And then…
The password manager can’t fill the form. You’ve got to change your 10-word, unique passphrase because it’s 3 months old. And you have to verify with a text.
Oh and then you have to type it in on your TV with a remote and on-screen keyboard.
Also you better hope you used the password manager for this obscure app you don’t remember signing up with.
It used a different URL for sign in so isn’t picked up by the password manager.
The password is too strong doesn’t accept Ukraine letters.
Dose your granny have the a password manager. She should but would she understand how it works.
alternatives to passwords are just excuses to harvest info
Not if it comes to hardware-based passkeys I would argue
true, but i would also argue that’s a much less utilised alternative. most people don’t even know what that is even though it’s a great redundancy.
they don’t need to know what’s happening when a panel pops up on their phone, says touch the fingerprint scanner, and enrolls a passkey. it’s on the companies
It is quite normal to ask for an email address at registration even when using password based authentication.
*it has been become quite normalized
No email would be fine for most people, but then there would be the small number of folks who will cry all hell when they forget their passwords and/or secret questions and can’t get in…
It was more or less the default many moons ago, then just a username became more common, now it is back to email or some third party login
Magic link is lazy 2fa.
Implement TOTP support, you lazy fucks.
What’s the 2nd factor? Email and what else?
Email is considered insecure as a 2nd factor. TOTP stands for Time-based One-Time Password. Usually you store a seed and that combined with the time generates a time based password. If someone intercepts it, it’s only valid for a certain time frame (I think about a minute or so), after which it’s invalid.
Yes but email is only a second factor when used in addition to a first factor (e.g. password). If it’s just magic link without password, then email is the only factor
I love FIDO logins and next to fucking no one implements them :(
And when they do they only offer them as the second factor.
Yes, let me first input my password (from a password manager), the let me approve with a passkey that is meant to make my password not necessary.
But email based login: FUCK THAT SHIT.
I actually prefer using FIDO2 as a second factor only cos I use YubiKey which can only store 100 RKs.
Depending on the security needs using hardware based security as a second factor while still requiring some other form of auth is not actually a bad idea.
What are they?
Public key cryptography tied to physical hardware, so if you lose your phone / usb key, you need to use your backup recovery code; a fairly short one time password that negates the security benefits of Fido in one easy step.
It can also use biometrics, but that requires every device you log in on to have biometric readers.
Or you could use multiple fido key’s as backups
Absolutely 100%. Click login, accept passkey signature, logged in. This is the way to go
As an autistic person I felt this in my bones. I cannot STAND email based authentication.
Very few things on the internet and computer actually need accounts. Everything requiring a login is a cancer.
Yes and no in most cases it is used to limit misuse somewhat but i absolutely agree that its taking over hand. God bless trashmails.
More people should use passkeys
Passkeys get undeserved hate
nah, too cumbersome and mistic
Password manager users living life on easy mode.
But you know what’s the safest way for us to keep your password safe? Not asking for one to begin with. By not creating a password with us you have no risk of it leaking, and we don’t have to deal with the responsibility of keeping it secure. The sign in link is going to your email, which presumably is protected with two-factor authentication, if you have it set up (which you should!).
https://www.404media.co/we-dont-want-your-password-3/
They had a follow up later too (paywall)
Passkeys ❤️
If they arent on a USB stick, protected against being copied, they are only a single factor that instill false safety.
Depends on the system. The thing where your password manager is managing your passkeys? That’s a single factor unless it’s doing something tricky that none of them do.
When it’s the tpm or a Bluetooth connection to your phone? That’s actually two factors, and great.I’m curious what you think tricky is?
For instance, 1Password requires your secret key for initial login/setup on a device along with the username and password. After initial login/setup the secret key is no longer required, but you still need the password to access.
I’d call that a fair trade off. Someone would need to know my password and have unfettered access to my previously set up device to login, or they would need to know the secret key.
The secret key is not stored by 1Password (the company). If you store it in 1Password and the last device is lost/broken/stolen then your account is essentially dead. You have no way to get back in.
It can totally be fine for your needs, and secure while it does so, and not be two factors.
It’s a question of what’s required for access. In this case, they would need your password and to have had some manner of device access at some point to steal the value used by 1password to verify you at one point had the secret key. Someone with a keylogger from a random untargeted malware infection could plausibly get sufficient information. It’s really good 1 factor.
