I like passkeys but like pretty much any tech trend I think positively about there MUST be some kind of downside corporations want me to ignore by using it so they can leverage more control over my life without me knowing so inform me.
Instead of a password you have in your brain and they can't extract, the passkey is stored and can just be extracted for convenience
>>108567841
Passkeys are generated on a device-by-device basis. The other side doesn't have the authentication token, it just receives the authentication token from your device and your device's passkey is secured and validated via biometrics.
Passwords require security at both ends.
Facial recognition seems to be hard to break. Scammers are using weird workarounds to get verified on certain services.
https://youtu.be/6PChc6WwI2I
https://youtu.be/rjxAYdUe8uU
>>108567943
And? My point still stands, if they can read out the secure storage of your device, which can be assumed, they can access every site
Password managers support sharing passkeys between devices, which also kinda defeats the purpose
Corporations want you to store passkeys on their cloud sync service so that you're reliant on them to log in to all your shit. You should be able to use a cloud service of your choice instead, a hardware key, or an OS/platform key.
>>108567943
If they can send a passkey to your phone, they can send a passkey to their servers
>>108567211
if your phone breaks, it's over.
>>108567841
Do you store SSH keys in your brain too? Cause passkeys are just SSH keys for normies.
>>108568021
You don't even know why. It's because everyone implements passkeys wrong.
They should be stored as one-to-many in a database, one account can have multiple passkeys.
Yet everyone just adds a passkey column in the account table and calls it a day.
A column or one-to-one relation locks the user to a single device if the passkey cannot be exported or synchronised via the network. If the device is stolen, corrupted, destroyed or lost then the account holder is locked out of the platform.
>>108568108
>You should be able to use a cloud service of your choice instead, a hardware key, or an OS/platform key.
It's already like that. I can pick any installed password manager as my password and passkey handler. See pic rel.
>>108568128
A passkey is tied to a domain and is managed by the secure element of your device. The private key is never leaked by the secure element.
>>108568141
even *if* we assume no cloud sync, alternative login modes, account recovery options, and the private key being unextractable by design... you should have more than one device/key authorised at all times, precisely for that reason.
>>108568180
>you should have more than one device/key authorised at all times
why? what if both break at the same time or you lose both to a tragic boating accident?
You really expect people to keep multiple keys, even off-site, and then do that for every site they need a passkey for? don't these shit keys usually have some pathetically low number of key slots too?
fuck off. this shit is turbo aids. It's pathetic we've had asymmetric auth mechanisms like X.509 client certs, SSH keys, etc. and we reinvent a really mentally retarded and pointlessly constrained variant of the former.
>>108568172
>It's already like that.
Yes, but not on all operating systems / web browsers. Linux desktop and Windows 10 don't have platform keys. And I have no idea whether I can, for example, plug my Trezor wallet into an iPhone and use that to authenticate on Safari.
>>108568172
My ssh key is secured by a password in my brain yes, not a "secure" enclave on a device unknown entities can potentially access (or just put your finger on the device)
In theory passkeys sound nice but the reality is that they make it easier for agencies to access your shit
>>108567211
>there MUST be some kind of downside corporations want me to ignore by using it so they can leverage more control over my life without me knowing so inform me.
Yes. Until the export and import are standardized (they have been stuck in the draft stage for years by now), you're basically trapped into the ecosystem bubble to which you bound your passkeys. So with Android it would be Google, with iOS - Apple, with Windows - Microsoft and so on.
>>108567211
>puts sign in with other device at bottom
>probably puts you through an even shitter and more annoying option modal
kek how is this shit legal?
>>108568196
I'm not telling you or "people" to do anything. I'm saying that even if one were to choose to go down the autistic route with no backup/sync/recovery of any kind, it's still not "over" so long as you have another device to authenticate the others. I'm already kind of used to this sort of mentality from things like Wire/Element, instead of using some kind of cloud key backup I always made sure to have more than 1 active session.
>>108568196
>don't these shit keys usually have some pathetically low number of key slots too?
You're either misunderstanding how it works or are thinking about something else entirely.
PAKE solves the retarded MitM question. mutual TLS or out of band digital signatures solve both the MitM question and remove secrets from the server. The real question I have is, why wasn't serious consideration given to simply providing a proper SASL Auth API in the web that servers and browsers could rely on? Passkeys are just another talmudic powergrab and the fact that import/export is still not ratified or that members of passkeys had melties about keepassxc should be enough proof of it. If you use this shit willingly, you're probably retarded.
>>108568218
What are you on about? You can choose your own passkey manager software on all those systems...
I like pattern authentication systems that rely on random characters in a grid where you type out the characters in the sequence that makes up your pattern.
>>108568200
Use up to date software and ditch crappy OSes.
They are already available everywhere.
>>108568217
>not a "secure" enclave on a device unknown entities can potentially access
Passkeys cannot be phished. Your SSH keys with password protection can be phished.
>they make it easier for agencies to access your shit
Just live in a country with no key disclosure laws: https://eylenburg.github.io/countries.htm
>>108568276
That anon meant exporting existing passkeys from one password manager and importing them into another.
