• JasonDJ@lemmy.zip · ↑24 · edited · 1 day ago

    And then…

    The password manager can’t fill the form. You’ve got to change your 10-word, unique passphrase because it’s 3 months old. And you have to verify with a text.

    Oh and then you have to type it in on your TV with a remote and on-screen keyboard.

    • MDCCCLV@lemmy.ca · ↑3 ↓1 · 2 days ago

      The PIN system implementation is terrible, at least for Windows, because it forces you to make a PIN but not all websites do that, so it's easy to make a PIN for one website but not realize that if you forget the PIN and misenter it 10 times it locks the key permanently and you have to reset it, but that deletes everything, and so you can end up in a situation where the YubiKey is on your site account login but you don't have it now and you can get locked out.

    • Appoxo@lemmy.dbzer0.com · ↑9 ↓3 · 2 days ago

      If they aren't on a USB stick, protected against being copied, they are only a single factor that instills false safety.

      • ricecake@sh.itjust.works · ↑5 ↓1 · 2 days ago

        Depends on the system. The thing where your password manager is managing your passkeys? That’s a single factor unless it’s doing something tricky that none of them do.
        When it’s the tpm or a Bluetooth connection to your phone? That’s actually two factors, and great.

        • Appoxo@lemmy.dbzer0.com · ↑1 ↓1 · 1 day ago

          Can it be copied from your phone? (e.g. by migrating your phone via a backup)
          Then it can be compromised and is essentially a single factor (because some websites permit you to log in via the key only).
          Only if you'd need to completely renew the key, then it's truly secure.

          • ricecake@sh.itjust.works · ↑2 · 1 day ago

            There are secure ways to transfer the key that preserve the properties that make it useful as two factors in one.

            Basically, the device will only release the key in an encrypted fashion readable by another device able to make the same guarantees, after the user has used that device to authenticate to the first device using the key being transferred.
            A backup works the same way.

    • MDCCCLV@lemmy.ca · ↑4 · 2 days ago

      Website wants you to make a passkey, go to login but the entry form only accepts the user name, then you have to click next to password which may or may not accept the passkey.

  • Korne127@lemmy.world · ↑6 ↓1 · 1 day ago

    Magic link only is the worst kind of login system. However, I don't know any big real companies that use this.
    If you don’t like passwords, just use passkeys.

    • ApertureUA@lemmy.today · ↑8 · 1 day ago

      Slack (except when with SSO). You have to go out of your way to find the settings page outside of the client to set a password.

      • SirEDCaLot@lemmy.today · ↑2 · 1 day ago

        Not even close.

        Passkey is a generic technology not specific to any vendor. While there are a few versions of it, the long story short is it uses an encryption key you have to authenticate you rather than a password. This makes phishing extremely difficult if not impossible.

        There’s lots of passkey implementations. All the major browsers have one built in with their included password managers. Most good password managers like BitWarden or 1Password also support pass keys. And if you want to be extra secure, the passkey can be an actual hardware token like a YubiKey.

        So yeah you see Google pushing passkeys a lot, and if you use Google password manager it will store your pass keys. But you also see Apple pushing it, and Microsoft also.

        • BCsven@lemmy.ca · ↑4 ↓1 · 1 day ago

          It's still just a single factor if somebody steals your private key.

            • BCsven@lemmy.ca · ↑2 ↓1 · 1 day ago

              Steals it from your system I meant. Which has even happened to security pros.

          • Gt5@lemmy.zip · ↑1 · 1 day ago

            Yes, but it's not something that can be easily guessed or found on a post-it on the monitor.

            • BCsven@lemmy.ca · ↑2 · 1 day ago

              True dat. But if they compromise your computer the first thing they look for is key files.

              Like my ssh keys are in a root-permission file. Protected from general sight, but if somebody compromises my PC with a CVE, then goodbye keys.

              At least with a hardware key it is removable and requires a button press.

              So accessing becomes physical access or quantum computer cracking.
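An added example (not code from any poster) of the two points made above: SirEDCaLot's claim that a passkey makes phishing very hard, and BCsven's caveat that the private key itself is the thing an attacker wants. It is a simplified model of the WebAuthn challenge-response, assuming Ed25519 keys, an `rpID` string standing in for the site, and a look-alike domain "examp1e.com" as the constructed phishing origin.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator is a simplified WebAuthn authenticator: the private key stays here, bound to one rpID.
type Authenticator struct {
	priv ed25519.PrivateKey
	rpID string
}

// Register creates a credential for rpID; the site keeps only the returned public key.
func Register(rpID string) (*Authenticator, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	return &Authenticator{priv: priv, rpID: rpID}, pub
}

// NewChallenge is the site's fresh random nonce: a signature over it cannot be replayed.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// signedData binds the response to the origin (hash of rpID) and to this challenge.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Respond signs for the rpID the browser derived from the page origin. A look-alike
// phishing origin is a different rpID with no credential, so nothing usable is returned.
func (a *Authenticator) Respond(rpID string, challenge []byte) []byte {
	if rpID != a.rpID {
		return nil
	}
	return ed25519.Sign(a.priv, signedData(rpID, challenge))
}

// Verify is the site's check: its own rpID, the challenge it issued, and its stored key.
func Verify(pub ed25519.PublicKey, rpID string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, signedData(rpID, challenge), sig)
}

func main() {
	auth, pub := Register("example.com")
	c := NewChallenge()
	fmt.Println("genuine:", Verify(pub, "example.com", c, auth.Respond("example.com", c)))
	fmt.Println("phished:", Verify(pub, "example.com", c, auth.Respond("examp1e.com", c)))
}
```

The same model shows why a copied private key is a single factor: anyone holding `auth.priv` can answer every future challenge, which is the property a hardware token's button press is meant to gate.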

  • paequ2@lemmy.today · ↑60 ↓1 · 2 days ago

    God I hate those stupid magic links. They’re WAAAAYYY slower than just using my password manager.

    AND they kinda contribute to locking you into Big Tech. I sometimes have problems with those stupid links because I don’t have a Gmail account. Somewhere along the stupid chain there’s probably some stupid check that delays or blackholes emails to non-big-tech domains.

    • definitemaybe@lemmy.ca · ↑24 · edited · 2 days ago

      Based.

      Email is terrible. It’s an unreliable communication system. You cannot depend on sent emails arriving in the recipient’s mailbox—even the spam folder.

      People incorrectly assume that all emails at least get to their spam folder. They don’t. There are multiple levels of filters that prevent most emails from ever making it that far because most email traffic is bots blasting phishing links, scams, and spam. Nobody wants phishing and scam emails, but the blocks that prevent those are being used by big tech to justify discriminating against small mail servers.

      I can’t remember the site, now, but I literally couldn’t log into one this week because the email never arrived.

      • balsoft@lemmy.ml · ↑12 · 2 days ago

        I can’t remember the site, now, but I literally couldn’t log into one this week because the email never arrived.

        Well, email allows you to solve that issue by self-hosting. But what you can’t solve is that if you do self-host, gmail will drop your emails to spam or just discard them completely, just because it feels like it, even if you do the whole dance with DMARC and have used the domain for a good few years. It’s frustrating as shit.

      • Airfried@piefed.social · ↑7 · 2 days ago

        I had an email never arrive because I used Firefox for Linux. It worked on my phone in a different browser. God knows what went on there. I suppose their website never really registered I even made a request from my desktop even though it told me the email was on the way. Really strange.

  • bamboo@lemmy.blahaj.zone · ↑7 ↓2 · 2 days ago

    I can imagine that the sites want to validate that you still have access to the email associated with the account, and asking people to check their settings is annoying, and they know no one will do it. I can also imagine that sites want to know as much about you as possible, don’t want you to be using burner email addresses, and are probably selling the fact that your email address can still receive email to marketing firms who compile that info.

    • Sprinks@lemmy.world · ↑7 · 2 days ago

      Annual/routine email verification fills that need, though. For the sites I do support desk for, an email verification link is sent during account creation and then annually. If the email address is not verified then on login the account holder is prompted to either resend the verification link or change it and verify the new email.

      • peacefulpixel@lemmy.world · ↑2 · 1 day ago

        True, but I would also argue that's a much less utilised alternative. Most people don't even know what that is, even though it's a great redundancy.

        • brian@programming.dev · ↑1 · 2 hours ago

          They don't need to know what's happening when a panel pops up on their phone, says touch the fingerprint scanner, and enrolls a passkey. It's on the companies.

    • ranzispa@mander.xyz · ↑8 ↓1 · 2 days ago

      It is quite normal to ask for an email address at registration even when using password based authentication.

        • BlueÆther@no.lastname.nz · ↑5 · 2 days ago

          It was more or less the default many moons ago, then just a username became more common, now it is back to email or some third-party login.

        • kamen@lemmy.world · ↑6 · 1 day ago

          No email would be fine for most people, but then there would be the small number of folks who will cry all hell when they forget their passwords and/or secret questions and can’t get in…

      • flynnguy@programming.dev · ↑4 · 18 hours ago

        Email is considered insecure as a second factor. TOTP stands for Time-based One-Time Password. Usually you store a seed and that, combined with the time, generates a time-based password. If someone intercepts it, it's only valid for a certain time frame (I think about a minute or so), after which it's invalid.

        • Mose13@lemmy.world · ↑3 · 4 hours ago

          Yes, but email is only a second factor when used in addition to a first factor (e.g. password). If it's just a magic link without a password, then email is the only factor.
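An added example (not code from any poster) of the TOTP scheme flynnguy describes above: RFC 6238 code generation from a stored seed, plus the server-side check that accepts a code only within a short window, so an intercepted code stops working soon after. The seed is the RFC test vector rather than a real one, and the 30-second step with one step of allowed skew are assumed defaults.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	totpStep   = 30 // seconds per code (the usual default)
	totpDigits = 6
	totpSkew   = 1 // accept one step either side for clock drift
)

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated.
func hotp(secret []byte, counter uint64) uint32 {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < totpDigits; i++ {
		mod *= 10
	}
	return code % mod
}

// totpAt is RFC 6238: the HOTP code for the 30-second step containing unixTime.
func totpAt(secret []byte, unixTime int64) string {
	return fmt.Sprintf("%0*d", totpDigits, hotp(secret, uint64(unixTime/totpStep)))
}

// verifyTOTP accepts a code for the current step and totpSkew steps either side.
// A code captured in transit is useless once that window (about 90 s here) has passed.
func verifyTOTP(secret []byte, code string, unixTime int64) bool {
	for skew := int64(-totpSkew); skew <= totpSkew; skew++ {
		if hmac.Equal([]byte(totpAt(secret, unixTime+skew*totpStep)), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector seed, not a real one
	now := time.Now().Unix()
	code := totpAt(secret, now)
	fmt.Println("code:", code, "valid now:", verifyTOTP(secret, code, now),
		"valid in 3 min:", verifyTOTP(secret, code, now+180))
}
```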

  • Assassassin@lemmy.dbzer0.com · ↑29 ↓3 · 2 days ago

    Just let me use passkeys at this point. The way that people typically use passwords is less secure anyway, why not just make it as simple as possible?

    • Anafabula@discuss.tchncs.de · ↑12 · 2 days ago

      I would love to use my physical Yubikey, but all the websites I’ve seen that allow passkey login always deny both Yubikeys.

    • bleistift2@sopuli.xyz · ↑16 ↓3 · 2 days ago

      I forget. Are passkeys the access method that prevents you from logging in ever again if you lose access to a device?

      • 4am@lemmy.zip · ↑9 · 2 days ago

        Only if you use the OS built-in saving.

        Most password managers support them at this point, making them portable and secure.

      • Assassassin@lemmy.dbzer0.com · ↑17 ↓1 · 2 days ago

        Typically, no. You’re thinking of TOTP/Authenticator based 2FA. Those still come with backup codes in case you break the phone that has the TOTP codes warehoused. I always recommend keeping those backup codes saved in the notes of whatever password manager you’re hopefully using.

        Passkeys are essentially just one half of a cryptographic key pair (like what you’d use for authenticating SSH without passwords). These allow you to authenticate once using password + 2FA, then use the generated passkey for future sessions. Since these are much more complex than passwords and remove the need to actually remember anything, they are significantly more secure.

        There are also some other features that I’m forgetting, and that may not be a perfectly accurate description, but I think you can get the gist.

        • Jesus_666@lemmy.world · ↑9 · 2 days ago

          Passkeys are supposed to be bound to one device and protected by that device’s OS’s secure enclave. If you have a second device you’re supposed to create a second passkey.

          That’s why many sites will flat out refuse to let you create a passkey with a desktop browser since a PC-stored passkey doesn’t fit the security model.

          • Nat (she/they)@lemmy.blahaj.zone · ↑4 ↓1 · 2 days ago

            Websites should not get to dictate my security model. I’ll accept annoying me about being less secure because I get that people are dumb, but you’ve gotta choose somehow! Also, any passkey is safer than a password, so that’s still BS.

            • Jesus_666@lemmy.world · ↑3 · 2 days ago

              The logic behind it is that a smartphone-bound passkey represents two factors of authentication: what you have (the phone) and who you are (the fingerprint used to unlock the phone’s passkey store).

              Anything on a PC is easily copied and can only ever be safely assumed to represent one factor: what you know (the password to unlock your password manager). Thus the benefit of getting a two-factor authentication in one convenient step falls away.

              Of course it’s still super annoying, especially if you don’t really trust your smartphone OS vendor and use a portable password manager already.

          • Assassassin@lemmy.dbzer0.com · ↑3 · 2 days ago

            Yeah, that’s how I understood it to work, as well. I didn’t mention it because I’ve seen a bunch of different implementations that don’t seem to work that way. I didn’t want to speak too much on that specific point, since I don’t have a very thorough understanding of it.

        • smeg@feddit.uk · ↑2 · 4 hours ago

          I always recommend keeping those backup codes saved in the notes of whatever password manager you’re hopefully using

          Wouldn’t this undo some of the security of even having 2FA? If your password manager was somehow breached the attacker would have all your passwords and your 2FA codes, right?

  • Deebster@infosec.pub · ↑10 · 2 days ago

    My email uses greylisting which is where the first email received from a server gets a “busy” response - the idea being that spammers just fire and forget whereas real mailers will retry.

    Unfortunately, some senders take so long to resend that it’s timed out. The second time will work though. Unless they have multiple servers. Some have so many servers that you have to do this a multitude of times until you lose the will to login or forget what you were going to do anyway.
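An added example (not code from the poster or from any mail server) of the greylisting policy Deebster describes: the first attempt from a given (sending server, sender, recipient) triplet gets a temporary "busy" reply, a retry inside the window is accepted and whitelisted, and a retry from a different outbound server counts as a new triplet and is deferred again. The delay, expiry and whitelist durations, the addresses and the timeline are all constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Policy knobs (assumed defaults; a real MTA greylisting plugin makes these configurable).
const (
	greyDelay  = 5 * time.Minute     // a retry sooner than this is still deferred
	greyExpiry = 4 * time.Hour       // an unretried first attempt is forgotten after this
	greyKeep   = 36 * 24 * time.Hour // a triplet that passed stays whitelisted this long
)

// triplet is what greylisting keys on: sending server, envelope sender, recipient.
type triplet struct{ ip, from, to string }

type entry struct {
	firstSeen time.Time
	passed    bool
}

type Greylister struct{ seen map[triplet]entry }
func NewGreylister() *Greylister { return &Greylister{seen: map[triplet]entry{}} }

// Decide returns the SMTP reply for one delivery attempt: 451 (temporary "busy"
// failure) or 250 (accept). Fire-and-forget spam never comes back for the 250.
func (g *Greylister) Decide(ip, from, to string, now time.Time) int {
	key := triplet{ip, from, to}
	e, ok := g.seen[key]
	age := now.Sub(e.firstSeen)
	switch {
	case !ok, !e.passed && age > greyExpiry, e.passed && age > greyKeep:
		g.seen[key] = entry{firstSeen: now} // first contact, or a stale record: start over
		return 451
	case e.passed:
		return 250
	case age < greyDelay:
		return 451 // retried too soon
	default:
		g.seen[key] = entry{firstSeen: now, passed: true} // genuine MTA retry: whitelist
		return 250
	}
}

func main() {
	g := NewGreylister()
	t0 := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed timeline
	from, to := "login@example.com", "me@example.net"
	fmt.Println(g.Decide("203.0.113.10", from, to, t0))                    // 451: deferred
	fmt.Println(g.Decide("203.0.113.10", from, to, t0.Add(10*time.Minute))) // 250: retry passed
	// The failure mode from the thread: a retry from a different outbound server is a new triplet.
	fmt.Println(g.Decide("203.0.113.11", from, to, t0.Add(10*time.Minute))) // 451: deferred again
}
```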

  • manxu@piefed.social · ↑4 ↓1 · 2 days ago

    It feels like the factors of authentication discussion misses one important aspect: can the factor be replayed. Passwords can be replayed indefinitely, while the email links you get or the OTP token only work for a short period of time.

    I remember it from the bad days when I used LastPass. Suddenly I got a notification that the place had been compromised and I had to suddenly change hundreds of passwords. 90% of them were for sites that didn’t even exist any longer, but sifting through the long, long list to go change passwords was more work than I wanted to do.

    Don’t have to do that if I need to use a one-time token via Aegis or email! I do agree, though, that for low risk sites, username/password is totally fine.