this post was submitted on 11 Oct 2023
291 points (98.0% liked)

Technology

59217 readers
2726 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Passkey is some sort of specific unique key to a device allowing to use a pin on a device instead of the password. But which won't work on another device.

Now I don't know if that key can be stolen or not, or if it's really more secure or not, as people have really unsecure pins.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 57 points 1 year ago* (last edited 1 year ago) (5 children)

While I would agree this sounds more secure, I'm always worried about people getting further locked in to Google's products.

Hopefully this system won't take accounts "hostage" by requiring you use Chrome to log in to them, but it's Google, so...

EDIT: I'm wrong, passkeys are stored per-device and can be shared between devices using an open standard. Here's a video explaining the basics. It addresses my concern at around the 2:50 mark.

[–] [email protected] 42 points 1 year ago (2 children)

Passkey is an open standard. It's not Google specific.

[–] [email protected] 3 points 1 year ago

That's good to hear. I don't know much about passkeys, and I should really spend some time learning about them. Didn't mean to fear-monger, but I guess I'm getting more cynical these days.

[–] [email protected] 1 points 1 year ago

Updated my root comment to reflect this.

[–] [email protected] 41 points 1 year ago* (last edited 1 year ago) (2 children)

We're sorry, Firefox cannot access your IMEI to fingerprint your device. Please use a modern web browser like Chrome, Chrome, or maybe try Chrome.

Yet another anti-consumer, anti-privacy, "for the sake of children!" Type tactic from Google.

[–] [email protected] 29 points 1 year ago (1 children)

Mozilla is in the process of implementing passkeys in Firefox. This page tracks the status of various implementations of passkeys.

[–] [email protected] -2 points 1 year ago* (last edited 1 year ago)

Yeah I've already switched to LibreWolf after seeing the AI bullshit that FF is adding in the name of "spotting fake reviews". My ass. Unfortunately I can't use it at work apparently, the security app we use flagged it because I tried to import passwords from another browser... sigh

CAN I JUST BROWSE THE DAMN INTERNET PLEASE

[–] [email protected] 17 points 1 year ago (2 children)

Did you just make up something that could happen and then get mad about it?

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Yeah I'm in that kinda mood today. And it's not exactly far fetched.

[–] [email protected] -5 points 1 year ago (3 children)
[–] [email protected] 15 points 1 year ago (1 children)

Satire typically highlights something that has happened, not something made up.

[–] [email protected] 2 points 1 year ago

Where's the humor?

[–] [email protected] 14 points 1 year ago

it's passkeys. they are getting integrated in a lot of stuff right now, including password managers like bitwarden

[–] [email protected] 8 points 1 year ago (1 children)

Use a yubikey, that doesn’t vendor-lock you to an OS ecosystem. They make one with nfc so it’s not a pain to use with your phone.

[–] [email protected] 4 points 1 year ago (3 children)

I'm not sure if this is universal or specific to the last site I tried to use my Yubikey with as a passkey, but it only would allow it to be used as 2FA, not actual passwordless authentication.

I assume this is because Yubikeys don't create a secret for each individual website I suppose? Not exactly sure about that one.

[–] [email protected] 4 points 1 year ago (1 children)

The site likely didn’t support passkeys. But passkeys are basically webauthn passwordless login, and per the yubikey docs they support that.

See https://www.yubico.com/authentication-standards/fido2/ and https://fidoalliance.org/passkeys/#faq for more info. See also https://support.apple.com/guide/iphone/use-passkeys-to-sign-in-to-apps-and-websites-iphf538ea8d0/ios specifically the bit about adding a passkey to a physical key.

[–] [email protected] 2 points 1 year ago (2 children)

Google definitely supports passkeys, and they were one of the sites that did this. I've just replied to another comment regarding this. I wonder if the Yubikey 4 (I'm not sure how to tell which one I have, since they look about the same) just doesn't support passkeys, which would be... unfortunate.