It did not mean switching to a different password manager.
>>108568371
>ditch crappy OSes.
Nonfree cuck shill, begone.
>>108567211
yeah, downside is that if your only device is an iPhone and you lose it, or it gets destroyed, or someone steals it, you are going to be completely FUCKED
1. you won't be able to get into your own phone, because you need a second apple device to authenticate you
2. the 2 factor authentication apps do not save credentials to cloud, so if you have microsoft/google MFA, you have to manually transfer both, if you do not have an alternative -- you are fucked.
3. Many applications on your phone do not transfer authentications, and require relogin, so again you need two devices for a few weeks until you can be confident that everything transferred.
>>108567841
so you reuse passwords?
>>108568128
passkeys are generated on your device, it never leaves your device. the server never sees it.
>>108568217
My passkeys are also secured by a password in my brain, that opens my password manager where they are stored.
>>108568371
>exporting existing passkeys from one password manager and import them into another
It's up to each password manager to support that. If this is a useful feature to someone then they should use one that supports this to begin with. To me, the key never leaving the device is a feature.
>>108568686
If importing and exporting passkeys between password managers were standardised then they would just follow the spec.
In the end, it's the user who wants to transfer data, why shouldn't he be able to do it?
>>108567943
>Passwords require security at both ends.
Everything requires security at both ends.
>>108567211
well, the password managers from corps hold your passkeys hostage, which the protocol can't prevent. keepass supports passkeys though, and it allows you to read them
>>108569005
I would think passkeys would just be a one-directional, transient exchange. You register your passkey host the first time you set up the passkey so the platform you're logging into knows you have a passkey, then from that point on whenever you need to log on you only authenticate to your device and then your device sends a token to the other end that it approved your credential.
The only thing the other end needs to know is that you registered a passkey and receive it when an authenticated passkey token is sent.
>>108568552
except when you sync your keychain to icloud of course
>>108567211
They're just public/private keypairs simplified for normies. The downside is that if/when your phone dies, if you haven't backed them up anywhere and if you haven't saved all your recovery phrases (I know you haven't) then it's going to be a massive pain in the ass to get into any of your accounts
>>108569062
Even if you do, the authentication has to happen local to the device. The cloud has your passkey but it still requires you to authenticate yourself to the local device that is transmitting the approval to actually use it.
>>108569069
At least for me that's why if I'm able to create a passkey for anything I always make sure the first one I make is on an iCloud device so any iDevice I authenticate to can send the necessary login approval. I'll add Windows-generated passkeys later if I have a fingerprint or facial scanner on that particular PC but those are ancillary passkeys to my iCloud-connected passkey.
I guess if I get super pissed at Apple and never buy another iDevice again then I'll have to rethink this but that hasn't happened yet.
>>108567841
They can read and interpret your brain signals now. Nothing is safe
>>108569069
>They're just public/private keypairs simplified for normies.
But doesn't that require the private key to be known to both sides? This system doesn't require the recipient to have the private key at all, since all it's doing is just waiting for an approval from the device at your end and the device at your end is doing all the authentication internally with no actual private data being transmitted back to the other party. The remote party simply knows you have a device that was used to create a passkey on their platform and when that device sends an all clear to log you in.
Also I like that this is a self-contained 2FA, also reducing the number of steps needed to log in but keeping the same principle of "have/are/know".
>>108569128
Okay, now that I wrote it out, you're right, that's just PKI (the recognition that the passkey exists and the device housing the passkey is the "private key at both ends") but, still, with this you don't need to transmit any sort of authentication data to the remote party so in that regard I think it's still superior to standard PKI infrastructure.
>>108569049
If your device is compromised you cannot trust that your passkeys will be secure.
>>108569188
Yes but no more so than having a password manager and/or 2FA credential vault that you access through the device as well. If your device is compromised and you access your password manager/2FA hive from it then you're just as fucked, which is not far enough afield to discredit passkeys specifically.
>>108567943
>>108568172
passkeys are stored on a device you don't own
my ssh key is stored on a device i do own
so
>>108569204
Yes.
Which is why everything requires security at both ends.
>>108569210
>passkeys are stored on a device you dont own
If you count your phone or computer as a device you don't own (which could reasonably be argued for).
>>108569232
Well certainly passwords have a lot more ways to do security wrong. 2FA is a good band-aid for the potential insecurities of straight password authentication (since you can't see exactly what the remote party is using to keep your password confidential and/or obfuscated) but passwordless does seem to be the way forward in an era where "something you know" just feels incredibly weak.
>>108568318 (which I also posted) feels like the only truly safe "something you know" left (since the characters you're typing are never the same twice, the only thing you know is the physical placement of the characters you're typing on your screen).
>>108569062
>icloud
oh you're one of those
stick to using your fingerprints, passkeys and passwords are too complicated for you
>>108569210
you can also store your SSH keys on google
and I store my passkeys in a local password vault like keepassxc
so
passkeys are stored on a device i do own
ssh keys are stored on a device you don't own
see how retarded you sound?