To be two factor there would need to be a requirement for two factors to be demonstrated at auth time. For example, if 1password encrypted the passkeys in such a way that the passkey could not ever leave the device, like via certain types of hardware backed key storage, then unlocking the vault is proof of something you know, and the usage of the signature is proof you have the chip.
The trickery comes about in the techniques available to move the passkey between encrypted hardware devices without it ever being exposed or loosing the “device you control” assurances.For the record, I use 1password. Just not for passkeys on desktop. I prefer the Bluetooth connection to my phone, since phones currently do a much better job providing uniform targets for what’s needed to provide the proper two factor for something like passkeys.
Can it be copied from your phone? (e.g. by migrating your phone via a backup)
Then it can be compromitted and is essentially a single factor (because some website permit you to login via the key only).
Only if you’d need to completetly renew the key, then it’s truly secure.There are secure ways to transfer the key that preserve the properties that make it useful as two factors in one.
Basically, the device will only release the key in an encrypted fashion readable by another device able to make the same guarantees, after the user has used that device to authenticate to the first device using the key being transferred.
A backup works the same way.
Website wants you to make a passkey, go to login but the entry form only accepts the user name, then you have to click next to password which may or may not accept the passkey.
Is that FIDO? What’s the difference?
Or the obscure ways for 2FA/MFA. Passkeys are mostly cloud based. Yeah fuck no! The weakest Passkey is weaker than my usual random generated password, if the site don’t do any shady business and require a weak password. Hardware keys are luckily not pushed for usage. I don’t like them either. You require at least 2, for backup reasons. They also cost quite some money and they have zero auth. Just connect to usb and tap it. Also retrieving the backup and get a replacement for a defective one, takes some time.
Good old TOTP as 2FA is perfect, paired with a strong, random password. With my TOTP, I have an encrypted backup in my cloud, on my NAS, older backups in secure places and backup codes in several places. The TOTP App I use is open source and I have a mirror of the source code.
This should be enough security, if sites don’t screw up all the time. You can bypass 2FA all the time. Even the credit card company screwed up big time. Usually you get 2 separate letters, one with your pin and one with your card. Both came on the same day. Also I actually didn’t needed the pin in the first place. I was able to add the card to the app and see the pin there, without actually verifying anything, except the credit card number.
Maybe when passkeys are supported in my password manager, I will try it but so far it isn’t and switching is not an option, as it doesn’t support the features I need. There is an open issue for an alternative password manager, with that feature request and it has some people wanting it, but its still not added. But passkeys doesn’t fix the issue for me using stronger keys, it fixes the site owners to allow stronger keys but they are still not required to use it. Some devs are just weird. I’ve read one PR for an FOSS project I use, where someone wanted to implement a universal oath or such stuff, that would support all types of external authentifications. Nope, the dev refused the PR and they wanted to stay at the 2 proprietary implementations, for 2 services, even though this universal implementation would work with these 2 too. I can’t tell exactly what it was. I was experimenting with an auth service for my self hosted stuff, to not deal with several accounts and rights systems. This service was the first one which I wanted to switch and they didn’t wanted to support it, leaving me with the standard login.
What password manager doesn’t support passkeys these days?
Vanilla KeePass. The Dev isn’t interested to providing a communication outside of its program, but he clarified, that plugins have all the right access, to do that but as it seemed to the dev, there is no dev interested to making such a plugin. KeePassXC does support it but they are still missing entry templates. This is the only missing feature that is holding me back to switch.
What the hell are passkeys? I think outside deep tech forums, nobody knows what they are.
Simplest way I can think to explain it is that it’s similar in concept to SSL. If you understand SSL you should be able to understand passkeys.
Every hardware based key I ever used also required PIN, but as far as expense and backups, yes, for personal use the cost generally may not be justified. I got all my personal ones as a bundle that was on sale. For work I would argue that some businesses can easily justify the cost to create a rotating stock of hardware keys to deal with lost keys. Generally in that environment you have centralized PKI, where you can revoke the certificate on the lost key and then issue a new certificate on a new hardware key. This doesn’t help for all sign in methods tied to hardware keys, but can be very practical when implemented right.
I also agree on TOTP as the ultimate generic 2FA method, with several worsening options until the despised email or sms 2FA. I will also add that you can setup TOTP on modern hardware keys, where you must insert and complete PIN entry. The inconvenience is that you must have all your keys and password manager available at setup time for places that don’t support multiple TOTP codes.
