Sadly, the support for passkeys is still lacking.

    • Synapse@lemmy.world
      link
      fedilink
      arrow-up
      25
      ·
      4 months ago

      As I understand it, instead of the website or online service storing your password (in a, supposedly secured way), with passkey your password manager stores a private key and the online service stores a public key (or rather a lock). The key and the lock are paired together cryptographically (mathematical functions that are non-reversible). Now when you login with passkey, the service sends a challenge generated from the lock, that can be solved only with the matching private key, your password manager solves the challenge and your authenticated. Locks and keys were not exchanged during the process, and services never store your key. Everything happens automagically.

      It actually uses the same protocol used is some hardware security keys such as Yubikey and Solokeys. The problem remains the same as with hardware security keys, adoption and support, compatibility. It’s very rare that a service supports these options, although they exist for a while.

      Anyone feels free to correct me if I wrote something wrong. I am by no mean an expert.

      • cron@feddit.orgOP
        link
        fedilink
        arrow-up
        16
        ·
        4 months ago

        Your explanation is correct.

        For me, the critical issue is still compatibility. Not all password managers support passkeys, not many sites support passkeys etc.

        • Synapse@lemmy.world
          link
          fedilink
          arrow-up
          2
          ·
          4 months ago

          Yes, I have my Solokey for a while. I can count the compatible services I use on the fingers of one hand. Passkey, as of today, even fewer…

    • Encrypt-Keeper@lemmy.world
      link
      fedilink
      English
      arrow-up
      9
      ·
      4 months ago

      The (over?) simplified version is they’re basically the same as the key/certificate pairs you use to connect to a website securely while also proving its identity to you.

      Some key benefits of passkeys are:

      • Your private key doesn’t leave your device (or your password manager). You no longer have to worry about if the website you’re using is incompetent and storing your password in plain text waiting to be stolen in a breach. The only one who can expose your passkey is you (or your password manager)
      • Your passkey isn’t something you have to remember so for the unwashed masses it’s more idiot proof because they’re more secure by default
  • the_weez@midwest.social
    link
    fedilink
    arrow-up
    20
    ·
    4 months ago

    The passkey user experience needs work. It’s mostly on the client side, I think the implementation is good but it’s just way too easy to lose a passkey forever.

  • slazer2au@lemmy.world
    link
    fedilink
    English
    arrow-up
    19
    arrow-down
    1
    ·
    4 months ago

    Na, the biggest brain move is using an EICAR test string as a password.

    First off, if your password is stored in plain text any AV will quarantine the file, including database files.

    Secondly, if the password is leaked, any file containing it will be quarantined.

  • graphito@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    10
    ·
    edit-2
    4 months ago

    Dear google, can I have custom passkey provider on my Android <13?

    Google:


    Spoiler: There’s no option to change the passkey provider nor even mention of passkeys in settings

    • lud@lemm.ee
      link
      fedilink
      arrow-up
      5
      ·
      4 months ago

      While annoying it’s understandable that they don’t backport everything from newer updates.

    • cron@feddit.orgOP
      link
      fedilink
      arrow-up
      5
      ·
      4 months ago

      looks interesting, a bit like all this “login with google” but without a third party needed.

      I’ve never heard of it before, and the idea is more than 10 years old, so it is probsbly very niche.

      • min@lemmy.sdf.org
        link
        fedilink
        arrow-up
        4
        ·
        4 months ago

        It ends up being a lot like FIDO or Passkeys but without having to store a separate key for each site. Each key is derived from your master key and the domain so they are all unique, to prevent tracking, but you still don’t have to save a separate private key blob for each site. There is also a recovery key built into the spec so that if your master key somehow gets out, you can use your recovery key to prove you’re the real person and regain your account to change the signin public key.

  • JohnDClay@sh.itjust.works
    link
    fedilink
    arrow-up
    7
    ·
    4 months ago

    If you can remember all your passphrases, is randomly generated enough of a benefit to justify having a centralized vulnerability?

    • GenderNeutralBro@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      11
      ·
      4 months ago

      I couldn’t possibly remember all my passphrases unless I reused them everywhere, which would leave me with an arbitrary number of centralized vulnerabilities, under the responsibility of people who don’t give a shit.

      • JohnDClay@sh.itjust.works
        link
        fedilink
        arrow-up
        1
        ·
        4 months ago

        Like storing them in planetext? If they’re not, I wouldn’t think similarities in part of the input would lead to a vulnerability.

        • GenderNeutralBro@lemmy.sdf.org
          link
          fedilink
          English
          arrow-up
          2
          ·
          4 months ago

          Sure, why not?

          Passwords have been leaked from many companies you’d expect to have decent security policies. I have no visibility into that, so I would not assume competence across an arbitrary number of sites. God only knows how many of the services I use store my password in plaintext, or improperly hashed.

    • brossman@infosec.pub
      link
      fedilink
      English
      arrow-up
      2
      ·
      4 months ago

      in that case, the password manager is just a (hopefully offline) backup. still a good idea imo.

    • calcopiritus@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      4 months ago

      I don’t know how many accounts an average internet user has, but I’m pretty sure it’s well above the human’s memory capabilities. Assuming this is true, there are 4 scenarios:

      1. You use the same password everywhere, so any service leaking it means it’s leaked for every other one.

      2. You use different passwords every time, so you have to have a centralized vulnerability where you store them all.

      3. You memorize some, and the rest do the same as 2.

      4. Like 1. Except you memorize more than 1 password.

      5. Is the least secure but the easiest.

      6. Has the centralized vulnerability problem.

      Assuming that in 3. You don’t store the most critical passwords (email, banking, etc.) it’s the most secure. But requires a lot of care and memory. And also has the highest penalty if you forget a password.

      1. Is just 3. But worse (but don’t need to check the password storage).

      So instead of comparing 2. To 5. (5. Being a magical scenario where you can remember all your passwords that are different from each other). We should compare 2. to 3. (Or 4. Instead of 3. If you really don’t want a password storage).

      1. Is massively more convenient than 3. The only advantage of 3. In convenience is that you don’t need to have a password storage for some passwords. Which I don’t think it’s comparable to having to remember passwords.

      The only security benefit of 3. Over 2. Is that your critical accounts are safe if that password storage is breached.

      How likely is it to be breached though? If you are serious about security you should be using an actual password manager, which is focused on security. The only way to get passwords out of it should be to put in the master password, which should be impossible if the master password is good enough (which you can afford since you only need to remember one password). Additionally, you can use multiple factors, which might not be available on normal websites.

      The only moment really where a password can be intercepted is while it is in your clipboard. Which is why TikTok reading the user’s clipboard without consent should be taken way more seriously than it had been.

      Of course every method fails with the wrench to the head technique (insert xkcd here).

  • henfredemars@infosec.pub
    link
    fedilink
    English
    arrow-up
    1
    ·
    4 months ago

    We haven’t reached the level of passwords yet because of their restrictive policies leading to users storing copies of their passwords near the computer.

    We basically just have usernames with slightly more steps.