“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.

  • nevemsenki@lemmy.world
    link
    fedilink
    English
    arrow-up
    139
    arrow-down
    8
    ·
    1 month ago

    If the passkeys aren’t managed by your devices fully offline then you’re just deeper into being hostage to a corporation.

    • unskilled5117@feddit.org
      link
      fedilink
      English
      arrow-up
      38
      arrow-down
      3
      ·
      edit-2
      1 month ago

      The lock-in effect of passkeys is something that this protocol aims to solve though. The “only managed by your device” is what keeps us locked in, if there is no solution to export and import it on another device.

      The protocol aims to make it easy to import and export passkeys so you can switch to a different provider. This way you won’t be stuck if you create passkeys e.g. on an Apple device and want to switch to e.g. Bitwarden or an offline password manager like KeyPassXC

      The specifications are significant for a few reasons. CXP was created for passkeys and is meant to address a longstanding criticism that passkeys could contribute to user lock-in by making it prohibitively difficult for people to move between operating system vendors and types of devices. […] CXP aims to standardize the technical process for securely transferring them between platforms so users are free […].

      • nevemsenki@lemmy.world
        link
        fedilink
        English
        arrow-up
        18
        arrow-down
        2
        ·
        edit-2
        1 month ago

        That’s between platforms though. I like my stuff self-managed. Unless it provenly works with full offline solutions I’ll remain sceptical.

        • darklamer@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          14
          ·
          1 month ago

          I like my stuff self-managed.

          Bitwarden / Vaultwarden is a popular available working solution for self-hosting and self-managing passkeys (as well as passwords).

          • EngineerGaming@feddit.nl
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            2
            ·
            1 month ago

            TBH I don’t see a reason why something as simple as a password manager needs a server, selfhosted or not. I don’t get the obsession with syncing everything, so would rather stick with normal KeepassXC.

            • Synestine@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              6
              arrow-down
              1
              ·
              1 month ago

              Have you never lost your password device (phone, laptop, etc) suddenly and unexpectedly? That’s when you really want that file synced somewhere else. But then it’s too late. Bonus on many password vault servers is shared folders, so one can share their garage door code with the family but keep the bank account details to oneself.

              • EngineerGaming@feddit.nl
                link
                fedilink
                English
                arrow-up
                4
                arrow-down
                1
                ·
                edit-2
                1 month ago

                No, but this is very unlikely because I do keep regular backups manually. I just don’t feel the need for it to be a constantly-online server.

      • RecluseRamble@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 month ago

        And who forces all the corps to correctly implement that protocol? Getting you locked in is in all of their interests, after all.

        • unskilled5117@feddit.org
          link
          fedilink
          English
          arrow-up
          4
          ·
          edit-2
          1 month ago

          I think it‘s fair to remain skeptical but the big organizations were part of the development, so there seems to be some interest. And it‘s not always in their interest to lock users in, when it also prevents users from switching to their platform.

          Development of technical standards can often be a fraught bureaucratic process, but the creation of CXP seems to have been positive and collaborative. Researchers from the password managers 1Password, Bitwarden, Dashlane, NordPass, and Enpass all worked on CXP, as did those from the identity providers Okta as well as Apple, Google, Microsoft, Samsung, and SK Telecom.

      • umbrella@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 month ago

        not the first time i hear this though. im skeptical until proven otherwise

    • Draconic NEO@lemmy.world
      link
      fedilink
      English
      arrow-up
      13
      arrow-down
      2
      ·
      1 month ago

      That’s a great way to lose access if your device gets lost, stolen, or destroyed. Which is why I’m against and will continue to be against forcing 2FA and MFA solutions onto people. I don’t want this, services don’t care if we’re locked out which is why they’re happy to force this shit onto people.

      • nevemsenki@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 month ago

        Well yeah, that is true. Security and convenience are usually at odds… MFA has place, unless you don’t mind some guy from russia access your online bank account ; but I definitely wouldn’t use it on all my accounts.

        • Draconic NEO@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          1 month ago

          Yeah and since Online bank accounts can also almost always be reset if you lose the 2FA/MFA key by calling customer support, or going to your bank and speaking with themt in person, there’s almost no risk of losing access completely. It’s a service you have access to because you’re you. Something that isn’t the case with Reddit, Github, Lemmy accounts, or Masotodon. I’m not able to regain access after losing those 2FA solutions by virtue of being myself, they treat you just like the attacker in those cases. Really not worth it there, both since what is being protected isn’t worth it, and the risk far outweighs it.