It'll be even more unfortunate if there's a weird mix of sites that support the Yubikey as a passkey and some only support it as a passkey. My Pixel is supported as a passkey, but Firefox on Linux doesn't support this - only on Windows and macOS. I believe Chrome/Chromium does, which is equally as frustrating as my Yubikey possibly not supporting passkeys.

Strangely enough, Google lets me "add" my Yubikey as a passkey, but then does not let me sign in with it due to it not being "recognized". If I remove it as a passkey, and only use it as a 2FA token, attempt to sign in and use the "Enter your password" option, it will then let me use the key after I've entered my password as a second factor.

So it seems Google has removed the error (or its not triggering anymore) as they will have been one of the first sites I tried to create a passkey for, but it still does not let you use it as a passkey.

[–] [email protected] 2 points 1 year ago (1 children)

Per Yubico’s specs on the Yubikey 4, it does not support FIDO 2 resident credentials, meaning it does not support Passkeys.

Compare to the specs of the Yubikey 5C NFC or Yubico Security Key C NFC, which both have this section:

FIDO2

The FIDO2 application allows for secure single and multi-factor authentication, and can store up to 25 resident credentials. These credentials, which are protected by a PIN, enable passwordless login, where the YubiKey, unlocked by a PIN and authorized by touch, can log you in to your accounts without entering a username or password. The FIDO2 application is FIDO certified.

See also Yubico blog post with an FAQ about passkeys:

How are passkeys different from YubiKeys?

They’re the same, and they’re different.

They’re the same because YubiKeys have had the ability to create these passwordless enabled FIDO2 credentials (passkeys) since the YubiKey 5 Series became available in mid-2018. Currently, YubiKeys can store a maximum of 25 passkeys. We are evaluating increasing this in the future because of the likely increase in fully passwordless experiences across the web that require them.

They’re different because Platform created passkeys will be copyable by default using the credentials for the underlying cloud account (plus maybe an additional password manager sync passphrase), whereas passkeys in YubiKeys are bound to the YubiKey’s physical hardware where they can’t be copied.

I wouldn’t run out right now and buy a Yubikey to store Passkeys given the 25 key limit and the likelihood that Yubico releases a new key that supports storing far more of them, but if you do, the $25 Security Key series is the cheapest option.

[–] [email protected] 1 points 1 year ago

Interesting, I'll probably just have to wait till either Bitwarden supports Passkeys, or wait till Firefox on Linux supports cross-device Passkeys (so, my phone for example) as yeah a 25 key limit is not likely to be worth purchasing an upgrade for just yet.

[–] [email protected] 1 points 1 year ago

The credential needs to be set as discoverable and some other stuff to work for passwordless login (the token must store site specific data)

You would need to reregister it as passwordless to not just use it as 2FA after having entered a password (meanwhile standard 2FA with webauthn don't store anything on the token, the website sends encrypted credentials to the token which only the token can decrypt and then authenticate with)

[–] [email protected] 2 points 1 year ago

Both the website and your physical security token must support the right type of webauthn credentials (the token has storage for a certain number of slots with "discoverable credentials").

Passkeys is a variant of the same which is bound to your device's own TPM / SE security chip or equivalent, plus a synchronization feature for backups.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

You can use Yubico keys as your passwordless logins. Both Google and Microsoft have this option.

[–] [email protected] 1 points 1 year ago (1 children)

Strangely enough, Google lets me "add" my Yubikey as a passkey, but then does not let me sign in with it due to it not being "recognized". If I remove it as a passkey, and only use it as a 2FA token, attempt to sign in and use the "Enter your password" option, it will then let me use the key after I've entered my password as a second factor.

So it seems Google has removed the error (or its not triggering anymore) as they will have been one of the first sites I tried to create a passkey for, but it still does not let you use it as a passkey.

[–] [email protected] 0 points 1 year ago

I haven't encountered this issue, yet. I'm using LibreWolf browser (v118.0) and tested logging in my Google and MS account passwordless. BTW, I have Yubico Security Key NFC (the blue one).

[–] [email protected] 6 points 1 year ago

Mot likely it won't need to have chrome. However maybe Google services may be required.

However it is also very likely, if a device cannot support such feature, it will only require a password and 2fa.