Perhaps this is something I shouldn't be feeling, but this bothers me and I do not know why.
I can see that you might not want it exposed to the user to prevent social engineering but at the same time, if I can't view then I don't feel like I actually own it. Is there a mechanism that might exist to help me not feel this way? I am totally new to passkeys as a concept as well, but I understand the larger goal.
> you can no longer manually type the passkey in on random devices that don't have your password manager on it
This is a huge problem, though. My password manager has no online component, and only runs on my phone. On purpose.
When I use it, the password manager shows me the password that I need, and I type it in manually.
I could change to a different method, but then I lose a lot of flexibility. I can no longer log into things from machines other than my own.
Things like Yubikey address some of this, but then I can no longer log into machines unless I have sufficient physical access to plug the key in.
To be clear, I'm not arguing that any of this means passkeys aren't desirable, but I am saying this to point out that passkeys are not functionally equivalent to passwords, and passkeys do restrict some kinds of use.
> Passkeys are a new way to sign in to apps and websites. They’re both easier to use and more secure than passwords, so users no longer need to rely on the names of pets, birthdays or the infamous “password123.” Instead, passkeys let users sign in to apps and sites the same way they unlock their devices: with a fingerprint, a face scan or a screen lock PIN. And, unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.
I HATE paragraphs like this. It's as if you're purposely obfuscating what they really are.
>Passkeys are a new way to sign in to apps and websites. They’re both easier to use and more secure than passwords, so users no longer need to rely on the names of pets, birthdays or the infamous “password123.”[1]
Hmmm... are THESE the vectors people are considering when they make these things? I mean, it makes sense, but it does put it in a whole different perspective.
Am I correct to think that these aren't real problems if you use passphrases instead of some cliched password?
Because you can steal my phone and get through the lock screen to access all my stuff with the passkey, but you can't get my master password out of my brain unless you put a probe in it.
> there's no social-engineering technique someone can use to get you to copy and paste your passkey to an enemy
This is a deep, fundamental flaw in passkeys. It's just another example of enshittification disguised as denying end-user control "for their own good." There is no for-profit organization anywhere that I trust more than I trust myself, and there's no threat model where it's more likely I'll be socially engineered into giving up my long random password than that I'll suffer data loss.
> It got worse. Rather than dotting out the passwords and requiring you to click on them to reveal them, the passwords were just sitting there in plain sight for all to see.
Isn’t this only once you authenticate with password or biometrics? The passwords are shown in clear text so they can be cut and pasted for use.
I don’t think this is a risk as it means someone gave you access to the device password in the first place.
> The generalized solution to this is allowing 3rd parties to be your passkey provider, so that you can choose how your passkeys are stored
The password manager I use has no cloud component (which is why I chose it), and addresses this by allowing me to export my password collection to an encrypted backup file.
Would this be a thing that the passkey folks would be OK with? That would ease a lot of my hesitation.
> I still don't understand what problem passkeys solve for me that my random passwords in my password manager didn't already solve.
I just don't understand them at all. As in, I somehow can't wrap my head around what they are.
My current understanding is that they are like NIH client TLS certificates, but whose content you can never even read (not even the encrypted bytes), that you can't backup (because you can't read), and that's why you have to use a proprietary device with custom hardware from a random company to act as a middleware between your actual secrets (hidden in-device) and you, and trust that device and company to handle the auth for you.
At least that's my current understanding, as far as the details I could find about them (my search terms seem to be failing me). If I could understand them better, maybe I wouldn't be so pessimistic.
So, given that that's how they look to me, they rank pretty low in my trust scale of stuff that I should let handle my auth, including ownership of any secret material. That scale currently looks like this (most trusted first):
(1) Open source software > (2) Desktop computer components that you can plug into motherboard > (3) Smartphones > (4) Let Google/Apple/Microsoft generate and control my secrets > (5) USB sticks from random companies.
(P.S.: Yes, computer components are closed, but even if I don't completely trust them they still rank higher based just on them having existed for longer, so you kinda know what to expect and how incidents are handled.)
> Sensitive info belongs to a password manager which limits it to the domains the data belong.
So all that stands between you and being in this exact situation (or worse, since passwords) is your password manager's url comparison?
I refuse to use LastPass - the interface is horrible (probably because you're expected to use the browser extension). But I don't want my password manager anywhere near my browser. I'd really rather have to take an affirmative action in order to release each individual piece of information so I know what I'm disclosing and to who.
> Passkeys have no easy way to extract the private key and do not request to enter the private key to authenticate.
Sure they do. All somebody needs is the password to your password manager. It's a single point of failure, and by putting your passkeys in there too, you've made it even more vulnerable.
Do you put a passkey on your password manager that exists outside of that ecosystem? Once you have that why not just use it for everything?
The parent wasn't giving security advice. They were asking a valid question.
I use pass <https://www.passwordstore.org/> to store and get my BitWarden master PW. Pass is encrypted by a PGP key residing on my HW token/smart card and encrypted with a good but (for me) memorable PW.
In my case it's not really due to paranoia, but I already had pass in use for critical and very important credentials before, and I 1) was only evaluating BitWarden first and 2) did not want to remember two master passwords, so I went for this approach, and it works out quite well for how I use BitWarden (basically only on my workstation, where I require my HW token anyway).
> Passkeys can make it harder to switch password managers because the password managers are designed not to let you copy-and-paste a passkey, including from Google's Password Manager to Apple's Password Manager.
This part right here is what I fear the most about Passkeys. I've read too many horror stories of people getting banned from Google (often for no valid reason) and losing access to all of their data. It is absolutely insane to hand over all your passwords to a company like this.
> So you can't imagine how owning the passwords...
Emphasis mine.
That's the thing that bugs me about 1Password's recent moves. They don't own my passwords and I don't want them to own them. They're my passwords, and I want to store them how I want. Not be at the whims of 1Password's business strategy.
> This doesn’t actually pose much additional security risk because by hypothesis anyone who can read this file has read access to your current private ssh keys already.
Yes, but they don't have access to my password. That's kind of the point. Having a password-protected private key file is much less useful without the password. If you're going to store the password, might as well just remove it and save yourself the trouble.