Adversary-in-the-middle attacks can strip out the passkey option from login pages that users see, leaving targets with only authentication choices that force them to give up credentials.

  • trevor
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    6 months ago

    I’m not an expert, so this is an oversimplification, but:

    Passkeys are essentially like authenticating the same way you do via SSH, but with websites. The site will use a public key for your account. Your passkey holds the private key. That’s it, as I understand it.

    The advantages are that your accounts secured by passkeys will be inherently more difficult to crack than even the most complex, random passwords and it can’t be phished (if you’re using a physical passkey).

    The disadvantage is that the standard is still being worked on, and bad actors (MS, Apple, Google, etc.) are eager and willing to sucker people in to using their vendor lock-in software implementations of them. If you want to avoid this, either use real, physical FIDO-capable hardware authentication keys, or use a FOSS password manager that is capable of emulating them.

    • xyguy@startrek.website
      link
      fedilink
      English
      arrow-up
      4
      ·
      6 months ago

      You also get additional protection because rather than each website holding onto a hashed (hopefully) copy of the user passwords that can be stolen in bulk, stealing the public keys for a passkey from a site wouldn’t compromise the account. Someone would have to get access to your physical device or hack your password manager individually to get access to your passkey.

      And and, the magic for most people is no more passwords and 2 factor stuff to deal with. The standard is still new, and in the cases where you want to use physical keys, its always best to keep 2 in case one gets smushed or goes through the washer. Some sites that have passkeys enabled only let you have 1 passkey. So in that case its kind of risky to make a passkey the only way to sign in.

    • TheButtonJustSpins@infosec.pub
      link
      fedilink
      English
      arrow-up
      2
      ·
      6 months ago

      Okay, so it’s just like Yubikey-type stuff? I’ve thought about that before but it seems very risky - they recommend you get two and set both of them up so you have a backup, but that would require all websites to support that, right?

      I’m down for using BitWarden, though, if I can substitute it for physical keys.

      • trevor
        link
        fedilink
        English
        arrow-up
        3
        ·
        6 months ago

        Okay, so it’s just like Yubikey-type stuff? I’ve thought about that before but it seems very risky - they recommend you get two and set both of them up so you have a backup, but that would require all websites to support that, right?

        Pretty much. I suppose that’s a very real disadvantage to using physical passkeys. If you lose it, unless you have multiple passkeys configured, or have access to an account recovery method, you lose that account.

        But, like you mentioned, using Bitwarden would sidestep that issue, and they do support passkey emulation.