Wow, I got a headache reading this article, way too much information. And that's probably also the problem with passkeys, too complex. What I don't understand is why they don't simply improve 2FA authenticators, to make them work a bit more like passkeys. So you still need to fill in your password, and the real website (not controlled by scammers) will send you a request for the passkey (with 2FA code or not). If you go to a fake phishing website, then this website won't be able to communicate with the 2FA authenticator, since it doesn't have the private key. And if someone steals your password and goes to the real legitimate website, then they still need your passkey/2FA code. Does this make any sense?
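The mechanism the post above is asking about (the real site issues a challenge, the authenticator signs it, and a phishing site cannot produce a valid answer) is what the FIDO2/WebAuthn protocol behind passkeys already does. The following is an added illustration, written for this thread and not code from the article or from any passkey implementation: a toy Python model of origin-bound challenge/response. The RSA key is a deliberately tiny, unpadded stand-in (constructed from two Mersenne primes) used only so the script runs without third-party libraries; real authenticators use hardware-generated ECDSA/EdDSA keys. All class and function names are made up for the example.

```python
"""Toy model of the origin-bound challenge/response behind passkeys (WebAuthn).

Constructed example: the RSA key below is far too small and unpadded and
exists only to show the protocol structure, never use it for real signing.
"""
import hashlib
import json
import secrets
from urllib.parse import urlsplit

# Two known Mersenne primes, constructed for this toy key (assumption: a
# real authenticator would hold a hardware-generated ECDSA or EdDSA key).
_P, _Q = (1 << 31) - 1, (1 << 61) - 1


def make_keypair():
    n, phi = _P * _Q, (_P - 1) * (_Q - 1)
    e = 65537
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


class Authenticator:
    """Holds one private key per relying-party id; the key never leaves it."""

    def __init__(self):
        self._creds = {}                      # rp_id -> private key

    def register(self, rp_id: str):
        pub, priv = make_keypair()
        self._creds[rp_id] = priv
        return pub                            # only the public key goes to the server

    def has_credential(self, rp_id: str) -> bool:
        return rp_id in self._creds

    def sign_client_data(self, rp_id: str, client_data: bytes) -> int:
        return sign(self._creds[rp_id], client_data)


def browser_get_assertion(auth: Authenticator, page_origin: str, challenge: bytes):
    """The browser, not the web page, writes the origin into the signed data and
    picks the credential scoped to that origin's host. A look-alike domain has
    no matching credential, so nothing is signed for it at all."""
    rp_id = urlsplit(page_origin).hostname
    if not auth.has_credential(rp_id):
        return None
    client_data = json.dumps(
        {"challenge": challenge.hex(), "origin": page_origin}, sort_keys=True
    ).encode()
    return {"client_data": client_data,
            "signature": auth.sign_client_data(rp_id, client_data)}


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.pubkeys = {}
        self.pending = {}                     # user -> outstanding challenge

    def register(self, user: str, pub):
        self.pubkeys[user] = pub

    def issue_challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(32)
        self.pending[user] = c
        return c

    def verify_assertion(self, user: str, assertion) -> bool:
        expected = self.pending.pop(user, None)
        if expected is None or assertion is None:
            return False
        cd = json.loads(assertion["client_data"])
        # Three checks: the challenge is the one we issued (blocks replay),
        # the origin is ours (blocks relaying from a phishing page), and the
        # signature over both is valid under the registered public key.
        return (cd.get("challenge") == expected.hex()
                and cd.get("origin") == self.origin
                and verify(self.pubkeys[user], assertion["client_data"],
                           assertion["signature"]))


def run_scenarios() -> dict:
    """Honest login, look-alike phishing page, replay, and a rewritten assertion."""
    auth = Authenticator()
    rp = RelyingParty("https://example.com")
    rp.register("alice", auth.register("example.com"))

    c1 = rp.issue_challenge("alice")
    good = browser_get_assertion(auth, "https://example.com", c1)
    legit_ok = rp.verify_assertion("alice", good)

    c2 = rp.issue_challenge("alice")                  # phishing page relays the real challenge
    phish = browser_get_assertion(auth, "https://examp1e.com", c2)

    rp.issue_challenge("alice")                       # fresh challenge, old assertion replayed
    replay_ok = rp.verify_assertion("alice", good)

    c4 = rp.issue_challenge("alice")                  # client data rewritten to match, old signature kept
    forged = dict(good)
    forged["client_data"] = json.dumps(
        {"challenge": c4.hex(), "origin": rp.origin}, sort_keys=True).encode()
    forged_ok = rp.verify_assertion("alice", forged)

    return {"legit_ok": legit_ok, "phish_gets_signature": phish is not None,
            "replay_ok": replay_ok, "forged_ok": forged_ok}
```

Only the honest login succeeds. The two layers matter: the browser refuses to use the credential for a host it was not registered for, and even an assertion captured elsewhere fails at the server because the challenge and origin are inside the signed bytes. That is the difference from a TOTP code, which a phishing page can simply forward.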
I thought this was an interesting and quite clear article. But I honestly still don't understand how passkeys are considered to be 2FA, if hackers who can steal the passkeys don't need your passwords any longer. While if you combine passwords with passkeys, they need to steal both of them. https://www.ncsc.gov.uk/blog-post/passkeys-not-perfect-getting-better
The article contains the usual hype... Arguably, they are still viable today - if long enough! I know I keep repeating myself, but this is just another step in the long road of convenience over security.
Anything that relies on having an (extra) phone and bluetooth and similar stuff will never see wide adoption. Passwords don't suck - short, reused passwords are a bad policy, but long passwords not repeated more than once are perfectly fine. It's not your password that's the problem, it's this or that company that keeps your data "in the cloud" that will get hax0red or leak your data that will be the problem. Passkeys being faster than passwords - it's not a time competition, if anything one should be slow and careful when doing any sort of authentication. Finally, calling something passwordless when it uses public/private keys is just mincing words. The private key is the password, except it's no longer human readable, and you're 100% at the mercy of your phone, which can be hacked or run out of juice, as opposed to say your memory or even a slip of paper that cannot. Mrk
No, that's not necessarily the case. There are password managers which support passkeys. E.g., I'm using Proton Pass and I can use my passkeys with it both on my iPhone/iPad and on my Linux system (without the need of a second device).
It's installed on all my devices anyhow (as I need it regardless if I use passkeys or not). So where is the problem?
The "problem" is in having to have the password manager installed on every device and have it with you at all times. Mrk
I must be missing something here. Isn't that the idea, having it installed on every device so that you can use it on every device?
My feelings exactly! More convenience = less security. Tavis Ormandy of Google Project Zero https://googleprojectzero.blogspot.com/ has this to say. https://lock.cmpxchg8b.com/passmgrs.html
It looks like Google and Microsoft might be forcing the issue: https://www.forbes.com/sites/zakdof...-upgrade-why-you-need-to-change-your-account/
Well, apart from being non-memorable by typical human, private/public keys certainly have additional properties that allow things like zero-knowledge proofs etc... To put it another way: if you order a human to create two passwords on the spot, they won't have properties needed for public-key cryptography, even if their lengths match key length...
But I don't want to have all of my passwords on every device. I want to use them very selectively, one here, three there, etc. Mrk
Well, I respect Tavis Ormandy but this site is rather old. It's not mentioned when it was last updated but I remember that I read it years ago. It's true that there have been vulnerabilities in password managers - Lastpass is perhaps the best known example of a careless implementation (Wladimir Palant wrote several times about this disaster). But reputable makers of password managers have learnt from these incidents. Naturally, I'm not familiar with all of them but I'm using Proton Pass and I think they have a strong security model which was audited by the renowned security firm Cure53. Hence, I don't think that it is appropriate to generalize Tavis' old statements. Creating strong passwords and managing them does not work without a password manager for most people. If you think you can without, your passwords are probably weak.
The site's age has no bearing on the strength of his arguments. Extensions are inherently less secure than a browser's built-in features, like password managers. And how could you possibly know the strength of my passwords and how I use them? Your post smacks of presumption.
That's disputable. There are password managers like KeePass which can be used without extensions. So why don't you tell us how you use them? We all want to learn from each other.
Bitwarden on Android uses accessibility functionality, which is also not a browser extension. Personally I use KeePassXC to store everything and use it only on my laptop. The database report says it was created in 2010 and has 881 records to date. Good luck memorizing it all! I don't like to carry all eggs in one basket everywhere, so I also store frequently used, non-critical (no banking) passwords and lunch debit card info in Bitwarden, which I use mostly on Android phones. I store 2FA tokens separately in Authy. I acknowledge that Tavis' concerns are valid, but it is worth mentioning that Tavis has a clear conflict of interest, as his employer is a browser maker, when he says to use the browser password manager as the solution.
Guys, cool discussion, but what about post #2? Wouldn't this make sense to replace the password + 2FA code with password + passkey? https://www.wilderssecurity.com/thr...tely-not-usable-security.455825/#post-3220327
No thanks, this sounds very vague at the moment! And BTW, about combining passwords with passkeys, it would be mostly useful for speeding up adoption of passkeys. And apparently passkeys can't be stolen from devices, because they are stored in the TPM chip; I didn't know this, see the first two links. But how the heck do password managers then interact with these passkeys? I guess this is explained in the third link. https://www.corbado.com/faq/can-passkeys-be-stolen https://www.corbado.com/blog/passkeys-product-design-strategy/password-passkey-authentication https://passage.1password.com/post/eli5-how-does-a-tpm-work