          • kiagam@lemmy.world
            link
            fedilink
            English
            arrow-up
            4
            ·
            1 month ago

            Access to my main email account (outlook) is currently blocked because someone decided to try a password from some earlier leak and locked it. It can only be unlocked with SMS MFA, which I can’t use because I’m travelling abroad. There is no other way to do it. The other option they give you a form that only works if you don’t have MFA set up (it says so on the faq). I even asked someone to fill the form from my home computer so the location data matches earlier accesses, but didn’t work. You also can’t contact support without logging in. If I had lost/changed that phone number for any reason, I would lose access forever. Luckily I will be back home soon.

            • Draconic NEO@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 month ago

              I had a similar scary situation like that before where the phone number linked to the account wasn’t mine anymore. Luckily I was able to get back because I was still logged in on another computer and it hadn’t kicked me out yet, I was able to go to account settings and remove the phone number, then google let me log into the account again. Had I been kicked out of the account, I would’ve lost it for sure.

      • EngineerGaming@feddit.nl
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 month ago

        In case the device gets lost/stolen, you should have a backup of the database that contained the passkeys. That’s why I would be only using the implementations that allow doing that easily.

    • rottingleaf@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      2
      ·
      1 month ago

      Y’all here talking so smart ignore another thing - the more complex your solutions are, the deeper you are into being hostage to everyone capable of making the effort to own you.

      Don’t wanna be hostage - don’t use corporate and cloud services for things you need more than a bus ticket.

      You are being gaslighted to think today’s problems can be solved by more complexity. In fact the future is in generalizing and simplifying what exists. I’m optimistic over a few projects, some of which already work, and some of which are in alpha.

  • Gutless2615@ttrpg.network
    link
    fedilink
    English
    arrow-up
    78
    arrow-down
    15
    ·
    edit-2
    1 month ago

    Literally just use a password manager and 2/MFA. It’s not a problem. We have a solution.

    • shortwavesurfer@lemmy.zip
      link
      fedilink
      English
      arrow-up
      45
      arrow-down
      3
      ·
      1 month ago

      Actually, it is still a problem, because passwords are a shared secret between you and the server, which means the server has that secret in some sort of form. With passkeys, the server never has the secret.

      • Gutless2615@ttrpg.network
        link
        fedilink
        English
        arrow-up
        15
        arrow-down
        5
        ·
        1 month ago

        The shared secret with my Vaultwarden server? Add mfa and someone needs to explain to me how passkeys do anything more than saving one single solitary click.

        • 4am@lemm.ee
          link
          fedilink
          English
          arrow-up
          23
          ·
          1 month ago

          When a website gets hacked they only find public keys, which are useless without the private keys.

          Private keys stored on a password manager are still more secure, as those services are (hopefully!) designed with security in mind from the beginning.

          • weststadtgesicht@discuss.tchncs.de
            link
            fedilink
            English
            arrow-up
            4
            ·
            1 month ago

            If a website with old-school passwords gets hacked, the hacker only gets salted hashes of passwords - this does not seem to be much worse?

            (Websites that store plaintext passwords surely won’t implement passkeys either…)

        • shortwavesurfer@lemmy.zip
          link
          fedilink
          English
          arrow-up
          12
          arrow-down
          1
          ·
          1 month ago

          Pass keys are for websites such as Google, Facebook, TikTok, etc. And then they go into what is currently your password manager or if you don’t have one, it goes into your device. You still have to prove to that password manager that you are, who you say you are, either by a master password of some sort or biometrics.

      • Programmer Belch@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        18
        arrow-down
        9
        ·
        1 month ago

        Best password manager is offline password manager.

        KeepassXC makes a file with the passwords that is encrypted, sharing this file with a server is more secure than letting the server manage your passwords

        • hikaru755@lemmy.world
          link
          fedilink
          English
          arrow-up
          15
          arrow-down
          1
          ·
          1 month ago

          This is not at all relevant to the comment you’re responding to. Your choice of password manager doesn’t change that whatever system you’re authenticating against still needs to have at least a hash of your password. That’s what passkeys are improving on here

        • shortwavesurfer@lemmy.zip
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          1
          ·
          1 month ago

          I agree, and that’s my method as well. Although I do not ever share the file with a server either. I only transfer it from device to device with flash drives or syncthing.

