top | item 39732313


dyml | 1 year ago

You make a valid point about “non-resident” WebAuthn 2FA being great 2FA. However, passkeys are also great, and they depend on your context. Most people are in the passkey context.

For people who are not knee-deep, I think we can explain a bit better why passkeys replace passwords:

With non-resident (2FA) keys you need to identify your account first. Since you don’t want to have account enumeration, this means doing a primary authentication, e.g. passwords.

With passkeys, the website can just ask your browser to sign in with any of the accounts it has passkeys for, which results in a one-click sign-in.

While hardware-backed security keys for 2FA are great 2FA, there’s a tangible cost, both in UX and $, that leaves many users left out (not everyone can afford $20 for a security key).

Source: I work at Bitwarden building our Passkey API for developers. We support both 2FA and passkeys, both in the API service and in our password manager. Feel free to ask me anything related.

Borealid | 1 year ago

You don't need a password to prevent account enumeration; you can send people who choose a nonexistent account a bogus credential that the token won't accept.

You have to display the password prompt for invalid accounts to avoid enumeration without webauthn too...

ivlad | 1 year ago

> Since you don’t want to have account enumeration, this means doing a primary authentication, e.g. passwords.

Nothing prevents the site from sending a blob of random data when the real key is not found.

> While hardware backed Security Keys for 2FA is great 2FA, there’s a tangible cost, both in UX and $ that leaves many users left out (not everyone can afford $20 for a security key)

Both major desktop operating systems come with WebAuthn support - Windows via Windows Hello and macOS with a Secure Enclave backed key store. That's not a problem at all in a corp environment. Buying a Yubikey (or two) for each employee in the company is a minimal cost compared to a laptop, desk, chair, software licenses.

We use WebAuthn as the first factor, and we love it because it completely eliminated the password brute force problem. Password attacks (brute force and stuffing) are a much bigger problem than account enumeration, especially in corp environments where usernames follow a name-based pattern and everybody is on LinkedIn.

BTW, we are a paid Bitwarden customer, and our Helpdesk was not too happy when a Bitwarden update resulted in an unexpected prompt interrupting the WebAuthn authentication flow for users. )
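The two replies above make the same point: a relying party does not need a password step to avoid enumeration in the non-resident flow, because it can answer an unknown username with a bogus credential ID. The added example below (mine, not code from any of the commenters or from Bitwarden) shows the server side of both flows in one function: the passkey flow returns an empty `allowCredentials` list so the authenticator picks the account, and the non-resident flow returns the account's real credential IDs or, for an unknown account, deterministic fake ones. The user store, the secret `FAKE_ID_KEY`, and the helper names are constructed for the example. The one caveat worth seeing in code is that the fake IDs must be stable: random data that changes on every request is itself an enumeration oracle.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample store: one registered user with two non-resident credentials.
# In a real relying party these rows come from the database.
USERS = {
    "alice": [b"\x01" * 16, b"\x02" * 16],
}

# Assumed server-side secret for deriving fake credential IDs. Keep it stable: if it
# rotates, the fake IDs for a nonexistent username change between requests, and an
# attacker can tell "unknown user" (IDs change) from "known user" (IDs stable).
FAKE_ID_KEY = b"constructed-secret-replace-in-deployment"
FAKE_CREDENTIAL_COUNT = 1  # match what a typical real account has, or the count leaks


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding WebAuthn JSON uses for binary fields."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def fake_credential_ids(username: str, count: int = FAKE_CREDENTIAL_COUNT) -> list:
    """Deterministic bogus credential IDs: the same unknown username always yields the
    same IDs, and a different username yields different ones, as real accounts would."""
    return [
        hmac.new(FAKE_ID_KEY, f"{username.lower()}:{i}".encode(), hashlib.sha256).digest()[:16]
        for i in range(count)
    ]


def assertion_options(rp_id: str, username: Optional[str] = None,
                      challenge: Optional[bytes] = None) -> dict:
    """Build PublicKeyCredentialRequestOptions (JSON-ready) for navigator.credentials.get().

    username=None is the passkey (discoverable credential) flow: allowCredentials is
    empty and the authenticator offers whichever accounts it holds for this rpId, so the
    server never has to name an account up front.
    Otherwise this is the non-resident flow: the server lists the credential IDs for the
    named account, and for an unknown account it lists bogus IDs instead of an error.
    """
    opts = {
        "challenge": b64url(challenge if challenge is not None else os.urandom(32)),
        "rpId": rp_id,
        "timeout": 60000,
        "userVerification": "preferred",
    }
    if username is None:
        opts["allowCredentials"] = []
        return opts
    real = USERS.get(username.lower())
    credential_ids = real if real else fake_credential_ids(username)
    opts["allowCredentials"] = [{"type": "public-key", "id": b64url(cid)} for cid in credential_ids]
    return opts


def find_credential(username: str, credential_id: bytes) -> bool:
    """Second step: the authenticator's response names a credential ID. An unknown user
    and a wrong ID take the same path and give the same False, which the caller (assumed)
    maps to one generic "sign-in failed" message."""
    return credential_id in USERS.get(username.lower(), [])
```

For a response whose `allowCredentials` holds only fake IDs, a real authenticator simply reports that it has no matching credential, and the client sees the same failure it would see for a real account whose key is not plugged in. Two things this code does not equalise, and a deployment must: the length of the fake list relative to what real accounts have, and the response time of the real database lookup versus the HMAC.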

TomatoDash | 1 year ago

A bit of a tangent, but do you have a view on prices for hardware security keys like YubiKey? For private use they're a pricey option, especially if you get a few backup keys. Could a big actor like Google, if they wanted, scale up production, sell at cost and get prices down to say $2 each? Or are the components and manufacturing inherently more costly? Is there anything on the horizon that will likely bring much lower prices?

arccy | 1 year ago

This is why they're pushing passkeys in phones' secure element with cloud account sync: getting people to keep a separate set of hardware keys is nigh impossible at scale.

lxgr | 1 year ago

There is actually a path to $2 keys:

Most modern smartphones support contactless smartcards (a.k.a. "NFC"), which can be used as FIDO credentials. It should be possible to produce these for around $2 at scale.

They wouldn't work at computers, unfortunately (not even with an adapter, since desktop browsers and OSes don't expect to speak FIDO-over-ISO-7816-over-CTAP-over-USB), but with QR-based cross-platform flows now part of the specs, phones could pretty straightforwardly serve as readers for other devices.

If large issuers of ISO-based smart cards (e.g. banks or government authorities for biometric ID cards and passports) could be convinced to just throw a FIDO implementation on there (there's open-source ones available!), people could even use the cards they already own.

crote | 1 year ago

Yubikey used to sell a simple WebAuthn-only key for $10-$15. USB-only, no NFC or anything. It was blue instead of the standard black. That one was essentially killed when passkeys became popular, because it didn't support resident keys. I believe some companies (Google? GitHub?) were giving them away for free.

Its replacement is $25, which is expensive enough to be an issue for poor people.