I didn’t invested too much time into hardware keys but requiring additional software on other PCs, still is a no-go for me. With my current setup, I only need my smartphone and I always carry it around.
For business use, this is a whole different topic. With a proper setup, all machines would require the software and you shouldn’t access these accounts outside from company devices. Its also an expense which the company must carry and its easier for them to handle backups. Also in that Setup, you can have SSO/LDAP, where you can physically proof that you are you and requesting resetting the MFA. With an online service, they usually require a weak proof, like just the access to an email account.
I just needed to think of the scene from the Simpsons, where Mr. Burns and Smithers go all through the security checks and in the end, there is a flimsy open backdoor, where a stray dog entered the room. All security in the front doesn’t matter, if the backdoor is not secure at all and until the backdoor is that unsecure, I’m not willing to add money and time, to make the front door more secure.
You can force auth on hardware passkeys for every activation. A sort of local password. Much more secure, also if somebody is in possession of your passkey and you didn’t just loose it somewhere you would be fucked anyways.
I have three, one for home, one for backup, and one for travel. I can See why ppl. Are annoyed by that, but speaking of costs, you can get these starting from ~20 Dollars. Additionally, passkeys could and should replace passwords and not EB generally used as 2FA.
Also many password managers (incl. FOSS) do support Passkeys, but having them in your password manager makes them arguably useless. Same if you use 2FA on your phone and a password manager and your phone gets compromised somehow.
I quote myself from a different comment:
I just needed to think of the scene from the Simpsons, where Mr. Burns and Smithers go all through the security checks and in the end, there is a flimsy open backdoor, where a stray dog entered the room. All security in the front doesn’t matter, if the backdoor is not secure at all and until the backdoor is that unsecure, I’m not willing to add money and time, to make the front door more secure.
The phone argument lacks a bit. Accessing the TOTP App and the password manager do require a separate authentification, to get encrypted. Sure if they snatch my phone away, when its fully unlocked, including my password manager, they have access for a limited time. They need to be fast enough, until I can remotly lock it or until it automatically locks itself. Android phones can now detect when they are stolen. Either by the movement or when it goes offline. The latter I tested and it’s not instant, but you still don’t have long.
I don’t think about potential backdoors. If there is no known backdoor, then I deem it save. Sure they also could me to unlock the phone. This would be xkcd 538. And this applies to any security.
Adding more security and inconvenience doesn’t make sense to me, so long the backend is shit. So far a few big companies did screw up hard in their backend and dozens of smaller sites do some bad stuff, that it doesn’t really matter how strong your login is. Here I reference back to my quote.
In a closed system, like a company, this added security makes sense, as they usually control the backend as well. If my CEO would send me a text request to reset his logins, I would call him or walk to his office, and ask him directly. Sure with AI, they could impersonate his voice but I don’t think they can impersonate his way to speak.
Well Passkeys are a good step to enhance security and remove potential backdoors from companies for one. As you have your private key that cannot be easily imitated and is checked by the company that you use.
And generally speaking, your phone can be attacked via software without even having physical access. So if your phone is infected they gain access (at some point during usage) to both your password manager and your 2FA. It is just never a good idea to have multiple thongs in one place.
On a side note, with physical access to one of your devices for a longer time, most things can be accessed by a malicious actor.
Of course everything can be hacked. When I think something is compromised, then I need to change everything. So far I didn’t heard of any remote zero click compromise. With the fancy hacking tools of some companies, its not publicly known how they gained access. I suspect either physical access or some malware. But we are speaking on a high level of hacking, that most people don’t need to be scared off. At that level, there are other things to worry about.
When we just look at the dangers an average person might encounter, this level of security is fine. I do had accounts compromised and I can exactly tell what my mistake was. One was sharing my password with someone else and not knowing how secure his devices where and not having 2FA. The second one was that I used the same password everywhere. At this point I was switching to generated passwords and still didn’t had every account changed (the unimportant ones).
Of course Passkeys are by nature a more secure implementation, as you are unable to save plaintext passwords but there is one thing that this can’t solve and that’s being that they remove and reset your auth, without verifying your identity. Hackers still can steal session tokens and sites don’t need to require additional authentification, when altering your authentification.
A lot of motherfuckers typing in code with a keyboard need a beating with said keyboard.
If a programmer can’t get a login form right they need permabanned from ever shipping another release.
