Passkeys are just passwords that require a password manager - Dan Fabulich \ stacker news ~security

pull down to refresh

Passkeys are just passwords that require a password manager - Dan Fabulich danfabulich.medium.com/passkeys-are-just-passwords-that-require-a-password-manager-ebb7f2fdcadf

624 sats \ 18 comments \ @Scoresby 5 Aug security

To present a passkey, you have to use a password manager. This provides some anti-phishing protection. A passkey includes metadata, including the site/app that created it, and the password managers simply won’t provide the passkey to the wrong site/app. There’s no social-engineering technique someone can use to get you to copy and paste your passkey to an enemy.

Is the main advantage of a passkey that it won't let you copy and paste it or is it that it's tied to a specific app/url?

view all related items

202 sats \ 0 replies \ @WeAreAllSatoshi 5 Aug

I think the idea is fine, but in practice, I found the experience to be extremely confusing. It's hard because the passkeys are opaque and you don't really explicitly manage them like you do traditional passwords, so it's hard to wrap your head around what's happening

142 sats \ 0 replies \ @kepford 5 Aug

As they say in the article they are also a public / private key auth unlike passwords you don't have the ability to create a weak one. At least that is my understanding. Its new and many password managers and sites are still working out the kinks in their implementations. I haven't dove into them yet fully. Just been experimenting.

The problem with taking this critique out of context is that you have to realize that most people do not use a password manager and even though it is way easier to do so than not, people aren't doing it. They make bad passwords or reuse them or both. They enter their passwords in phishing sites. Users are more dumb when it comes to tech than most of us in bitcoin realize. If you are the tech person in your family you know what I mean.

We will see if they catch on. As Dan points out, lock in is a concern for me as well. Bitwarden seems to be the best option to avoid that so far but I don't know how well migration works to other passwords/passkey managers. For those that don't know you can self host Bitwarden or use a free account with them. I think most people will use Apple or Google though. That's not good but it is likely better than what they are doing now.

138 sats \ 5 replies \ @kepford 5 Aug

Is the main advantage of a passkey that it won't let you copy and paste it or is it that it's tied to a specific app/url?

Both. Its like using SSH keys if you know what those are except in a much more user friendly way.

If done right you can't get phished(as far as I know). You can't make a weak password. You can't forget your password. You don't have to reset it. In many ways for people that don't do passwords right it is better. Its hard for me to make a valid argument against them. Do I need them? No.

I don't like how it hides this stuff from you. I have trust issues. That said, I am not using it day to day. I need to try it with a few sites and get real world experience.

249 sats \ 4 replies \ @ek 5 Aug

Its hard for me to make a valid argument against them

Here's one: Not being able to export your passkeys makes you dependent on the password manager. If you want to switch, you now have to setup new passkeys for every website where you use them.

And if a password manager allows export (or other reasons in the future), it apparently might be possible to mark them as "insecure" and ban their passkeys if attestation will be mandatory, see this Github comment:

[...]

The unfortunate piece is that your product choices can have both positive and negative impacts on the ecosystem as a whole. I've already heard rumblings that KeepassXC is likely to be featured in a few industry presentations that highlight security challenges with passkey providers, the need for functional and security certification, and the lack of identifying passkey provider attestation (which would allow RPs to block you, and something that I have previously rallied against but rethinking as of late because of these situations).

[...]

and this one.

Just that this might become possible makes me want to stick to password+TOTPs.

55 sats \ 3 replies \ @kepford 5 Aug

Not being able to export your passkeys makes you dependent on the password manager.

Is it not possible to migrate between tools? I don't mean that companies aren't implementing this. I mean is it not allowed by the spec.

But again. The people that need this are not you and I. Its people that WILL export their keys in plain text on their desktop...

102 sats \ 2 replies \ @ek 5 Aug

There's a spec for import and export and a 1Password blog post about it

If that solves vendor lock-in, then I'm just worried about possible attestation stuff

77 sats \ 1 reply \ @kepford 5 Aug

For the record. I'm not SOLD on passkeys as the solution but there's a lot more right with it than wrong. And passwords are just far too easy for people to screw up. There have been other attempts to replace them in the past and who knows if passkeys will catch on.

100 sats \ 0 replies \ @kepford 5 Aug

One of the attempts was SQRL - Secure Quick Reliable Login

136 sats \ 0 replies \ @Artilektt 5 Aug

I tried making the switch-over to passkeys and found it mostly a jumbled mess that was definitely not ready for primetime. Gonna stick with Keepass for now.

102 sats \ 0 replies \ @bitcoingecko 6 Aug

I've been using them more and more with bitwarden and like it

102 sats \ 0 replies \ @DEADBEEF 5 Aug

My understanding is that the main advantage of passkeys is that the website doesn’t store anything that could be stolen in a hack. You have the private information in your password manager. So no more websites hacks compromising thousands of credentials.

102 sats \ 0 replies \ @BlokchainB 5 Aug

I hate passkeys

102 sats \ 1 reply \ @anon 5 Aug

I've been using passkeys for some time now. Once you have a working setup they are very handy, and highly secure. It's more than just a password - it's asymmetric authentication, just like SSH keys, Nostr keys, or bitcoin addresses.

IMO the biggest problem with passkeys is how difficult they are to properly back up. No deterministic backups like the classic BIP39 phrase. Each passkey is random and unique, so you have to keep them all backed up manually like Bitcoin used to require in the early days. Most passkey authenticators make it intentionally difficult to export passkeys.

Because of this, and because not everyone can get them working, we'll always need passwords as a backup authentication method.

0 sats \ 0 replies \ @Scoresby OP 5 Aug

yes, I'd feel more comfortable with an exportable standard I could restore in a number of different password managers. makes me a little nervous to be so dependent on one piece of software.

0 sats \ 1 reply \ @claos545 5 Aug

The main advantage is that it’s cryptographically tied to the app or site. That’s what prevents phishing, your device literally won’t sign a challenge from a different domain, even if it looks identical. The "can’t copy/paste" part is just a side effect of using secure hardware or a password manager to handle it. It's not about making it hard to share; it's about making it impossible to misuse.

0 sats \ 0 replies \ @Scoresby OP 5 Aug

right, but if that also means you get locked-in to using one particular password manager, isn't that a bad outcome?

0 sats \ 0 replies \ @d680ecaa8e 5 Aug

There is disadvantage you can't use your wallet in private navigation to pay something during working hours office unlike those wallet with login and password easier to manipulate like coinbase or spectrocoin

0 sats \ 0 replies \ @Akg10s3 5 Aug

I use BITWARDEN and I'm very happy with the results!

I've even taught my partner what to do if I'm not there at any time!

I showed him how to recover my Bitwarden account.

The password to log in is quite robust, and after all this time, I still can't remember it completely.

I think that's a good thing...