I still think passkeys are kinda stupid
Discussion
Why? Physical keys are best 2FA, no?
Stay away from those physical keys, overpriced, can't be updated, when there's a vulnerability you have to buy a new one, some of them are closed source too. Use an app for 2FAs.
Refuses to elaborate and leaves?
The passkey is stored on the device. If you lose the device, or change device without passkey bacluos, you lose access to all your accounts. Normie will get rekt so hard.
Finally someone said it. Haha
nevent1qqsg4393qlvyj5vk3z5gycnh95udmtludjeu2fnkmy8mpk739wh8ykq7ehfjx
I like them. Especially the physical Yubikey type. Just have to remembered to add backups.
I use the open source u2fzero keys 🫡
The thing is, if they did what they said they did (seed stays on device) they could be quite cool. Like turning phones into hardware wallets.
BUT, they have a “sync” feature in which the content is encrypted so that it can be sent to another device. This would be OK if the encryption key was known only to the recipient device…
BUT, the encryption key is actually your PIN. The intermediary (Apple, etc.) holds the “encrypted” payload, so that if you lose your phone, you can get a new one, download the encrypted passkey DB, and decrypt it with your same PIN.
This search space is incredibly tiny (4-6 digits). So any attacker with access to the encrypted payloads can easily brute force it to get everything. So the security of your sync’d passkeys is entirely reliant on the intermediary.
It’s “trust me bro” security masquerading as sovereignty.
Passkeys are cool because they're locked to a domain, which prevents phishing.
Passkeys are cool because you can secure them with a phone's secure element or on a device like a yubikey.
I would not, however, recommend storing passkeys in a software-only password manager.
Is that really what we need? To lock people's access to things in their phones that can be lost or break anytime? Or they (and services) have to go through infinite undocumented hops for things to work in other ways?
Besides that it's proprietary technology with a 300-page or more spec that is impossible for normal people to implement but they try to sell it as an open protocol or something.
What’s an alternative?
I've been asked to set them up on a few websites now. Haven't used yet. Did some quick research, but need to learn more. Public/Private key pair, but yeah a password manager would be a good possible option, other than that... IDK.