Gawd sometimes I hate passkeys.
-
@karlauerbach does this apply to hardware 2fa keys? I honestly don't really understand why we bother with anything else other than the hardware 2fa keys.
@codinghorror I'm not able to evaluate the relative strength of those time-based authenticators vs passkey, but from my own actual experience, passkeys are easier on the user. (And when it comes to time-based authenticator devices I personally prefer the ones that run as apps on my phone rather than on a separate device.)
-
@karlauerbach so your passkeys work in all browsers on all of your apple devices, but not your Linux and FreeBSD devices? Because Apple implicitly syncs them outside of your control with no way to sync to non-Apple devices?
I don’t follow about distinct engagements and binding them together; if I follow a link within a site I’m logged in to, is that a distinct engagement that the service is binding together with a cookie? How does that relate to using multiple browsers or devices?
@ShadSterling Yes, Apple is silently copying my passkey stuff around between my Apple devices. My Linux machines don't play in that world, but as I mentioned somewhere, my Linux machines mostly don't have the hardware to do make a biometric test.
-
@codinghorror I'm not able to evaluate the relative strength of those time-based authenticators vs passkey, but from my own actual experience, passkeys are easier on the user. (And when it comes to time-based authenticator devices I personally prefer the ones that run as apps on my phone rather than on a separate device.)
@karlauerbach yeah but if someone gets on your phone you're super fucked, right? The other physical item (the hardware 2fa key) is required.
-
@oddhack @GhostOnTheHalfShell @GamesMissed What you are describing is not a passkey system. What you describe seems to be a name:time-based-authenticator system. Usually passkey systems only require a login name and a biometric (the biometric is processed locally on your machine and not transmitted.)
A lot of financial institutions use this method. Indeed many banks hand out RSA fobs to customers to use. These generate a new 6-digit authentication sequence every 30 seconds or so. There are also software versions, such as the Google Authenticator App.
(When I was working on various things at "the labs" sometimes we had to pass through rotating gates, kinda like jails, and we were physically locked in until we had passed all the identification/authentication tests. I never felt comfortable when locked in that way.)
@karlauerbach @GhostOnTheHalfShell @GamesMissed I did not intend to imply it was a passkey system and did not use that term.
N.b. I would be less unhappy being able to use GA or similar, than being forced into activating the bank's (edit: half-assed) app with exactly the same security required to get into the website to begin with.
-
@ShadSterling Yes, Apple is silently copying my passkey stuff around between my Apple devices. My Linux machines don't play in that world, but as I mentioned somewhere, my Linux machines mostly don't have the hardware to do make a biometric test.
@karlauerbach so for a site that you have a passkey for on your Apple devices, what happens when you try to log in from a Linux device?
-
Gawd sometimes I hate passkeys.
I have to deal with some fairly old people - people who have lost much of their vision and who have never been particularly technically minded.
The modern race-to-lock-everything has moved a lot of services (such as outlook) to move to passkeys.
That's nice - unless one is trying to deal with problems for an old person who is 800 miles away.
It appears that many of these services treat having a passkey as a one-way ratchet. Once someone (me) has set up a passkey (limited to my computer and phone) then the service switches to demand a passkey rather than the password to get in - but the old person's phone/computer does not have the passkey nor knows how to use it even if they did.
Our present Internet - largely programmed by young people with tech knowledge and good eyesight - is becoming increasingly hard to use by older people while things (like medical services) increase security that these people do not know how to use and can't be managed remotely.
@karlauerbach @clew I once made a living writing about tech, but am completely baffled by passkeys. I'm no longer young, but I don't think the problem is related to my age.
-
Gawd sometimes I hate passkeys.
I have to deal with some fairly old people - people who have lost much of their vision and who have never been particularly technically minded.
The modern race-to-lock-everything has moved a lot of services (such as outlook) to move to passkeys.
That's nice - unless one is trying to deal with problems for an old person who is 800 miles away.
It appears that many of these services treat having a passkey as a one-way ratchet. Once someone (me) has set up a passkey (limited to my computer and phone) then the service switches to demand a passkey rather than the password to get in - but the old person's phone/computer does not have the passkey nor knows how to use it even if they did.