Recently finished a side project and I was glad I could go with pure login/pass auth. No email no oauth, just a pass phrase for account recovery. It’s refreshing and so damn simple.
On the other end, there is an excessive use of 2FA with systems for whom the concept of SSO seems to be a foreign thing. It’s also sort of funny that 2FA can just mean using a TOTP capable password manager, reverting it back to one factor.
It’s not actually reduced to one factor, just a single point of failure. If their password manager gets taken it’s a problem, however the generated TOTP is worthless in 1 min. So this will protect the login from cases where the password is known like a compromised website or a reused password.
If the site is compromised, then the hackers could have stolen the TOTP secrets as well as the passwords. How do you think the site verifies TOTP codes? If you reuse passwords while using a password manager, you are asking for it, though.
A full hack of every part of the service is not the only way a user’s password could get known to an attacker. Could be MiTM, could be typo-squatted, etc
If a site is that compromised no measure of auth is gonna help, so little use worrying about it.
A lot of the technology you use to connect over VPNs or over the Internet already addresses MitM. If it’s typo-squatted, you are sort of using password managers wrong. You do have the option of setting up TOTP elsewhere like on your phone authenticator so the point of failure isn’t on your side, I just think it’s sort of funny how easily you can make it be one.
But if a password manager is compromised then doesn’t the attacker also get the TOTP key which is what generates the codes in the first place?
It wouldn’t matter if it expires in one minute because they’ll have the token to generate the next code, as well as now knowing the password.
That makes it a single point of failure yes, and the rest of the comment you’re replying to goes into detail on what it does protect from even if both passwd and TOTP are in the password manager
Sorry i misunderstood what you were saying. I thought you were saying that if the password manager was compromised then the attackers would have only 1 minute to make use of the tokens before they change.
That depends on the manager. Good ones won’t have access to your stuff outside of an encrypted blob. Still, it’s generally better to use a separate authenticator.
This. This so much. Password+Totp based login is just two passwords where one is more annoying to use.
Not if your TOTP codes are generated by another device, then the attacker needs your password, plus the device holding the key for TOTP. If you use it on your phone and authenticator is your phone then a theif has everything when they steal your phone.
Hardware key for TOTP is a better 2FA method as its totally separate from your PC or phone
As long as the default recommendation is to use authenticator apps on your main device I’ll see this as a “could be good if implemented correctly, which it isn’t, so it isn’t good”
If you can get at a password by hacking a website, I wouldn’t be holding out hope that they couldn’t then steal the TOTP secret.
I mean yes everything is hackable. Thankfully the hardware key supports FIDO where there is a public / private pair with private locked on the hardware. Not enough services support this though.
So threat is being targeted and having somebody steal the hardware key.
Magic link only is the wirst kind of login systems. However, I don’t know any big real companies that use this.
If you don’t like passwords, just use passkeys.Wasn’t passkeys basically “passwords, but Google has control of them”?
dont think so. what i gatherd passkeys is a public/private key scheme, much like pubkey auth in ssh logins.
Its still just a single factor if some body steals your private key.
Yes, buts it’s not something that can be easily guessed or found on a post it on the monitor
True dat. But if they compromise your computer the first thing the look for is key files.
Like my ssh keys are in a root permission file. Protected from general sight, but if somebody compromises my PC with a CVE on then goodbye keys.
At least with hardware key it is removable and requires a button press.
So accessing becomes physical access or quantum computer cracking
Its never transmitted, can be stored in HSMs. Anything that’s handled wrong is unsafe
Steals it from your system I meant. Which has even happened to security pros.
Phew!
Not even close.
Passkey is a generic technology not specific to any vendor. While there are a few versions of it, the long story short is it uses an encryption key you have to authenticate you rather than a password. This makes phishing extremely difficult if not impossible.
There’s lots of passkey implementations. All the major browsers have one built in with their included password managers. Most good password managers like BitWarden or 1Password also support pass keys. And if you want to be extra secure, the passkey can be an actual hardware token like a YubiKey.
So yeah you see Google pushing passkeys a lot, and if you use Google password manager it will store your pass keys. But you also see Apple pushing it, and Microsoft also.
Slack (except when with SSO). You have to go out of your way to find the settings page outside of the client to set a password.
Anthropic
Booking.com (at least in Germany) only useagic links for some time now. I hate it.
Home depot does
