Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing… that lives on my phone? What if I lose my phone? What if you steal my phone?

  • 0nekoneko7@lemmy.world · 9 months ago

    People are making things more complicated than they already are. I simply keep my passwords and passphrases inside my memory.

    P.S. My password is not ‘Password123456’

    • Darkassassin07@lemmy.ca · 9 months ago

      How do you remember 70+ different password+username combinations?

      Or do you just re-use passwords…

      • 0nekoneko7@lemmy.world · 9 months ago

        I have a pattern system for every new password. So I just have to remember the pattern of things (a pseudo-algorithm) that I use to generate new passwords. I won’t say that it’s uncrackable. But it works for me. And I don’t think anyone cares enough to go after my passwords.

        • Darkassassin07@lemmy.ca · 9 months ago

          The problem I have with a system like that is it doesn’t account for leaked passwords/data breaches.

          When you find one of those services has had a data breach and your password was compromised, you’ve now gotta adjust your mental algorithm to make an entirely different pattern, either for every site, or you’ve gotta remember each of the changes you’ve made for specific sites.

          Long term it turns into a mess.

    • ryathal@sh.itjust.works · 9 months ago

      The real solution is to only remember one or two passwords and have widespread OAuth adoption. Instead of having to sign up with every possible website and app, I should only need a couple of Google/Facebook/Apple/Steam/GitHub/Amazon/PayPal/whatever.

    • LastYearsPumpkin@feddit.ch · 9 months ago

      There’s no way for the average person to keep up with remembering unique, strong passwords for all the sites that require them.

      You either have to write it down, save it in a password manager, reuse passwords, or have simplified passwords or patterns.

      • leftzero@lemmynsfw.com · 9 months ago

        There’s no way for the average person to keep up with remembering unique, strong passwords for all the sites that require them.

        Passphrases with a simple formula to make them unique for each site.

        You just have to remember the formula, you get a strong unique password for each site.

        Easy and safe, and doesn’t tie you to a single point of failure like a specific device or a password manager.

        Add two factor authentication on top (with multiple options, of course, otherwise you’ll get locked out once you inevitably lose the second authentication method), and you can even safely use it from third party devices which you don’t want to remember how to access your accounts.

        • subtext@lemmy.world · 9 months ago

          Except if your “formula” is to make your passwords

          Twit-(password)-ter

          …it’ll be exceedingly obvious if someone were able to get your password from Twitter and then credential stuff at any other website. That’s not real security.

          Also, a password manager doesn’t have to be a single point of failure. First of all, they have like 3 or 4 points of failure before they actually lose anything, and you can always make an export or go back to a pen and paper password journal if you really want to make an offline second point of failure.

      • UsernameIsTooLon@lemmy.world · 9 months ago

        Just have full on sentences or phrases. My professor told me once his old password was GoofyMickeyDonaldMinnieDaisy$1234567890 if it didn’t have a character limit. Otherwise he omits a character or two.

          • johannesvanderwhales@lemmy.world · 9 months ago

            Yeah password re-use is the main method of cracking passwords. That obscure site that you think “oh I don’t need a good password for this because it’s a site I don’t care about”? Guess what, they have shitty security practices, and now crackers have access to every site where you’ve used that same password.

        • Patches@sh.itjust.works · 9 months ago

          We’re supposed to take security advice from someone who freely gave their password out?

          But in all seriousness, yes, phrases are better. You don’t need the money symbol or 1234567890, especially if it makes it harder to remember.

          You can even have each phrase be the website. TargetSucksMonkeyDick, BestBuySucksMonkeyDick are secure passwords.

          • LastYearsPumpkin@feddit.ch · 9 months ago

            Which is KIND OF ok unless someone looks at a password breach list and figures out your super simple pattern. And I’m sure the rise of AI being used in password breach attacks will just make it more automated.

            Real, true, random passwords/tokens are really the only way to actually be safe. Which means you have to use a password generator, AND something to save the password.

        • butterflyattack@lemmy.world · 9 months ago

          Phrases are definitely more memorable than forcing people to use capitals, numbers, symbols, all that shit. But there are just so many passwords to remember.

        • Gladaed@feddit.de · 9 months ago

          You are not supposed to have any relation between the words. This password is vulnerable to a dictionary attack. If you are not a high value target you should still be OK.

      • RippleEffect@lemm.ee · 9 months ago

        My vote is password manager. You can use 1 really good password for it and as many stupidly good passwords anywhere else since you’re likely auto filling or pasting it in.

        Just, if you’re using it locally, remember to take a backup.

      • Ookami38@sh.itjust.works · 9 months ago

        Assuming you have a strong base password you aren’t concerned with being broken, you can use that, followed by a unique identifier for what you’re logging into, so every password is essentially the same, but also unique. Something like, translate the lyrics to a song (say, Without Me by Eminem) to first letters and punctuation, 2tpggrto,rto,rto, and add the identifier.

        2tpggrto,rto,rto-goog 2tpggrto,rto,rto-faceb

        This is essentially how I manage my passwords that I want to actually remember. Just make sure you’re not SUPER obvious with how you make the identifier, perhaps -g0og or -f4c3b0ok. And no, I don’t use that song lol.

        • KairuByte@lemmy.dbzer0.com · 9 months ago

          This is essentially the same thing as using the same password everywhere.

          Yeah, they are unique. But if one is broken, they are all essentially broken.

          • blackbirdbiryani@lemmy.world · 9 months ago

            Only if you’re specifically targeted. I know enough regex to know that nobody is going to bother trying to parse known passwords to identify patterns like that when there’s a billion suckers who use ‘password123’ for their bank accounts.

            As long as the pattern is not super predictable, and aren’t dictionary words, nobody is brute forcing that.

            • subtext@lemmy.world · 9 months ago

              Even a minute mental load at everything you need to log into in a day is still more than the zero mental load I have when using a password manager.

              It’s not just more secure, it’s far more convenient. Plus once you start to share a life with someone, you can share all your accounts and passwords effortlessly as well.

            • KairuByte@lemmy.dbzer0.com · 9 months ago

              These would be extremely easy to detect with regex. Just look for the service name in a password, including common leet speak conversions.

              Password123-Facebook then easily becomes Password123-GitHub or Password123-Walgreens.

              I can assure you, if I was a bad actor that got my hands on a password dump, I’m checking for these kinds of passwords pretty early on.
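KairuByte's point that a site-name suffix is trivially detectable, including the leetspeak variants (-g0og, -f4c3b0ok) from Ookami38's scheme further up, can be turned into a defensive check that a password manager audit or registration form runs before a password is accepted. This is an added example, not code from the thread; the substitution table, the prefix/split heuristics and the sample vault are constructed.

```python
import re

# Constructed leetspeak table (an assumption for this example, not from the thread):
# each letter maps to the characters it is commonly swapped for, itself included.
LEET = {
    "a": "a4@", "b": "b8", "e": "e3", "g": "g9", "i": "i1!", "l": "l1",
    "o": "o0", "s": "s5$", "t": "t7+", "z": "z2",
}


def leet_body(name: str) -> str:
    """Regex source matching `name` with any mix of the LEET substitutions."""
    return "".join("[" + re.escape(LEET.get(ch, ch)) + "]" for ch in name.lower())


def contains_service_name(password: str, service: str, min_prefix: int = 4) -> bool:
    """Return True when the password embeds the service name in a guessable way.

    Three forms are checked, all case-insensitive and leetspeak-tolerant:
      1. the full name anywhere in the password             (Password123-Walgreens)
      2. a prefix of at least `min_prefix` letters anywhere  (...-g0og, ...-faceb)
      3. the name split around the rest of the password     (Twi-...-tter)
    """
    service = service.lower()
    if not service:
        return False
    # Forms 1 and 2: longest prefix first, down to min_prefix (or the whole
    # name when it is shorter than min_prefix).
    shortest = min(min_prefix, len(service))
    for k in range(len(service), shortest - 1, -1):
        if re.search(leet_body(service[:k]), password, re.IGNORECASE):
            return True
    # Form 3: head anchored at the start, tail anchored at the end.
    for k in range(2, len(service) - 1):
        split = "^" + leet_body(service[:k]) + ".*" + leet_body(service[k:]) + "$"
        if re.search(split, password, re.IGNORECASE):
            return True
    return False


def audit(credentials):
    """Return the services whose stored password embeds that service's own name.

    `credentials` is an iterable of (service, password) pairs, e.g. taken from a
    password manager export. Flagged entries are candidates for rotation.
    """
    return [service for service, pw in credentials if contains_service_name(pw, service)]


if __name__ == "__main__":
    # Constructed sample vault mirroring the patterns discussed in the thread.
    sample = [
        ("google", "2tpggrto,rto,rto-g0og"),
        ("facebook", "2tpggrto,rto,rto-f4c3b0ok"),
        ("walgreens", "Password123-Walgreens"),
        ("twitter", "Twi-hunter2-tter"),
        ("github", "correct horse battery staple"),
    ]
    for svc in audit(sample):
        print(f"{svc}: password embeds the service name, rotate it")
```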

  • Feathercrown@lemmy.world · 9 months ago

    Ok so 2FA is based on things you know (passwords), things you have (devices), and things you are (biometrics).

    I could see passkeys replacing the phone portion of a 2fa, but replacing a password? That can both invalidate the point of 2fa (verifies you have a device twice) and kill the benefits of having a password (if I lose my device I can still login, if it’s stolen the attacker can’t access all of my accounts).

    • fcuks@lemmy.world · 9 months ago

      wouldn’t it be 3FA with biometrics also? Thanks for your explanation btw

      • shalafi@lemmy.world · 9 months ago

        Ideal MFA:

        Something you have.

        Something you know.

        Something you are.

        If getting married, add:

        Something blue.

        • Vordimous@lemmy.ml · 9 months ago

          Fun fact, I frequently use the word blue as my security question answers. Not all of them but enough that even if a person got to “know” me enough to know what city I was born, they wouldn’t know which answers are true or which are blue.

          • sobriquet@aussie.zone · 9 months ago

            I use my password manager to generate the answer. My mother’s maiden name is CzyHcjMKMfwT4tZ7HXbavQrOPo and my first pet was Avhu6FqPTRsWwafA, but we called him Avhu for short.

            • Vordimous@lemmy.ml · 9 months ago

              All of that and the IRS will still ask what street your first pet’s mom died on.

            • capital@lemmy.world · 9 months ago

              I used to make them quite long until I was asked to confirm my identity over the phone using one once hahaha.

              Now they’re max 10 alphanumeric characters and all lower case but still random.

              • subtext@lemmy.world · 9 months ago

                I think it makes it even better when I have to read out my 30 character alphanumeric first girlfriend’s dog’s birth town’s name over the phone… they’re certainly gonna know it’s me calling lol

                The absolute best is when you get to choose the security question and you can just put “read the Bitwarden secret.”

                • sobriquet@aussie.zone · 9 months ago

                  I like to think that if enough people ended up taking 10 minutes on a support call to validate someone’s identity, when it should take 10 seconds, maybe the companies would learn to stop asking stupid security questions. I like to think that, but in reality nothing will change.

          • Captain Aggravated@sh.itjust.works · 9 months ago

            Yeah security questions like that are the dumbest goddamn thing. “Create a super secure password that no one can guess, and enter the answers of five trivia questions about yourself that are likely in the public record about you or that you’ll happily reveal in small talk with strangers just in case you forget that super secure password.”

    • Spotlight7573@lemmy.world · 9 months ago

      Passkeys are protected by either your device’s password/passcode (something you know) or your device’s biometrics (something you are). That provides two factors when combined with the passkey itself (something you have).

      The benefit of the password is only available if you know your password for your accounts or if you have a password manager. People can only remember a limited number of passwords without resorting to systems or patterns. Additionally, with many accounts now knowing the password is not enough to log in, you must either be logging in from an existing device or perform some kind of 2FA (TOTP, SMS, hardware security key, etc). So you already need to have a backup device to log in anyways. Same with a password manager: if you can have a copy of your vault with your password on another device then you can have a copy of your vault with your passkey on another device. Nothing gets rid of the requirement to have a backup device or copy of your passwords/passkeys if you want to avoid being locked out.

      • Giooschi@lemmy.world · 9 months ago

        People can only remember a limited number of passwords without resorting to systems or patterns.

        People also don’t have a backup device though.

        • Spotlight7573@lemmy.world · 9 months ago

          People also don’t have a backup device though.

          And that’s a problem with most authentication factors and with how most systems don’t rely on just the password anymore. If you don’t have a backup device, you’re going to run into issues.

    • Spotlight7573@lemmy.world · 9 months ago

      By default the big three (Chrome, Safari, Edge) store them via their normal syncing processes (Google Passwords, iCloud Keychain, Edge’s password manager). If you use a different password manager (e.g. Bitwarden) it’s handled by their normal processes (cloud, syncing a database file, etc). I don’t believe there is a way to export a passkey from most of these at the moment but you can almost always have multiple passkeys attached to an online account so you can always just add your new password manager to your account as another passkey.

      There is a way to use a key backed by the hardware that is not exportable such as using a TPM or a physical USB security key but I believe that most are pushing the synced ones for the convenience of the end user.

  • aksdb@lemmy.world · 9 months ago

    If only companies wouldn’t be patronizing ass hats about it. A few sites deny storing passkeys in software wallets because of “security”. So what, keep using my password is safer now? Fucktards.

    • narc0tic_bird@lemm.ee · 9 months ago

      Many websites only allow creating a passkey on mobile for example. I also created passkeys on quite a few sites that straight up removed the feature a few days after. I also never found a site that let you completely remove password authentication after adding a passkey.

      • Kusimulkku@lemm.ee · 9 months ago

        Didn’t allow me to create one because it doesn’t meet Google’s security thing (unlocked bootloader).

        Fun

      • aksdb@lemmy.world · 9 months ago

        Even on mobile they are asshats. I have my password manager registered as the passkey wallet in iOS, so creating a passkey in PayPal for example fails.

  • johannesvanderwhales@lemmy.world · 9 months ago

    I highly recommend using something like Bitwarden or 1password (which can manage both passwords and passkeys), and then generating a passphrase using a method like Diceware. If you’re paranoid you might prefer rolling your own with Keepass but for most people that’s going to be a lot of work. I think 1password’s model is about as secure as you could hope for while still trusting a 3rd party. Definitely avoid Lastpass. In addition to widely reported breaches, they don’t even fully encrypt your data; only the password portion is encrypted while usernames and site data are plaintext.

    • podperson@lemm.ee · 9 months ago

      Since 1P switched to subscription only (which is a dealbreaker for me), I switched to Strongbox. It’s based on keepass, you can store/backup/host your own vault, and it also supports both passkeys and passwords. The UX is almost as good as 1P (few little minor annoying things, but no showstoppers for me). Been great so far.

    • Codilingus@sh.itjust.works · 9 months ago

      Just a heads up for anyone, Bitwarden can be self-hosted using Vaultwarden. All of the Bitwarden apps and extensions will work.

      Also, for anyone already using their stuff, Proton Mail rolled out their password manager. I like it so far, the free edition is good.

      • subtext@lemmy.world · 9 months ago

        I just don’t trust myself enough to self host Bitwarden. It’s just too critical of a service for me to be willing to accept any mistake I might make in hosting it. Absolutely worth the $10/year (or $40/year for the whole family), to have some IT professionals and Azure doing the hosting.

        • Codilingus@sh.itjust.works · 9 months ago

          Good call, and I agree. I self hosted it but mine was offline, and would only update if I was in my house. Saw proton pass release, and made the switch since I’ve been using their services for awhile, now.

          • subtext@lemmy.world · 9 months ago

            Oh well you don’t have to pay for it, but I do for the premium features, most notably family sharing of passwords

    • morbidcactus@lemmy.ca · 9 months ago

      Is keepass really a lot of work though? If you use xc you have a client that works in windows or Linux, the file itself can be hosted anywhere, I ran for years with it on a USB key. There’s no accounts to create, you just download and go.

      • ebc@lemmy.ca · 9 months ago

        KeepassXC works on Mac, too, and there’s KeepassDX for Android.

      • johannesvanderwhales@lemmy.world · 9 months ago

        It’s definitely more work than just buying the service from someone that has a ready made app. I don’t think it’s a thing I would recommend to, for example, my parents. I know xc has some sort of form fill thing but it’s not nearly as nice as the browser plug-ins made by the various password manager vendors.

        • morbidcactus@lemmy.ca · 9 months ago

          There’s a Firefox plugin that provides that functionality. As for getting my parents on board, any attempt to get my MIL onboard with a password manager has been futile; actually using it seems to be the biggest barrier to adoption in my anecdotal experience.

  • shortwavesurfer@monero.town · 9 months ago

    The way I intend to handle this is with my KeePass password manager since the file database has to be synced manually. The way I handle this is one copy of the database lives on my phone, which is my primary device. Then I copy this database to a flash drive, and then copy it to my laptop. The update process goes something like update the credential on my phone and then a few months later, during my scheduled backup routine, copy the database to the flash drive and then copy the database over to the laptop. So the most I could lose is a few months worth of data instead of all of it. If my phone is ever stolen, I still have a copy of the database on both the flash drive and the laptop, which at most might be a few months out of date, but nothing severe.

    • 4am@lemm.ee · 9 months ago

      I just use Bitwarden and all that shit happens automatically.

      • shortwavesurfer@monero.town · 9 months ago

        I know my way is quite unconventional, but I don’t rely on any clouds whatsoever. If I lose my data, it’s my damn fault.

    • Onsotumenh@discuss.tchncs.de · 9 months ago

      I use Syncthing to automatically keep the database up to date and usable on all of my devices. Autotype on PC is such a nice feature I wouldn’t want to miss (and it increases security on top of that).

  • dustyData@lemmy.world · 9 months ago

    We shouldn’t be getting rid of passwords, or one time passwords, or two factor authentication, or single use codes. The point of security is that overlapping features are what bring convenience and deterrence.

    • IphtashuFitz@lemmy.world · 9 months ago

      Years ago I worked for a company whose servers were in a highly secure facility. I had to pass through a “person trap” to get in, which required three independent things to get through: something you have, something you know, and something you are.

      Imagine a booth about the size of a phone booth, with doors on both sides. To open the outer door you need a card key. Once inside the outer door closes. To open the inner door you need to put your hand on a hand scanner, then enter a PIN. Only then will the inner door unlock and let you inside. I was told that the booth also weighed you and would refuse to let you through if your weight was something like 10% different from your last pass through. That was to prevent other people from piggybacking through with you.

      Lots of people think that’s all overkill until I explain that it’s all to ensure an authorized person, and nobody else, could get through. A bad actor could steal my card key & might guess my PIN, but getting around my hand scan & weight would be extremely difficult.

      The closer we get to this sort of multi-layer authentication with websites the happier I am. I want my bank account, etc. protected just as well as that data center…

    • Spotlight7573@lemmy.world · 9 months ago

      It’s probably overkill for most people but I would love to have a system that lets me choose what combination of factors together work to login rather than just ‘password and something else’. Something like A,B,C are on the account and you can use A+B or B+C to login. It’d be great for those who don’t necessarily want to trust SMS-based one-time passwords (due to SIM swapping, theft, etc) if we could require something else along with it.

      That said, the way passkeys are typically used satisfies multiple factors at once:

      Password to unlock your password database that stores your passkey: something you know, the password + something you have, the database

      Biometric to unlock your phone that has your passkey: something you are, fingerprint or face + something you have, the phone
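Spotlight7573's wish for per-account factor combinations (A+B or B+C) and the earlier point that a biometric-unlocked passkey already spans two categories can be written down as a small policy model; Feathercrown's "verifies you have a device twice" concern shows up as the audit that flags B+C when both are devices. This is an added example, not code from the thread; the factor names, the registry and the allow list are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Iterable, List, Set


class Category(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


@dataclass(frozen=True)
class Factor:
    name: str
    categories: FrozenSet[Category]  # one authenticator may cover several categories


# Constructed account registry (an assumption for this example, not from the thread).
FACTORS = {
    "A": Factor("password", frozenset({Category.KNOW})),
    "B": Factor("sms-otp", frozenset({Category.HAVE})),
    "C": Factor("hardware-key", frozenset({Category.HAVE})),
    # A passkey released by the phone's biometric: the phone is HAVE, the
    # fingerprint/face is ARE, which is how the thread counts it as two factors.
    "D": Factor("passkey-biometric", frozenset({Category.HAVE, Category.ARE})),
}

# Account-level allow list in the "A+B or B+C" style; D on its own is also accepted.
ALLOWED = [frozenset({"A", "B"}), frozenset({"B", "C"}), frozenset({"D"})]


def categories_covered(factor_ids: Iterable[str]) -> Set[Category]:
    """Union of the categories the given factors cover."""
    covered: Set[Category] = set()
    for fid in factor_ids:
        covered |= FACTORS[fid].categories
    return covered


def login_allowed(presented: Iterable[str], allowed=ALLOWED) -> bool:
    """True if the presented factors contain at least one allowed combination.

    A superset is fine (presenting A, B and C still matches A+B); a partial
    combination such as A alone or A+C is rejected.
    """
    have = frozenset(presented)
    return any(combo <= have for combo in allowed)


def single_category_combos(allowed=ALLOWED) -> List[FrozenSet[str]]:
    """Allowed combinations that never leave one category ("you have a device twice").

    This is the audit an administrator runs over the allow list; it does not
    block logins by itself, it only names the combinations worth reconsidering.
    """
    return [combo for combo in allowed if len(categories_covered(combo)) < 2]


if __name__ == "__main__":
    for attempt in ({"A", "B"}, {"B", "C"}, {"A", "C"}, {"D"}, {"B"}):
        names = " + ".join(FACTORS[f].name for f in sorted(attempt))
        print(f"{names:32} -> {'allowed' if login_allowed(attempt) else 'denied'}")
    for combo in single_category_combos():
        names = " + ".join(FACTORS[f].name for f in sorted(combo))
        print(f"audit: {names} only proves {categories_covered(combo).pop().value}")
```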

      • shortwavesurfer@monero.town · 9 months ago

        SMS second factor is so bad! The really dumb thing in my opinion is the place that uses SMS to factor the most is banks. Now how dumb is that?

        • Spotlight7573@lemmy.world · 9 months ago

          Banks are certainly behind the times and ‘bank-grade security’ is a joke in terms of what authentication methods they offer. I understand that they are slow to change anything though.

          • shortwavesurfer@monero.town · 9 months ago

            My crypto wallet is more secure than my bank because I hold the keys myself and I am not nearly as large a target as a bank. Is it better to go after one person’s money or one million people’s money?

      • scorpionix@feddit.de · 9 months ago

        Forget about biometrics, they are way too insecure.

        Our cameras have reached a stage where we can replicate fingerprints from photos. ‘What you are’ is useless when we leave part of us everywhere. And furthermore, in parts of the world, authorities can force you to unlock your device with biometrics but not with passwords.

          • scorpionix@feddit.de · 9 months ago

            I strongly disagree. That’s like using MD5 and saying ‘It’s OK, we use SHA256 down the line’. Information encrypted with it might as well be in plain text.

            • frezik@midwest.social · 9 months ago

              That’s not how that works. If you were using MD5 and then immediately SHA256 the output and not using it for anything else, that would be fine. You’re not accomplishing much in this specific case, but it’d be fine.

              When you layer security, the attacker has to pull back each layer. You don’t rely on any singular layer. If the attacker needs biometrics AND a code AND a physical key, that’s very good security.

          • IphtashuFitz@lemmy.world · 9 months ago

            Exactly. See my reply in another thread where I describe a “person trap” that I used to go through to get into a secure facility. Its biometric check analyzed the geometry of your entire hand. It wasn’t just a fingerprint scanner.

        • Spotlight7573@lemmy.world · 9 months ago

          For many people it works well as a trade-off between security and convenience. It may not be for everyone though and that’s okay. Nothing stops you from using a password/passcode to secure your passkey instead.

  • AutoTL;DR@lemmings.world · 9 months ago

    This is the best summary I could come up with:

    It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly.

    But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys.

    On this episode of The Vergecast, we bring in an expert: Anna Pobletts, the head of passwordless (best title ever?)

    She’s convinced that passkeys are the future but also has some ideas on the right (and not-so-right) way to get started.

    Vee weighs in on Fossil’s exit from the market, the rise of the smart ring, and much more.

    If you want to read more on everything we discuss in this episode, here are some links to start with, beginning with passkeys:

    The original article contains 241 words, the summary contains 131 words. Saved 46%. I’m a bot and I’m open source!

  • redcalcium@lemmy.institute · 9 months ago

    What if I lose my phone? What if you steal my phone?

    Bitwarden supports passkeys, which are stored in your Bitwarden vault. If you lost your device, as long as you can still access your Bitwarden account, your passkey should still be usable.

    I can login with the same passkey on Firefox and Chrome using bitwarden. Too bad it doesn’t work on mobile yet.

        • lolcatnip@reddthat.com · 9 months ago

          Why? Passwords are already used a lot less than they would need to be if we didn’t have things like OAuth tokens, the FIDO2 protocol for 2FA devices, biometrics, etc.

          Why should I have to type a password to authenticate myself to a website when I’ve already authenticated myself to the device I’m using and it can present the web site with credentials that prove I am who I claim to be?

          • mvirts@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            9 months ago

            I think this makes sense for many low impact scenarios, but there’s always going to be a set of services that I don’t want to trust to the same provider. For me it’s my bank; even though passwords have plenty of flaws, and I am trusting my phone to protect tap pay tokens, I would never link my bank login to my google account, so I use a memorized password.

            Of course this is tinfoil hat territory because a threat to my passcodes would probably involve breaking the security systems on android.

            • lolcatnip@reddthat.com
              link
              fedilink
              English
              arrow-up
              0
              ·
              9 months ago

              I think passcodes currently get consolidated with an entity like Google, but I’ve read Bitwarden is adding support for them. It definitely won’t be an issue long term.

  • ElectroVagrant@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 months ago

    For some reason I thought The Verge was better about having transcripts for their podcasts. I was kinda interested but not around 28 minutes of audio interested. 😞

    • LesserAbe@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 months ago

      Yeah, I get some people prefer that format, but I’m going to skip any article that’s just a link to a recording.

    • _number8_@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 months ago

      It’s objectively a downgrade to have to get my phone out just to sign into YouTube. I broke my phone screen and couldn’t sign into my damn bank until I got it fixed because they were making me verify with a text. Bullshit world these days.

        • Spotlight7573@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          9 months ago

          Exactly. You could have access to your password manager on your computer or a backup hardware security key instead. It doesn’t have to all be tied to just one phone, just like you don’t have to have just one house or car key.

      • Deceptichum@kbin.social
        link
        fedilink
        arrow-up
        0
        ·
        9 months ago

        And then there’s Google itself, notorious for blocking people’s accounts for nothing and offering zero recourse to get it back.

    • Lmaydev@programming.dev
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 months ago

      A huge amount of people use the same password everywhere.

      It’s much easier for someone to get your password than your phone.

    • TheEntity@kbin.social
      link
      fedilink
      arrow-up
      0
      ·
      9 months ago

      It certainly feels dangerous if forced upon users not aware of the trade-offs. For people already accustomed to using hardware keys, it’s very much an improvement, as more services will support them too. The problem is in the awareness. On the other hand, people already treat regular passwords as throwaway data and expect services to just let them in, or even never log them out. In this scenario, maybe passkeys can still be an improvement: roughly just as much as enforcing using a password manager.

    • Spotlight7573@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 months ago

      If you already have a central point to lose everything in the form of a password manager, is it any worse? What’s the difference between a random password stored in your password manager that you don’t remember versus a private key stored in your password manager that you’re not expected to remember? You’ve always needed to make backups or have alternative ways to get in (recovery codes, customer support channels, etc), nothing about that has changed when going from passwords to passkeys. When passkeys are supported on sites, there can be no autofill issues (password or TOTP), no password complexity requirements, no worries about how they are hashing them on the server side, no phishing issues, etc. That’s an improvement over the system we have now.

      And for those that don’t have a password manager, they are likely reusing passwords. Passkeys prevent the risk of password reuse and the risk of phishing.

      • Hexagon@feddit.it
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 months ago

        I use a password manager and the database is automatically synchronized to multiple devices. I use syncthing for that, but a public cloud would be fine as well, because it’s encrypted (well, as long as the master password is strong enough).

      • KlavKalashj@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 months ago

        I export my passwords from my manager regularly and keep them on paper in a secure place. At worst, it would be massively annoying if the password manager somehow blew up. But you can’t hack a paper. On the other hand, like some other person wrote, it’s incredibly easy to break your phone screen and then you’re screwed until you can fix it.

        • Spotlight7573@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          9 months ago

          The person who broke their phone screen wasn’t mad about not being able to access the data on it in this case, but rather that they couldn’t receive a text message as the second factor to log in to their bank. Having a backup wouldn’t have mattered, they couldn’t receive the text. Like it or not, having two-factor authentication on accounts is a necessity with the phishing and malware problems out there. Having multiple (secure) factors attached to your account is the best protection against getting locked out.

          The breaking of a phone and loss of the data on it can still be protected against by having backups in other locations or offline, like you have.