          • a baby duck@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 month ago

            How do you handle merging between devices? Do you manually transfer/sync every time you add a new password?

            Not trying to sell you on putting it in cloud storage or anything, but one really nice benefit to doing so is automatic merging through clients like Keepass2Android. If I add a new site to my phone and it doesn’t already have the latest copy of my vault, it’ll fetch and merge that first.

            • shortwavesurfer@lemmy.zip
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 month ago

              Technically yes I don’t have to use a desktop or laptop very often and do most of my computing from my mobile phone running lineage OS obviously and so what I do is if I add a password once every quarter at least I back it up to a flash drive so that if nothing else I will only lose a few months worth of data. I also don’t go signing up for accounts and services all that often since I am particularly interested in keeping my privacy. So very few modifications occur with my passwords in three months. If I absolutely must get a new password onto my laptop immediately, then I will go ahead and plug in my flash drive and manually synchronize whenever that is required as well.

      • huginn@feddit.it
        link
        fedilink
        English
        arrow-up
        7
        arrow-down
        3
        ·
        1 month ago

        You can share passwords without the server seeing them. Many managers don’t but there’s nothing infeasible there. You just have a password to unlock the manager. Done.

        • shortwavesurfer@lemmy.zip
          link
          fedilink
          English
          arrow-up
          9
          arrow-down
          4
          ·
          1 month ago

          What I’m getting at is that a web server has a password, in some form. And so if that site gets breached, your password itself may not get leaked, but the hash will. And if the hash is a common hash, then it can be easily cracked or guessed.

          • huginn@feddit.it
            link
            fedilink
            English
            arrow-up
            10
            arrow-down
            1
            ·
            1 month ago

            Ultimately I’m pro passkey but when it comes to password managers: if the hash of your vault is easy to crack you’ve fucked up big time. There shouldn’t be any way to crack that key with current tech before the sun explodes because you should be using a high entropy passphrase.

          • theherk@lemmy.world
            link
            fedilink
            English
            arrow-up
            4
            ·
            1 month ago

            Not anything sufficiently modern. Salted passwords should be exceedingly difficult to reverse.

    • huginn@feddit.it
      link
      fedilink
      English
      arrow-up
      27
      ·
      1 month ago

      Never forget that technologically speaking you’re nothing like the average user. Only 1 in 3 users use password managers. Most people just remember 1 password and use it everywhere (or some other similarly weak setup).

      Not remembering passwords is a huge boon for most users, and passkeys are a very simple and secure way of handling it.

      • funkless_eck@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        20
        ·
        1 month ago

        I work for multiple organizations. The majority of which have a Google sheet with their passwords in that are

              c0mpanyname2018! 
        

        Those that aren’t are

               pandasar3cute123? 
        
        • Echo Dot@feddit.uk
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          1 month ago

          At one point the organization I work for had a password that was literally Password-022!, guess what it was the following month?

        • Prison Mike@links.hackliberty.org
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 month ago

          I had to start hashing passwords and sending it to the haveibeenpwned API.

          I also fight with my users over data normalization because any time I add some rule (like don’t put “SO#” as part of the value of the “SO#” field), they’re too stupid to realize the point and find some other “hack” around it.

    • helenslunch@feddit.nl
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      1 month ago

      I mean, it is. Aside from an additional associated cost, it’s still much less convenient.

  • Aniki 🌱🌿@lemmings.world
    link
    fedilink
    English
    arrow-up
    57
    arrow-down
    7
    ·
    1 month ago

    I’ll switch when it’s fully implemented in open source and only I am the one with the private key. Until then its just more corporate blowjobs with extra steps.

    • 4am@lemm.ee
      link
      fedilink
      English
      arrow-up
      23
      arrow-down
      1
      ·
      1 month ago

      That’s exactly how passkeys work. The server never has the private key.

      • devfuuu@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 month ago

        And we all remember the huge drama about it because they allowed for taking the keys out and backup them up.

        • Kusimulkku@lemm.ee
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 month ago

          I think a big part of it was exporting them plain text by default. I’m in the “I know what I’m doing” camp but I guess for someone who doesn’t that sort of handholdy stuff not allowing the export them without encryption stuff makes sense.

    • huginn@feddit.it
      link
      fedilink
      English
      arrow-up
      10
      ·
      1 month ago

      Passkeys are an ancient authentication setup, have always been better than passwords and are finally getting traction.

