At around 11pm last night my partner went to change our lounge room lights with our home light control system. When she tried to login, her account couldn't be accessed. Her Apple Keychain had deleted the Passkey she was using on that site. This is just the icing on a long trail of enshittification that has undermined Webauthn. I'm over it at this point, and I think it's time to pour one out for Passkeys. The irony is not lost on me that I'm about to release a new major version of webauthn-rs today as I write this.
Apple user, not following best practices, blames the protocol for shitty Apple software simply so they had an opportunity to tell you how cool they are because they use Rust
I think that Passkeys will fail in the hands of the general consumer population.
Authentication always fails in the hands of users... it's not passkey specific.
Hell, even grizzled old Unix admins whose lives revolve around SSH and PGP keys haven't come up with any great solutions, and they have been at it since at least the 1980s.
It's like blaming UX issues on Bitcoin/Nostr, when really the key management sucks and passwords are too insecure to be relied on for anything critical.
Personally I've started messing with YubiKeys; they're taking off everywhere that manages critical systems and are the correct way to use Passkeys... but doing what I wanted with them took quite a bit of thought and debugging. There's no way your average user could have done it.
You can have something easy(ish), or something secure(ish). Pick one.
Summary: I wanted to cede control of everything in my life to 3rd parties (i.e. The Cloud). Now I'm surprised and frustrated that I cannot access those things. I've decided to place the blame on some specific authentication protocol, instead of realizing that "logging into a service to change the lounge lights" was in fact the problem.
This entire story reads like an Onion-mock-HackerNews article.
I had hoped that SQRL would take off but then Passkeys happened.
Just gonna point out that LUD-04, the LNURL authentication protocol, is beautifully simple and free of corporate influence. Also, the user generates their own private keys. I don't understand why anyone would use an auth method where a 3rd party generates the private keys. shudder
Having been one of the first services to implement it, it was a nightmare... users forget which lightning wallet they used to auth, among other things. Conceptually the workings wouldn't be bad, but the root key needs to be something specific (it would be ideal for a brain wallet, imo).
That sucks, sorry to hear. You either need to write stuff down or memorize it.