Passkeys are an easy and secure alternative to traditional passwords that can help prevent phishing attacks and make your online experience smoother and safer.

Unfortunately, Big Tech’s rollout of this technology prioritized using passkeys to lock people into their walled gardens over providing universal security for everyone (you have to use their platform, which often does not work across all platforms). And many password managers only support passkeys on specific platforms or provide them with paid plans, meaning you only get to reap passkeys’ security benefits if you can afford them.

They’ve reimagined passkeys, helping them reach their full potential as free, universal, and open-source tech. They have made online privacy and security accessible to everyone, regardless of what device you use or your ability to pay.

I’m still a paying customer of Bitwarden, as up to now Proton Pass was still not doing everything, but this may make me re-evaluate using Proton Pass, as I’m also a paying customer of Proton Pass. It certainly looks like Proton Pass is advancing at quite a pace, and Proton has already built up a good reputation for private e-mail and an excellent VPN client.

Proton is also the ONLY passkey provider that I’ve seen allowing you to store, share, and export passkeys just like you can with passwords!

See https://proton.me/blog/proton-pass-passkeys

#technology #passkeys #security #ProtonPass #opensource

        • capital@lemmy.world · edited · 6 months ago

          Why shouldn’t these features require money?

          It’s $10 per YEAR. This is an extremely reasonable price given the importance of the service.

          Bitwarden employees need to eat too.

          • TheEntity@lemmy.world · 6 months ago

            I’d be perfectly okay with them just charging for Bitwarden, period. Instead they pretend it’s free but charge premium for all the most effective security features, including 2FA to their own services. Effectively it creates a group of people that use Bitwarden without access to these security features but complacent enough to not seek alternatives that would offer these features at a price acceptable for them (possibly free, like KeepassXC).

            Bottom line: security shouldn’t be a premium feature. It should be either available or not at all. Never as a premium within the service.

            • hedgehog@ttrpg.network · 6 months ago

              For logging in, Bitwarden supports TOTP, email, and FIDO2 WebAuthn on the free plan. It only adds Yubikey OTP and Duo support at the paid tier, and WebAuthn is superior to both of those methods. This is an improvement that they made fairly recently - back in September 2023.

              The other features that the free plan lacks are:

              • the 1 GB of integrated, encrypted file storage. This is a convenience that is nice to have, but not essential to a password manager.
              • the integrated TOTP generator. This is a convenience that many argue is actually a security downgrade (under the “putting all your eggs in one basket” argument).
              • Upgraded vault health reports - free users get username data breach reports but not weak / reused password reports. This is the main area where your criticism is valid, but as far as I know free competitors don’t offer this feature, either. I looked at KeepassXC and didn’t see this mentioned.
              • Emergency access (basically a trusted contact who can access your vault under some circumstances). This isn’t essential, either, and the mechanisms they add to ensure security of it cost money to provide.
              • Priority support - free users get 24/7 support by email, which should be good enough.
          • lorkano@lemmy.world · edited · 6 months ago

            It’s not paywalled. It’s not yet implemented in the mobile Bitwarden apps. It probably won’t be paywalled once implemented, because it’s not paywalled in the extension, where it’s already implemented.

            • capital@lemmy.world · edited · 6 months ago

              2FA is a paid feature in Bitwarden. That’s the feature we were talking about.

              Edit: fuck me for explaining myself

  • Manmoth@lemmy.ml · 6 months ago

    They will have to rip Bitwarden (soon Vaultwarden) from my cold dead hands.

    • GadgeteerZA@lemmy.ml (OP) · 6 months ago

      True, it is good, but they need to speed up on passkeys for mobile, as many do use mobile devices, and what’s the point of having passkeys on desktop?

  • BargsimBoyz@lemmy.world · 6 months ago

    The real question is why the fuck is this guy paying for two password managers if not more, especially if he isn’t even using one?

  • Victor@lemmy.world · 6 months ago

    How do I create a passkey with Proton Pass then? I don’t see that option when pressing the big Plus button.

    • GadgeteerZA@lemmy.ml (OP) · 6 months ago

      It is the same for Bitwarden. What I noticed is that if I go to a site with passkeys, Bitwarden prompts me with a pop-up asking whether I want to add a passkey. It’s not something you manually add, apparently.

    • IdleSheep@lemmy.blahaj.zone · edited · 6 months ago

      If the site you’re using supports passkeys, it should have an option in your account settings somewhere to create one. When you do, Proton Pass (or whatever other password manager) will prompt you to save that passkey. You can’t manually create one in Proton Pass; it has to be the website requesting to save one.

      • Victor@lemmy.world · 6 months ago

        Oh I see! So essentially it’s like creating a separate key pair for each login/site? Or will I be able to reuse the same public key/passkey for many different sites once it’s created?

  • d3Xt3r@lemmy.nz · edited · 6 months ago

    all devices

    Lies, there’s no Linux app yet. As usual, Proton Inc continues to treat Linux users as third-class citizens, all whilst claiming they care about privacy and security.

    Edit: They don’t even have a macOS app yet lol.

    • jelloeater - Ops Mgr@lemmy.world · 6 months ago

      I tried their mail app, it’s Electron garbage. I love all their other stuff tho.

      TBH KeepassXC + SyncThing is superior in every way.

    • GadgeteerZA@lemmy.ml (OP) · 6 months ago

      I’m using the browser add-on in Linux across all my browsers. I do have the Bitwarden app for Linux, but to be honest I never open it as it is a pain to have to open a separate app, and then copy and paste. Isn’t it just more seamless to let it replace the browser password manager on Linux? If I want to tidy up my Bitwarden vault, I also do that in the browser.

      • fishpen0@lemmy.world · 6 months ago

        DevOps here. I use the 1Password CLI constantly to feed auth tokens, passwords, and identity overrides into other shell commands. I’d lose my shit if I had to keep opening my browser to log in to all my various workflows. The CLI even integrates with biometrics, so my hands never leave the keyboard.

  • BaroqueInMind@lemmy.one · edited · 6 months ago

    I really want to like Proton and all their shit, but they seem to heavily advertise everything they have on every software and product they have in a very intrusive and annoying way.

    Simply logging into Proton mail and being bombarded by Proton promotional shit feels like Google all over again.

    The app reminds me constantly that I’m a piece of shit for not supporting them by subscribing to their VPN, etc etc.

    • QuantumBamboo@lemmy.dbzer0.com · 6 months ago

      I would rather they make money from advertising their own pretty awesome services than from advertising unsustainable (environmentally, but also unsustainable for the fucking soul!) bullshit via blood-sucking multinational tech companies that prey on the masses with whatever data they can automatically dig up on you. The revenue Proton makes from converting free customers to paid allows them to grow a freely available service that is user-friendly and a technical rival of the surveillance capitalists.

      My take is:

      • If you’re the sort of person that is convinced your requirements need some custom covert ops pagan voodoo self hosted data center in an old cold war era bunker, don’t let me stop you. You crack right on mate and good luck (sounds like you need it!).
      • If you want the sorts of services Proton provides, but don’t want to be fucked, then Proton are a good shout.
      • If you can afford it, pay for it. It makes the experience smoother and keeps a relatively small but decent company going in an ocean of massive cunts.
      • If you can’t afford it and don’t want to use the free version of Proton, I hear Google and Microsoft will happily buy your soul and sell your data.
      • Confused_Emus@lemmy.world · 6 months ago

        You’re just going to rub people the wrong way being condescending like that. Find another way to try and bring people to your point of view.

        And no, I’m not a shill for Google or Microsoft, I’m a happily paying user of Proton’s products.

        • QuantumBamboo@lemmy.dbzer0.com · edited · 6 months ago

          People are perfectly within their rights to be rubbed up the wrong way.

          Find another way to try and bring people to your point of view

          Thanks for your great example of condescension for clarity. A little unsolicited feedback though… other people, unaware of your virtuous intent, might view it as a petty attempt to belittle a stranger on the internet. Other than that, a solid comment. B+

          … that’s condescending.

          • RagingSnarkasm@lemmy.world · 6 months ago

            People are perfectly within their rights to be rubbed up the wrong way.

            Except in Florida and Texas. That shit gets you arrested these days.

            Or so I hear.

      • deweydecibel@lemmy.world · 6 months ago

        If you’re the sort of person that is convinced your requirements need some custom covert ops pagan voodoo self hosted data center in an old cold war era bunker, don’t let me stop you. You crack right on mate and good luck

        Can you give an actual example of this or are you just making a broad accusation against anyone that uses something other than Proton?

        The initial point wasn’t against supporting these services or them making money, it’s the aggressiveness of the advertising. It shows a degree of disrespect for the users when they refuse to leave them alone.

    • CucumberFetish@lemm.ee · 6 months ago

      When I set up my account, they asked during setup whether I wanted to get email notifications about their products, and later it is also available and clearly marked in the account settings. I’d assume that if I turned those settings off, I’d stop getting those emails.

      That being said, I have gotten 8 notifications from them over the last 3 months. I have all newsletters and promotional content enabled. This isn’t much imo.

    • Dark Arc@social.packetloss.gg · 6 months ago

      I haven’t noticed much beyond emails about general product news.

      That’s compared to Feedly which actively would popup “hey! have you considered paying us like… 2k/yr (or maybe it was 2k/month) for some service you don’t care about that really should be part of our normal RSS product that you’re already paying like 200/yr for? Also there’s no way to turn these notifications off and we’re going to keep sending them periodically. Oh! And we’re not going to work on anything you might find interesting or reasonably priced, so … have fun!”

    • GadgeteerZA@lemmy.ml (OP) · 6 months ago

      And yet I missed their announcement about their passkeys. In today’s competitive world, I think any company that does not advertise in some way is really not going to survive (as much as I don’t like ads either). Maybe I don’t see that much as I am paying.

    • GadgeteerZA@lemmy.ml (OP) · 6 months ago

      No, an ad would have come out when it was launched, and an ad would try to sell something?

        • GadgeteerZA@lemmy.ml (OP) · 6 months ago

          Firstly, the point was made that the passkey functionality in Proton Pass is free (no account needed or “selling”) and that is for unlimited logins. Anyone can just use it. I pay for, and am still using Bitwarden. I posted about this because it is interesting that Pass has implemented passkeys for mobile, while I still wait for Bitwarden, so I’m interested in testing this out with Proton Pass. I post about all sorts of things that I find interesting, and sometimes I do switch my services across if I find it can match or better what I already use. That’s the bottom line.

          I was just as interested when I was considering moving from LastPass to Bitwarden, but then I was accused of “selling” free Bitwarden to people. Everyone must make up their own minds as their circumstances are different. But if no-one posted about what they found interesting, we’d have no Lemmy, and we’d all forever just stay stuck on whatever we personally know. Certainly Bitwarden and Proton Pass are not the only good password managers out there, but this week I was interested to see an article about Proton Pass, and I had not even known they’d rolled out passkeys yet. It seems like quite a few others did not either.

          I’m sure others also post about what new stuff 1Password has just rolled out, and I’d be interested to hear about that too. That is how I decide whether I want to try something better.

          If I wanted to try to sell something, I’m sure Proton Pass probably has some loyalty link for paid accounts, but no, you did not see me sharing anything like that. I mentioned the access was free.

    • Ithral@lemmy.blahaj.zone · 6 months ago

      mTLS is for transport layer security, not authentication security. This is closer to those RSA keys, where there is an RSA server keeping track of all the fobs that can be queried to figure out what number they are currently showing, acting as a “something you have” factor of authentication, proving you are who you say you are.

    • GadgeteerZA@lemmy.ml (OP) · 6 months ago

      There is a difference but right now as long as one uses a good password with a 2FA it is probably good enough. Too many services with passkeys are still quickly offering password resets via e-mail or text, so they, as sites, are not secure. And unless you can move your passkeys with you, like you can with passwords, you don’t want to get locked into a single device or OS.

  • Defaced@lemmy.world · 6 months ago

    I really, really like Proton Pass. I was using Google password manager prior, but I primarily use Firefox, and Firefox’s password syncing is just bad. Proton Pass has been a surprisingly reliable password manager.

    • GadgeteerZA@lemmy.ml (OP) · 6 months ago

      It does seem to have innovated quite quickly. I’m still using Bitwarden as I have the paid access to biometrics etc., and it has a nice tweak also to add unique e-mails for every login, etc. But I’m interested to see where Proton Pass will be in another few months, seeing I’m already paying for their service, and maybe I can consolidate my expenses a bit. I actually got drawn into paid Proton by leaving ExpressVPN, which I needed for Netflix, and then found Proton (with one or two others) were the only ones handling Netflix’s geofencing quite well. Looking at options is always good.

  • phoneymouse@lemmy.world · 6 months ago

    Has anyone used passkeys? I have been hesitant to try them out. Using them, do they basically keep you logged in all the time to a given site?

    • GadgeteerZA@lemmy.ml (OP) · 6 months ago

      I use passkeys for some sites, but have been reluctant to go all in until I’m sure all my devices can support them. I’m not always going to have my desktop with me, and likewise my phone’s battery can be flat, etc. I’ve always wanted passkeys to first sync across all my devices, and ideally to be exportable and brought into a different service. Right now you can export your 900+ passwords, and import them into a different service if you want to move. You can’t do that with Apple or Google passkeys.

  • Brokkr@lemmy.world · 6 months ago

    I have a question that is kind of off topic. If I use a password manager and generally use randomized secure passwords, do passkeys offer any additional security?

    By practicing good password behavior, I have struggled to see how the benefits of passkeys outweigh the hassles.

    • GadgeteerZA@lemmy.ml (OP) · 6 months ago

      Yes, passkeys are public/private keys, so a site only ever sees your public key. Your device does the match with the private key. So in that way, no-one can hack the service site and steal your password. But your private key on your device has to stay very private, and should be synced to another device, because if you lose your private key then essentially you can’t log in. If a site offers a backup “password reset via e-mail” then they have rubbish security anyway.

    • Encrypt-Keeper@lemmy.world · edited · 6 months ago

      Yes, passkeys are not brute-forcible, and are phishing resistant.

      Whether or not they provide more security depends on how fully they’re implemented. A service that’s fully implemented them, like PlayStation for example, will remove the password from your account after activating your passkey.

      Some websites have half-assed their implementations where you can use a passkey or a password to log in. In that scenario, your account isn’t really any more secure, it’s just a more convenient way to log in.

      • Brokkr@lemmy.world · 6 months ago

        Are sufficiently long passwords susceptible to brute force attacks?

        Don’t passkeys get that feature by just being longer?

        • Encrypt-Keeper@lemmy.world · edited · 6 months ago

          Are sufficiently long passwords susceptible to brute force attacks?

          Yes. Though obviously the odds of success go down the longer and more complex the password is.

          Don’t passkeys get that feature by just being longer?

          Put simply… no. Passkeys aren’t just “longer passwords” sent to the same place. Unlike passwords, passkeys aren’t a “shared secret” that you’re sending to the service you’re authenticating to. Passkeys use asymmetric encryption and are neither sent to nor stored on the server you’re authenticating to. Your passkey is a private key stored on your device and secured by biometrics, the paired public key for which lives on the server you created the passkey to authenticate to.

          In a traditional brute force operation, you’re sending guesses to a server that knows your password. If you send the correct guess, you get in. It’s also possible to steal the password from the server and brute force that offline.

          With a passkey on the other hand, the server uses your public key to encrypt a string in a challenge message, this string can only be decrypted by your passkey. You then send a response that’s encrypted by your private key, which can then only be decrypted by the public key on the server. So the thing you’re sending to the server to authenticate isn’t your passkey, and it’s unique every time you log in.

          So could you perform some kind of operation that would technically still be a kind of brute force? Theoretically yeah. But even so you’d be limited to brute forcing against the server, which isn’t very effective even against passwords. However you would not at all be susceptible to offline brute forcing based on the capture of a passkey either in flight by breaking encryption, or by breaching the server, because your passkey never leaves your device.
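
The challenge-response flow described in this answer (and the per-site key pairs asked about earlier in the thread), as an added Go example that is not from the original thread, Proton or Bitwarden: the `Server`, `Client` and `Scenario` names and the `example.com` / `examp1e.com` origins are constructed for illustration, and the response is modelled as an ECDSA P-256 signature over the server's random challenge, the way WebAuthn binds each login to a fresh challenge. It shows that the server stores only a public key, that a captured response fails against the next challenge, and that a look-alike origin gets no usable response because the client's key is bound to the origin it was registered on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Server keeps only the public half of each user's passkey: a breach of this map yields nothing replayable or crackable offline.
type Server struct {
	RPID    string                      // site identity, e.g. "example.com" (constructed sample)
	pubKeys map[string]*ecdsa.PublicKey // user -> registered public key
}

// Client models the password manager: one private key per origin, and it never leaves here.
type Client struct{ keys map[string]*ecdsa.PrivateKey }

// Register mints a fresh P-256 key pair (WebAuthn's ES256) for this site and hands the server the public key only.
func (c *Client) Register(s *Server, user string) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no usable entropy: refuse to mint a key
	}
	c.keys[s.RPID] = priv
	s.pubKeys[user] = &priv.PublicKey
}

// Challenge draws 32 fresh random bytes; every login gets a new one.
func (s *Server) Challenge() []byte {
	ch := make([]byte, 32)
	rand.Read(ch) // crypto/rand either fills the buffer or (Go 1.24+) crashes the program; no partial reads
	return ch
}

// Respond signs SHA-256(rpID || challenge) with the key registered for rpID; binding the origin into the signed data is what defeats look-alike pages.
func (c *Client) Respond(rpID string, challenge []byte) ([]byte, bool) {
	priv, ok := c.keys[rpID]
	if !ok {
		return nil, false // no passkey for this origin: nothing to sign
	}
	digest := sha256.Sum256(append([]byte(rpID), challenge...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return sig, err == nil
}

// Verify recomputes the digest with the server's own rpID and the challenge it issued, then checks the signature against the stored public key.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(append([]byte(s.RPID), challenge...))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Scenario reports (genuine login accepted, replayed signature accepted, look-alike site obtained a signature).
func Scenario() (genuine, replayed, phished bool) {
	site := &Server{RPID: "example.com", pubKeys: map[string]*ecdsa.PublicKey{}}
	client := &Client{keys: map[string]*ecdsa.PrivateKey{}}
	client.Register(site, "alice")
	ch1 := site.Challenge()
	sig1, _ := client.Respond(site.RPID, ch1)
	genuine = site.Verify("alice", ch1, sig1)
	// An eavesdropper who captured sig1 replays it at the next login: the challenge changed, so the digest did too.
	ch2 := site.Challenge()
	replayed = site.Verify("alice", ch2, sig1)
	// A look-alike origin relays the real site's challenge; the client has no key for that origin, so it produces nothing.
	_, phished = client.Respond("examp1e.com", ch2)
	return genuine, replayed, phished
}

func main() { fmt.Println(Scenario()) } // prints: true false false
```

Registering the same client with a second `Server` would mint a second, unrelated key pair, which is the answer to whether one passkey is reused across sites.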

          • Brokkr@lemmy.world · 6 months ago

            Thank you, that was a really helpful explanation that I haven’t seen elsewhere. It helps a lot and I think I now understand the difference between passwords and passkeys.

            I still don’t like the hassle inherent in passkeys, but at least I understand it now.

            • Encrypt-Keeper@lemmy.world · 6 months ago

              Oh yeah no problem. The internet is flooded with high level answers that don’t really explain it in any detail.

              I wonder what hassle you’re having? Passkeys should be much less hassle than passwords.

              • Brokkr@lemmy.world · 6 months ago

                The hassle is that I have to have a second device to log in with, and I have to keep that device with me and functioning at all times.

                Obvious answer is of course my phone, but I’ve had a few situations where I needed to access an account on a new system and didn’t have a 2nd device available.