    • priapus@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      9
      ·
      1 month ago

      What do you means by this? What part do you want to be open source? Passkey are just cryptographic keys, no part of that requires anything unfree. There’s aready an open source authentication stack you can use to implement them. You can store them completely locally with KeyPassXC for selfhost Vaultwarden to store them remotely. Both are open source?

  • rickdg@lemmy.world
    link
    fedilink
    English
    arrow-up
    46
    arrow-down
    2
    ·
    1 month ago

    If you tell corporations there’s a way to increase lock-in and decrease account sharing, they’re gonna make it work.

    • umami_wasabi@lemmy.ml
      link
      fedilink
      English
      arrow-up
      24
      arrow-down
      1
      ·
      1 month ago

      One is a new technical specification called Credential Exchange Protocol (CXP) that will make passkeys portable between digital ecosystems, a feature that users have increasingly demanded.

      I.e. I can copy my key to my friends’ device.

      • rickdg@lemmy.world
        link
        fedilink
        English
        arrow-up
        14
        arrow-down
        3
        ·
        1 month ago

        I believe that’s Apple talking to Google, not anything local you can own.

        • 4am@lemm.ee
          link
          fedilink
          English
          arrow-up
          8
          ·
          1 month ago

          Read the article, it’s literally about replacing Import/Export CSV plaintext unencrypted files with something more secure.

          I.e. moving your passwords/passkeys between password managers. This is not about replacing stuff like OAuth where one service securely authorizes a user for another.

      • _bcron_@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        3
        ·
        edit-2
        1 month ago

        I’m not in software but from what I read the importer sends a request and that request is used by the exporter and importer to encrypt and decrypt, so I think there’s a way to tweak the whole process a little and instead have both the exporter and importer ask Netflix or whoever to provide a key as opposed to using the request. Could be wrong tho

        • umami_wasabi@lemmy.ml
          link
          fedilink
          English
          arrow-up
          8
          ·
          edit-2
          1 month ago

          That’s not how Passkey, and the underlying WebAuthn works.

          (Highly simplifies but still a bit technical) During registration, your key and the service provider website interacts. Your key generated a private key locally that don’t get sent out, and it is the password you hold. The service provider instead get a puclic key which can be used to verifiy you hold the private key. When you login in, instead of sending the private key like passwords, the website sent something to your key, which needs to be signed with the private key, and they can verify the signature with the public key.

          The CXP allows you export the private key from a keystore to another securely. Service providers (Netflix) can’t do anything to stop that as it doesn’t hold anything meaningful, let alone a key (what key?), to stop the exchange.

  • Dasnap@lemmy.world
    link
    fedilink
    English
    arrow-up
    26
    ·
    1 month ago

    I always feel like an old granny when I read about passkeys because I’ve never used one, and I’m worried I’ll just lock myself out of an account. I know I probably wouldn’t, but new things are scary.

    Are they normally used as a login option or do they completely replace MFA codes? I know how those work; I’m covered with that.

    • narc0tic_bird@lemm.ee
      link
      fedilink
      English
      arrow-up
      10
      ·
      1 month ago

      Usually just an option in addition to a password + MFA. Or they just replace the MFA option and still require a password. I even saw some variants where it replaced the password but still required a MFA code. It’s all over the place. Some providers artificially limit passkeys to certain (usually mobile) platforms.

      • Semperverus@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        1 month ago

        All of those options are to NIST-spec. MFA means multi-factor. It doesnt matter what they are as long as they are in different categories (something you know, something you have, something you are, etc: password, passkey, auth token, auth app, physical location, the network you are connected to). Two or more of these and you are set (though, location might be a weak factor).

    • helenslunch@feddit.nl
      link
      fedilink
      English
      arrow-up
      8
      ·
      1 month ago

      It’s not unreasonable at all. I locked myself out of several accounts after everyone recommended keypass for TOTP and then I lost all the keys. Getting those accounts back was a fucking nightmare.

    • Sl00k@programming.dev
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 month ago

      I have passkeys setup for almost everything and on most sites I just enter my username then I get a request on my phone to sign in. Scan my thumbprint and it’s good to go. It’s actually so much simpler than passwords / MFA, but admittedly I haven’t had to migrate devices or platforms.

      I have everything setup through protonpass right now

    • PresidentCamacho@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 month ago

      Hey good for you, unlike everyone else in this thread making up reasons why the tech is bad, you are mature enough to recognize the fear is from ignorance. I am in the same boat. I’m currently using a manager with MFA on everything which works well for me. Might look into this tech once it’s baked longer. I don’t like the idea of early adoption to a tech when it’s security related.

