* Passkeys level up security, and while Passkeys make some tradeoffs concerning security vs. usability, they do not introduce any new attacks and make many existing attacks much harder or impossible (e.g. brute forcing attacks or credential stuffing).
* Passkeys will bypass the hurdle of getting people to start using password managers, and will likely result in the widespread use of biometrics to secure Passkeys.
* Passkeys can potentially make account sharing harder once attestation is supported, something a lot of service vendors are in favor of.
* Passkeys are also easier to deploy and reliable due to optional device synchronization, which should reduce the need for account recoveries and lower support costs.
* Passkey client support in both software and secure hardware tokens is widespread and available now on most platforms, browsers and most third-party password managers.
* Passkeys are being deployed by major vendors (e.g. Google https://blog.google/technology/safety-security/passkeys-defa...)
============
Conclusion:
No new significant risks or attacks are introduced from the threat model perspective. From a usability and reliability perspective, Passkeys are infinitely better than passwords. Finally, from a support perspective, chances are that if you currently use a system to manage your passwords, it already has Passkey support. For high-security applications, you can also choose to use your hardware token.
Web applications and websites are becoming increasingly critical to everyday life (banking, healthcare, education, shopping, etc.). We must improve security across the board and get rid of old and insecure things like usernames and passwords. The world has also changed, and virtually everyone has a smartphone, something unimaginable even ten years ago, let alone twenty.
Simply put, in every situation where you use a password, you should upgrade to a Passkey if possible.
@keno3003 Sorry, your #Passkeys promotional video sounds like lobbying for big corporations.
With the loss of protection of the secret compared to #FIDO2, passkeys are considerably less trustworthy. Passkeys would only be more secure if you absolutely trusted operators like #Apple, #Google, #Microsoft to handle my secret properly. The most recent example is Microsoft distributing master keys for the #Cloud. 😔
Normal 2FA is therefore more secure than passkeys. #TOTP
If I want to use #passkeys with #linux desktop how do I do it? Do I have to have a security USB stick? I am not sure of the point of that. It seems easier to carry on using a password manager.
Is anyone else just a little concerned that the rush towards copyable #passkeys (as against hardware bound such as a #YubiKey) is still a single factor #InfoSec risk? I’m quite happy having a #passkey instead of a password as one factor, so long as I can still add MFA to it, but I’m concerned that this isn’t going to be implemented in most cases.
I made my first #YouTube video! It’s just a little introduction to #Passkeys, the hot new authentication technology that I’m sure everyone is buzzing about… right? 🤓 https://youtu.be/4DamjB5lNVg :boost_request:
Everyone is talking about #Passkeys, and I wonder whether this is technically anything different from smartcards, which have existed forever and which you could have used on the web forever.
I had a chance to dogfood Google's passkeys support a couple of weeks back. I'd have posted about my experiences sooner but was requested not to until it launched.
Well today's the day! My review of Google's support of passkeys: it's great! Much better than the "find your YouTube app to approve this login then make your way back here" flow that Google loved defaulting to even with TOTP set up as a second factor. Passkeys sign in happens so quickly, too; I don't have to futz around with my TOTP app to find the code I need, I just tap a button and look at my phone.
I see lots of positive response to the news, too, which makes me happy. I feel like this will drive more people to learn about WebAuthn and hopefully see the benefits of using it for sign in: it's a faster, more convenient way of signing in (and of course it's more secure but most people outside of our sphere don't care about that.) This would in turn drive demand for the technology across more and more sites because, "it's so simple to sign into Google, why can't you do that?"
All in all I'm happy to see such a huge Relying Party like Google commit to supporting passkeys. Here's to a more passwordless world!
Wow, the comments on my article on #Passkeys in the German #iX/#heise have shown me a lot of misconceptions people have:
No, you don't need to synchronize Passkeys
nor do you need to use Google/MS/Apple
nor is storing an encrypted binary blob a big danger
Passkeys aren't just autofilled #passwords: they use challenge auth, not shared secrets!
#TOTP 's aren't better because they're a real #2FA. Actually they suck against #phishing.
A secure enclave can still be used, but it's mostly used for decrypting the keychain, not storing it
You can still use #YubiKey 's, either with discoverable creds (uses 1 slot each) or non-discoverable creds (1 slot for all Passkeys)
Generally, I think the term 2FA is misleading. Not all 2FA is created equal. One could even argue that Passkeys are "less" 2FA than Password+TOTP -- and yet, it's more secure in most attacks because it can't be phished.
A lot of people seem to think that the more annoying and difficult to use a technology is, the more secure it is. We have the same problem with passwords and their complexity. We humans suck at guessing how secure something is through intuition.
This also references #Passkeys. Personally, I prefer #FIDO2 over passkeys when I already own a FIDO2 token anyway and don't want my passkey secret to be readable, which is not the case with FIDO2.
If you don't have a FIDO2 token, passkeys do have advantages, since (like FIDO2) they also protect against phishing.
Only the YubiKey 5 series supports creating and storing passkeys ("resident WebAuthn credentials"), and you can only store 25 of them.
Also, non-passkey use of YubiKeys appears to no longer be [reliably*] supported by Google's Advanced Protection Program. You have to create a reliable passkey, then delete and re-add all of your existing keys (listed under "2-step verification only security keys"). Some of my keys are ... extremely offsite, so it will take time to restore my previous levels of redundancy.
I think I'm starting to understand how we got here, but I'm still unhappy that the benefits of the previous model - in which unlimited sites could be used with each security key, and U2F keys were backward compatible - are gone.
I also feel as though Google, Yubico, and others could have done a better job of communicating the consequences for advanced users ... in advance. Instead, Google searches for "2-step verification only security keys" currently only produce 5 results, which are Reddit threads full of commiserators and Google support threads like this one that are locked without response:
* Once any passkeys use is enabled, some APP users (including me) can sometimes do a fresh Google login from scratch on a new device with only a security key... but other times, any "2-step verification only" key you try is rejected as unrecognized. I do not know what the variability is - and the forums are full of people with similar complaints.
UPDATE: On further testing, and based on reports from others on the side, it may be that the symptoms I (and the folks in the forums) experienced were a problem for the first few months at launch, but may have been fixed. It last failed for me about a month ago, but I'm unable to recreate from Incognito. But since Google uses many signals to determine how to prompt for what kind of MFA, I am not at all confident that I will be able to use non-passkey security keys from a fresh computer in a new geographic location away from my phone. If Google fixed something, I do wish they'd say something about it somewhere, so that I can key with confidence!
Update 2: a friendly, authoritative reply that we don't think anything has changed, so the symptoms are still mysterious (and maybe more common if a PIN is set on the key?): https://infosec.exchange/@skarra/111309708728390341
Update 3: And to head off some side questions - this doesn't diminish my YubiKey fanboy-ness. :D I do see the trade-offs, and the middle ground for me will probably look something like storing my "top 20" critical passkeys on YubiKeys, and keeping all the others in a password-management layer.
It looks like BitWarden is following suit with 1Password and returning "uv:true" in WebAuthn authentication requests even though the user isn't prompted for anything more than to confirm the use of a passkey. The unlocking of the vault is considered the user-verifying event...
As an end user I appreciate the streamlined experience. But as an RP I'm disappointed - what if vault unlock occurred 5/10/30 minutes prior? Someone could cruise by someone's desk when the vault is unlocked and auth as the vault owner and the RP would be none the wiser 😢
It's a tough middle point that passkey providers have to try and find 🥴
#passkeys are finally now supported by #ProtonPass from @protonprivacy on all compatible devices and account types (both free and paid). All that's missing now is the ability to organize data into folders or labels.