But I'm retarded. Fortunately God loves us all and even retards can make it.
Shut down the spiritual pathways to demons and technically your opsec will improve tremendously. Any leaks will be fine because the temple you are in care of needs the most protection. All else is just your secular job and as long as it is in service to God it will be protected.
So be it.
Positive thoughts
They're for convenience but people pretend they're for security
Air-gapped encryption on specialized hardware is for security, stuff that's for convenience shouldn't pretend to improve security over shit it doesn't improve security over
Maybe passkeys to a relay window that stores your keys in an encrypted OPFS (Origin private file system) vault with a mix of a pin and FIDO2 HMAC secret ("hmac-secret" extension)
https://docs.yubico.com/yesdk/users-manual/application-fido2/hmac-secret.html
https://levischuck.com/blog/2023-02-prf-webauthn
https://developer.mozilla.org/en-US/docs/Web/API/File_System_API/Origin_private_file_system
I have an old Solid demo with a relay window login
Passkeys sound promising, but I'm curious about the privacy implications. Does anyone know how they handle user data? #asknostr
I use them a lot. Easier and faster, as I always use randomised passwords and emails, but then I hate how much time I waste forgetting passwords, resetting, waiting for the reset… blah blah blah. Is it true they can't be brute-force attacked?
So I assume you only use one device and operating system?
At the moment, yes, but I never use biometrics, mainly a passkey that's stored up top. If there were an easy, universal, safe (decentralised) and cheap way to sign across devices and OSes then I would use it and perhaps venture further. For general internet use convenience is the priority and then safety, because currently for me time is more important than the risk of losing data or access to day-to-day stuff. Is that bad?
Deterministic passkeys, from a seed phrase, yes
e.g. Trezor or BitBox
The problem with device-bound keys (like YubiKey) is the fact your key can be taken away from you
BIP85 is a bit of a miracle
I'm not sure I understand. Can you use a Bitbox as a passkey? https://fidoalliance.org/passkeys/
I was told (by them) they had FIDO2/WebAuthn
Yes, hardware. For the most important services as additional security layer.
So you're using something like a YubiKey for 2FA, not a "full" passkey as supported by Google / Apple / 1Password etc.?
A YubiKey can be used as a passkey (FIDO2/WebAuthn) instead of a password. In my experience most websites use the "security key" as a second factor in addition to a user/password login.
It can also be used to store/generate OTPs (one-time passwords) for 2FA with an alternative authenticator app on a phone/desktop.
I use both methods.
OK, I am starting to understand. Needed to read up on passkeys.
https://www.passkeycentral.org/introduction-to-passkeys/how-passkeys-work
I'm not yet sure if it is a good idea to skip 2FA when a passkey is used (GitHub does this, for example). Also, having your private passkey synced into Apple's iCloud (or similar) worries me a bit, but I need to experiment some more to form an opinion.
I can't zap you for some reason, so I'll have to thank you the old way. DHH is quite on point, as he often is.
Using a Trezor as a passkey works well for SSH, GPG and in the browser.
Anything with biometrics is a hard NO. You can be forced to turn over your biometric information with a warrant; not possible for passwords and PINs.
I have a FIDO like stick that stores my passkeys so I don't know what you mean by biometrics. Probably the fact that phones can also store passkeys?
My main exposure to passkeys has been with my old iPhone, and it was always asking for my Face ID or fingerprint, so I've never even considered using them anywhere else.
I've also always just assumed the physical devices like YubiKey relied on fingerprints, but I guess I've been mistaken on that...
They rely on physical touch, but not fingerprints.
What stick do you use? Is it a full passkey, or just a physical 2FA key?
Prefer using it with bitwarden web. Not so much on phone
Good as a "sustainable innovation" to upgrade password. It is a tool for Google and Apple.
I own some YubiKeys and use them as a second-factor authentication option; they're arguably the most secure form of 2FA. See here for motivation:
https://www.privacyguides.org/en/basics/multi-factor-authentication/#fido-fast-identity-online
It's also a bit more convenient to identify with a permanently plugged-in USB-A YubiKey than with a TOTP app, in my opinion.
I wouldn't want to replace my password manager with them though, as some other people pointed out here you're locked into the passkey provider. So Yubico in this case.
Also make sure to add several YubiKeys or TOTP as a fallback wherever you use them as a second factor, as you can't export the key and you will be locked out if you lose the one key.
Am I the only one who is using Flipper Zero for U2F?