@cavyherd Passkey biometric is limited to your device - the biometric stuff is not transmitted over the net, rather it is only used to unlock the private key that is held in secure storage inside your phone or other device.
(Some devices, such as Apple, do move the passkey private keys around, but it seems that the biometric stuff never leaves your phone or laptop.)
So the biometrics don't move over the net, is what I'm hearing? Just the "passkey" product?
So basically I wouldn't be able to use the passkey without that particular device (or one networked to it through the cloud)?
If I've understood correctly, once one has set up a passkey, one can't then go back to using passwords?
How is this an improvement, exactly?
-
@karlauerbach so for a site that you have a passkey for on your Apple devices, what happens when you try to log in from a Linux device?
@ShadSterling On my Linux machines (and FreeBSD machines) when I am using the web to get to some sort of service - like my banks - I usually hit a "passkey first" gate that sends me searching for a button that says something like "login with password". Good sites have that alternative - at least they do now, but who knows what will happen in the future.
I have seen that security people tend to forget some of the side effects of their policies. I've had expensive devices rendered useless, for instance, when the IETF "deprecated" certain algorithms used by TLS - browser makers dropped that code in favor of newer algorithms, but there was no way to update my expensive test gear, so I was forced to keep some obsolete laptops and browsers so I could use that old, but still useful test gear.
-
@karlauerbach yeah but if someone gets on your phone you're super fucked, right? The other physical item (the hardware 2fa key) is required.
@codinghorror You raise an important point - physical possession of a device that is holding private key/crypto data is problematic. However, modern desktops, laptops, and phones have tamper resistant chips designed specifically to hold stuff and also be really hard to crack open and get the data. These are usually called "Trusted Processor Modules" or TPM - these are one of the reasons why Windows 11 was initially restricted only to platforms with a TPM.
Of course, there are means to open up a TPM, but those means tend to be practiced by things like national security agencies rather than run-of-the-mill crooks. But crooks are always getting newer and better tools.
-
@cavyherd Yes, passkeys generally lock you into a set of coordinating devices that know how to share the passkey private keys (but do not usually share the biometric to unlock those keys.)
So far most websites do allow a fall back to regular login via name/password or a form of 2FA. But how long will that practice continue? I fear that lazy website designers will choose to drop those older methods.
-
Well, I'm certainly not going to be in a hurry to make their case for them.
-
One of the systems I use uses VoIP for 2FA. Would that still be SMS?
@cavyherd @hakfoo Voice over IP (VoIP) is usually run using protocols such as SIP (for call setup) and RTP (for the actual data/voice carriage.)
SMS is different.
Texting is an umbrella term that covers a multitude of various kinds of message transfers, one of the older forms being SMS. (For instance, SMS can't give the "delivered" or "responding" statuses that one gets from more modern message transfer protocols, such as used by Apple between iPhones. This is why there are sometimes issues between iPhones, Android phones, and other message platforms.)
-
Confirm my understanding that SMS is basically texting via phone, yes?
@cavyherd @hakfoo Other way around - SMS is a subset of what we now call "texting". Modern text tools use various different protocols, one of which is SMS, depending on things like "what can the other end do". I don't know the details other than to know that it is a rather messy world down there under the "text message system" covers.
-
@cavyherd You might find that you are already using passkeys - I didn't realize that I had set some up when they first came along. For example, Amazon makes it almost painless and unknown to slide into using passkeys to login rather than your user name/password.
-
@karlauerbach @airshipper Passkeys, like forms of 2FA, force you into this "where is the device that can let me in" pattern.
The fact that Apple cross syncs the thing is both a feature, and also a security vulnerability. Why do I want to hand my keys out to everything else, much less through a party I shouldn't be trusting?
Making good security easier for older people would be lovely.
@jhaas @karlauerbach @airshipper It shouldn't be hard to do security for older people that younger hackers couldn't break. E.g., require the user to answer the security question "who is Anson Williams?"
[edit: had to correct the name, which hopefully means I'm not quite yet an Old.]
-
@karlauerbach so a bad site for which you’ve created a passkey on your apple devices would make it impossible to log on from your Linux machines? And good sites today might become bad sites in the future? That sounds like if I start using passkeys then switch to Linux I’ll be permanently locked out of some sites, which makes using passkeys sound like a vulnerability
-
@ShadSterling Not quite - it may be that some stupid websites will make themselves "passkey only", but that would lose them a lot of clients, especially older people or people who use non-smart phones (and there are many of those.)
There really is no problem with passkeys except that they can't be used except on devices with biometric (or equivalent) sensors and that many websites once they enable passkeys seem to hide the old ways behind tiny text links or the like.
-
@msbellows @jhaas @airshipper I would have picked "Who is Rula Lenska?"
-
@karlauerbach @jhaas @airshipper You forgot "the hell," but dang, yes, that's a fabulous alteration!
-
Gawd sometimes I hate passkeys.
I have to deal with some fairly old people - people who have lost much of their vision and who have never been particularly technically minded.
The modern race-to-lock-everything has moved a lot of services (such as Outlook) to move to passkeys.
That's nice - unless one is trying to deal with problems for an old person who is 800 miles away.
It appears that many of these services treat having a passkey as a one-way ratchet. Once someone (me) has set up a passkey (limited to my computer and phone) then the service switches to demand a passkey rather than the password to get in - but the old person's phone/computer does not have the passkey nor knows how to use it even if they did.
Our present Internet - largely programmed by young people with tech knowledge and good eyesight - is becoming increasingly hard to use by older people while things (like medical services) increase security that these people do not know how to use and can't be managed remotely.
@karlauerbach I'm a senior, reasonably tech-proficient, but avoiding passkeys for as long as I can.