  • Encrypt-Keeper@lemmy.world
    link
    fedilink
    English
    arrow-up
    32
    arrow-down
    9
    ·
    edit-2
    1 month ago

    ITT: Incredibly non-technical people who don’t have the first clue how Passkeys work but are convinced they’re bad due to imaginary problems that were addressed in this very article.

    • priapus@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      13
      arrow-down
      3
      ·
      1 month ago

      This is a weird thread. Lots of complaints about lock in and companies managing your keys, both of which are easily avoidable, the exact same way you’d do so with your passwords.

      • Sl00k@programming.dev
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        1
        ·
        1 month ago

        Also the people talking about added complexity? I’m convinced all the complaints are from people who haven’t set one up or used one and are immediately writing it off. Adding one is a single click of a button.

        Then to sign in I literally just get a thumbprint request on my phone after entering my username. It’s far far simpler than passwords and MFA.

  • NateNate60@lemmy.world
    link
    fedilink
    English
    arrow-up
    20
    ·
    1 month ago

    I still have no idea how to use passkeys. It doesn’t seem obvious to the average user.

    I tried adding a passkey to an account, and all it does is cause a Firefox notification that says “touch your security key to continue with [website URL]”. It is not clear what to do next.

    • JackbyDev@programming.dev
      link
      fedilink
      English
      arrow-up
      10
      ·
      1 month ago

      After my password manager auto filled a password and logged me in the website said “Tired of remembering passwords? Want to add a passkey?” I didn’t know what it meant so I said no lol.

      • Scrollone@feddit.it
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 month ago

        Me too, I don’t trust the system and I don’t want to be locked into a specific browser and/or device.

    • Echo Dot@feddit.uk
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      1
      ·
      1 month ago

      I think you actually have to buy a passkey device. Then configure it to work with a particular account.

      You plug the passkey into your computer and then whenever it asks for a password you literally touch it and it does its thing. I think there are options like biometrics that you can add on top but you don’t have to have that.

          • EngineerGaming@feddit.nl
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 month ago

            What are you talking about? KeepassXC, to my knowledge, is not dependent on any TPM, snd it does support passkeys.

            • xor@lemmy.blahaj.zone
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              5
              ·
              1 month ago

              devices themselves can act as passkeys

              I didn’t say a device needs a TPM to support passkeys - I said I believe it it needs one to be a passkey

              Thank you for your passive aggressive response caused by poor reading comprehension, though

              • EngineerGaming@feddit.nl
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 month ago

                From what I understand, “passkey” refers to software, so no such thing as “device being a passkey”. Unlike a hardware key.

                • xor@lemmy.blahaj.zone
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  arrow-down
                  1
                  ·
                  1 month ago

                  You understand incorrectly. “passkey” refers to a token used for the public key authentication that is used for sign in, which needs to be stored somewhere - this can be stored in a hardware key like a YubiKey, or in your device’s credentials manager. In principle, this could be anywhere, but it needs to be somewhere secure to not be trivial to compromise (eg taking out your HDD and just copying your passkey off it)

                  In Windows’ case, this secure credentials store is the TPM chip, which is why you are not able to use passkeys on Windows devices that have no TPM chip (unless you use another hardware implementation).

                  Tldr: passkeys are data, not software, and to store the data, you need some form of hardware, which needs to be secure to not be a really bad idea.

                  If you’d like to do some reading before confidently correcting me further, I’d suggest reading about how passkeys work.

      • NateNate60@lemmy.world
        link
        fedilink
        English
        arrow-up
        8
        ·
        1 month ago

        If that’s what’s needed, I can say with some certainty that adoption isn’t going to be picking up any time this decade.

        • Echo Dot@feddit.uk
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 month ago

          They’ve been around forever as a concept I think I even have one for accessing some servers at work. You’re right no one uses them.

  • 2xsaiko@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    24
    arrow-down
    4
    ·
    1 month ago

    I’m not convinced this is a good idea. Resident keys as the primary mechanism were already a big mistake, syncing keys between devices was questionable at best (the original concept, which hardware keys still have, is the key can never be extracted), and now you’ve got this. One of the great parts about security keys (the original ones!) is that you authenticate devices instead of having a single secret shared between every device. This just seems like going further away from that in trying to engineer themselves out of the corner they got themselves into with bullshit decisions.