Our present Internet - largely programmed by young people with tech knowledge and good eyesight - is becoming increasingly hard to use by older people while things (like medical services) increase security that these people do not know how to use and can't be managed remotely.
@karlauerbach @smn Passkeys are a great technical solution to a problem that is extremely hard to describe even to technically minded people and every explaination of them I’ve ever seen utterly fails at communicating why they’re a good thing and how they work (from a user’s perspective).
I think it’s a symptom of programming and software having, over the last two decades, gotten extremely complex for absolutely no reason—and people (including those who make those annoying websites) simply can’t explain things anymore.
-
@crystalmoon I live in the Apple world, so for most bank transactions, or paying bills, or even buying something at a store, I find that the most I need is my face (for facial recognition biometric) or my finger (for fingerprint biometric).
My banks seem to have some sort of size/dollar threshold that triggers the use of a time-based authenticator, like an RSA widget or Google Authenticator app. Because we own a business we usually have to do that when dealing with our business accounts.
@karlauerbach Same, I also run iOS. In this case the banking apps wants a Persona-like authentication flow because of several fraud-related court losses
-
@karlauerbach Same, I also run iOS. In this case the banking apps wants a Persona-like authentication flow because of several fraud-related court losses
@karlauerbach after that first auth, they will usually require a PIN or whatever on-device biometrics is available
-
@airshipper I personally like passkeys and use 'em when I can.
My complaint is that so much of our modern world is made by young people who have no experience with what happens as people age (and die) and the tasks that many of us have to undertake to support aging people on that journey.
I was particularly outraged how hard it was to sign into the outlook email account of one aging person. My computer/phone had a valid passkey, but that person's devices did not, so they wanted to use their old (and still valid) password. Outlook was like a ratchet - it said "oh you have a passkey, if you want to use a password - well you now have to jump through several badly labeled hoops that you won't understand."
And this was to allow them to sign into their health care service to fetch a 2FA email.
As a future executor of various estates I now know that upon their death the first thing I do is grab their cell phone (I have the login) and keep it powered on.
@karlauerbach @airshipper Passkeys, like forms of 2FA, force you into this "where is the device that can let me in" pattern.
The fact that Apple cross syncs the thing is both a feature, and also a security vulnerability. Why do I want to hand my keys out to everything else, much less through a party I shouldn't be trusting?
Making good security easier for older people would be lovely.
-
@cavyherd Do consider setting up passkeys. They are a great improvement over passwords and one usually does not forget to carry one's biometrics wherever one might choose to go. Often setting up a passkey is so painless that one might not even notice that it was done. (It is annoying on my Mac Mini because that machine does not have Apple's fingerprint button, so I usually set up passkeys on my other Apple devices and let them be [hopefully securely] propagated via Apple's iCloud sharing.)
One of the weakness of passkey is that you usually need a computer/phone onto which the private key part of the desired passcode has been propagated - so you usually need your smart phone or laptop, you can't expect to be able to walk up to an arbitrary computer, while wearing nothing but your birthday suit, and securely log in. With passwords you could do that - although I rarely see a naked person doing banking.
I have zero desire to unleash my biometrics into the System. & I don't use a smartphone, so I don't even see how setting up a passkey wouldn't be a massive •in•crease in inconvenience? I also don't use the cloud, so honestly it sounds like just another gambit to lock in to the major tech platforms?
"Conveninece" is...not a selling point.
-
"One does not forget to carry one's biometrics".
Except they're inaccessible on VERY common use cases like "desktop PC without webcam" or "public kiosk".
So we have to do terrible Rube Goldberg flows for non-smartphone users. I really don't want my digital life centered around a delicate theft-target device that's mostly a vector for funneling personal data to an American bigtech.
TOTP 2FA can be run on a freaking Commodore 64. Emailed codes are tech-agnostic.
THANK you. This is my thinking exactly.
-
@hakfoo @cavyherd 2FA is good (certainly more secure than a simple password) and, as you point out, requires few resources (apart from the need to have a 2nd communications medium to carry the 2nd factor messages.) But it does have vulnerabilities, particularly if the attacker has ways to affect the routing of the 2nd factor to the user. For instance Telco routing of that 2nd factor via SMS has been a source of attack.
