- cross-posted to:
- technology@lemmit.online
- cross-posted to:
- technology@lemmit.online
Passkey is some sort of specific unique key to a device allowing to use a pin on a device instead of the password. But which won’t work on another device.
Now I don’t know if that key can be stolen or not, or if it’s really more secure or not, as people have really unsecure pins.
Am not buying the idea. It sounds great on paper but in reality it doesn’t feel better. So idea is you have private and public keys, like many other forms of encryption out there. Private is stored on your device, and public is stored on account holder, like Google. Since keys are mathematically linked anything signed with private key can be verified by public key and vice-versa.
This is great technology and has been proven for decades now. It essentially means your device and account holder can exchange data without anyone ever finding out your private key since it never leaves your device.
However, issues. Keys are backed up somewhere and still depend on password, be it pin or regular old password. Recovering lost key means using password still. That means attack vector has just shifted and they won’t try to steal your key but social engineer their way into phishing your original password, making the whole thing a bit pointless.
Another things that worries me is the possibility each device will have its own key, although they claim transferable. Depending on what data is used to authenticate and prove device is owned properly this can be used to fingerprint users. For example IMEI or some other unique id, etc. Something that’s not easily done with passwords.
Biggest one is the fact it will negate two factor authentication. Verifying code on your phone and knowing password is difficult to exploit since it requires a lot of effort… possession of the device and knowledge of password. But with passkeys, there’s no password to remember and everything boils down to owning a device. They are then relying on the OS and device itself not to leak sensitive information. Not something I’d rely on.
Also, private key being backed up on Google means should they ever leak data someone can get everything they need to access your account. Private keys being protected by simple pin or password means nothing and would probably be easily broken due to simple nature of the protection.
Am not convinced this will see such high adoption as so many are claiming it will have.
Most hardware today has what’s called a TPM. It’s a physical hardware chip that can store certificates in a way that can’t be extracted.
It’s way more secure than someone stealing a cer file.
I know what TPM is, am not talking out of my ass here. But chain is only as strong as its weakest link, which is backup certificates somewhere protected by a pin or simple password. If it still requires password to access certificate, than you have moved issues from one place to another. What good is iron front door when you leave your windows open.
It doesn’t feel better? Good thing security doesn’t care about feelings. The fact is it is more secure no matter what it feels like. Privacy is maintained since you use a new key with each site. There is no IMEI or anything like that in the passkey spec. Social engineering ranges from more difficult to impossible depending on if you use a synced, local software based, or hardware based passkey system.
You have a lot of incorrect assumptions. Read https://support.apple.com/en-us/102195 and https://fidoalliance.org/passkeys/#faq.
No I don’t. You either misunderstood what I wrote about or don’t understand how whole process works. There’s no denial that signing in with passkeys is more secure. Technology has been there for a while and it’s proven. But that’s only one part of the whole process.
However, even the site you linked states:
Problem is in biometric or PIN on device. Which is what I talked about, you replace 2 factors with a single point of authentication. No matter how secure data exchange between site and device is, getting hold of your device means there’s a potential to losing access.
They claim second factor and password can be fished, but so can your PIN, and it’s even easier since it’s usually short. Whole security idea they are proposing is removing human factor completely from the authentication process. Which in general is not a bad idea to get rid of bad habits people have but at the same time, those bad habits are just relocated elsewhere. There are number of YouTube videos showcasing how easy it is to bypass lock screen patterns and PINs. Not to mention huge amount of people who simply don’t want to have any sort of security on their phone.
They claim passkeys are multi-factor in essence, but that’s not true. Whole point of multi-factor authentication is to make it harder to posses all things needed to exploit the data. Access to ATM requires card and pin, one thing you posses other have in your head. OTP works the same way, user/pass for web and then device you posses generates one time password. Having everything in one place is like locking your door and leaving the key beneath the door mat. Key can be as elaborate as it wants to, if someone lifts the door mat, whole security goes away.
Use a pair of hardware tokens and a long pin if you want maximum security. If you want to use a sync-able software token do that and set a strong pin.
You like long passwords? Go ahead and put one on your passkeys. You don’t have to use a short pin.
It is two factor. Something you have, key in TPM or hardware token, and something you know: the PIN. Or if you choose to enable biometric it shifts to two things you have the: key and your face/fingerprint.
Remember you only have limited attempts to guess the PIN and biometric auth is subject to configurable timeout conditions before the PIN is required.
Any security conscious person will use a strong PIN. Many will choose to use biometrics as well for convenience. Most people are still setting their password to Sm3llyK@t42 on every website. A protected key and a 4-digit pin/finger print is a huge leap in security.
But that’s the whole thing we are trying to solve here. We are trying to eliminate human factor and by extension bad habits people have when it comes to security. So expecting people to use good passwords and pins for keys will be the same as expecting people to have good passwords for accounts. Perhaps even worse because of claims it’s better security so people might even relax more.
Also timeouts with pins and passwords mean very little once someone has your device. This is why I don’t consider it good two-factor. PIN might be in your head, but nothing is preventing someone brute forcing it. Once you image the device you can do whatever you want. With credit cards, you’d need ATM to keep doing it and lockout is a serious problem there.
It’s a step in right direction for sure, but I’d prefer if keys didn’t depend on PIN or password.
I feel like it’s 2001 and I’m trying to convince my users to switch from passwords to RSA keys for SSH. Yes there are potential weaknesses. Yes it’s still much better.
Even if all we’ve done is reduced potential attackers from everyone with an Internet connection to people with physical access to the device we’ve still massively increased the average user’s security. And we’ve done more than that.
Also unless you can clone the device somehow hitting max guesses and losing access just like an ATM is part of the design.
I lost track of your suggestion over the weekend but what was your suggestion for second factor other than a pin or password?
I didn’t have one, I just disliked the idea of having all that’s needed for auth in a single device which can be lost.
Thanks for the civil discussion. While my views haven’t changed I have learned a lot about possible objections from informed people.
Let’s hope this new auth standard is implemented responsibly by all the major parties and that weak passwords and phishing become relics of the past.
Hope is all we can have. Sadly time and time again there were companies who thought the were smarter than others and altered established protocols. Be it Telegram or OAuth with Facebook. But let us hope.