    Let me link this post again (written by the Kanidm developer). Passkeys: A Shattered Dream. I think it still holds up.

    • unskilled5117@feddit.org
      link
      fedilink
      English
      arrow-up
      19
      ·
      edit-2
      1 month ago

      The author of your blog post comes to this conclusion:

      So do yourself a favour. Get something like bitwarden or if you like self hosting get vaultwarden. Let it generate your passwords and manage them. If you really want passkeys, put them in a password manager you control. But don’t use a platform controlled passkey store, and be very careful with security keys.

      The protocol (CXP) which the article is about, would allow you to export the passkeys from the “platform controlled passkey store” and import them into e.g. Bitwarden. So i would imagine the author being in favor of the protocol.

  • HubertManne@moist.catsweat.com
    link
    fedilink
    arrow-up
    24
    arrow-down
    8
    ·
    1 month ago

    The real problem is not passwords so much as trusted sources. Governments should have an email account that citizens have a right to and will not go away and have local offices to verify access issues.

    • Echo Dot@feddit.uk
      link
      fedilink
      English
      arrow-up
      7
      ·
      edit-2
      1 month ago

      I don’t want my government hosting my email.

      The last time they had to do anything important they stoled all the sensitive data in plain text in an Excel spreadsheet and then the spreadsheet got corrupted so they lost everything. Of course they didn’t have backups.

      • HubertManne@moist.catsweat.com
        link
        fedilink
        arrow-up
        1
        ·
        1 month ago

        well they deliver your mail. I am envisioning the same protections but also you don’t have to use it in general. but it would be how the government would send things to you. Also I have had corps almost constantly have a breach of my information but not once yet from the feds or my state.

    • helenslunch@feddit.nl
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      1
      ·
      1 month ago

      I bet the gov would love to host your email and have access to all the same info Google does…

      • HubertManne@moist.catsweat.com
        link
        fedilink
        arrow-up
        1
        ·
        1 month ago

        well they deliver your mail. I am envisioning the same protections but also you don’t have to use it in general. but it would be how the government would send things to you.

    • SirEDCaLot@lemmy.today
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 month ago

      No it’s actually pretty simple. No containers. Your passkeys can be managed in the browser (Google Passwords), by a plug-in like BitWarden, or in a third party hardware device like YubiKey.

  • narc0tic_bird@lemm.ee
    link
    fedilink
    English
    arrow-up
    9
    ·
    1 month ago

    My password manager supports passkeys just fine, across Windows, macOS, Linux and iOS (and probably Android but I haven’t tried). Surprisingly, iOS integrates with the password manager so it’s usable just like their own solution and it works across the system (not just in the browser).

    This seems to be more about finding a standard way to export/import between different password managers/platforms?

    • trevor@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 month ago

      Correct. The spec is about making it easier and more secure to export your passwords and passkeys when you move from one password manager to another. People are misunderstanding this as some sort of federated authentication system to share your credentials between multiple password managers at the same time, which it is not.

  • mlg@lemmy.world
    link
    fedilink
    English
    arrow-up
    7
    ·
    1 month ago

    I remember when Microsoft made a big deal about this on Windows and then their “implementation” was making the local signon a number PIN.

    And not a proper separate auth operation lol. You either set up almost everything with the PIN or use a regular password, not both. Makes it useless on enterprise.

    Realistically we should all be using a key/pass vault since that would make using passkeys much easier, but that’s too complicated for the internet in 2004 2024.

    If it were me, I’d just issue everyone a yubikey.

  • lemmeBe@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    7
    ·
    1 month ago

    It’s enough to read the title. The rest of the article doesn’t provide much else other than being one step closer. 😄

      • msage@programming.dev
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 month ago

        Does this require any 3rd party to work? I remember reading a blog, something about attesting the client, which was some big corpo like Google/Apple/Microsoft… that’s not for this, right?

        • Spotlight7573@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 month ago

          While the defaults are typically to use what the browser or OS has for storage and sync of the passkeys, you can use other things.

          Like KeePassXC:

          https://keepassxc.org/blog/2024-03-10-2.7.7-released/

          As for attestation to how the key is stored securely (like in a hardware key), Apple’s implementation doesn’t support it for iCloud ones, so any site that tries to require it wouldn’t work for millions of people. That pretty much kills it except for managed environments (such as when a company provides a hardware key and wants to make sure that’s the only thing that’s used).