Confirm my understanding that SMS is basically texting via phone, yes?
-
Confirm my understanding that SMS is basically texting via phone, yes?
@cavyherd @hakfoo SMS is one way that "text messages" move between devices. Text messages started out as 140 character things that were carried in an unused part of telephone company cell phone signalling. Since then many other mechanisms have been moved under the umbrella lf "text messaging". I don't know the details other than to know that it has become rather complicated.
-
I have zero desire to unleash my biometrics into the System. & I don't use a smartphone, so I don't even see how setting up a passkey wouldn't be a massive •in•crease in inconvenience? I also don't use the cloud, so honestly it sounds like just another gambit to lock in to the major tech platforms?
"Conveninece" is...not a selling point.
@cavyherd Passkey biometric is limited to your device - the biometric stuff is not transmitted over the net, rather it is only used to unlock the private key that is held in secure storage inside your phone or other device.
(Some devices, such as Apple, do move the passkey private keys around, but it seems that the biometric stuff never leaves your phone or laptop.)
-
@cavyherd @hakfoo SMS is one way that "text messages" move between devices. Text messages started out as 140 character things that were carried in an unused part of telephone company cell phone signalling. Since then many other mechanisms have been moved under the umbrella lf "text messaging". I don't know the details other than to know that it has become rather complicated.
One of the systems I use uses voip for 2FA. Would that still be SMS?
-
@cavyherd Passkey biometric is limited to your device - the biometric stuff is not transmitted over the net, rather it is only used to unlock the private key that is held in secure storage inside your phone or other device.
(Some devices, such as Apple, do move the passkey private keys around, but it seems that the biometric stuff never leaves your phone or laptop.)
So the biometrics don't move over the net, is what I'm hearing? Just the "passkey" product?
So basically I wouldn't be able to use the passkey without that particular device (or one networked to it through the cloud)?
If I've understood correctly. once one has set up a passkey, one can't then go back to using passwords?
How is this an improvement, exactly?
-
@karlauerbach so for a site that you have a passkey for on your Apple devices, what happens when you try to log in from a Linux device?
@ShadSterling On my Linux machines (and FreeBsd machines) when I am using the web to get to some sort of service - like my banks - I usually hit a "passkey first" gate that sends me searching for a button to that says something like "login with password". Good sites have that alternative - at least they do now, but who knows what will happen in the future.
I have seen that security people tend to forget some of the side effects of their policies. I've had expensive devices rendered useless, for instance, when the IETF "deprecated" certain algorithms used by TLS - browser makers dropped that code in favor of newer algorithms, but there was no way to update my expensive test gear, so I was forced to keep some obsolete laptops and browsers so I could use that old, but still useful test gear.
-
@karlauerbach yeah but if someone gets on your phone you're super fucked, right? The other physical item (the hardware 2fa key) is required.
@codinghorror You raise an important point - physical possession of a device that is holding private key/crypto data is problematic. However, modern desktops, laptops, and phones have tamper resistant chips designed specifically to hold stuff and also be really hard to crack open and get the data. These are usually called "Trusted Processor Modules" or TPM - these are one of the reasons why Windows 11 was initially restricted only to platforms with a TPM.
Of course, there are means to open up a TPM, but those means tend to be practiced by things like national security agencies rather than run-of-the-mill crooks. But crooks are always getting newer and better tools.
-
So the biometrics don't move over the net, is what I'm hearing? Just the "passkey" product?
So basically I wouldn't be able to use the passkey without that particular device (or one networked to it through the cloud)?
If I've understood correctly. once one has set up a passkey, one can't then go back to using passwords?
How is this an improvement, exactly?
@cavyherd Yes, passkeys generally lock you into a set of coordinating devices that know how to share the passkey private keys (but do not usually share the biometric to unlock those keys.)
So far most websites do allow a fall back to regular login via name/password or a form of 2FA. But how long will that practice continue? I fear that lazy website designers will chose to drop those older methods.
