top | item 47190414

(no title)

arjie | 1 day ago

Passkeys have way too many footguns for me. If I use my phone to sign in I'm going to accidentally create a passkey there on iOS embedded webview. When I use Google Chrome, the website won't give me any information for me to find where I stored the passkey. Was it in iOS keyring? Chrome? My Bitwarden? If I had any discipline around this it would make sense but if I accidentally double tap on the screen I've got a passkey and it's stuck on my phone.

I'm sure it's of use to many people but it's been no end of pain for me and it has really signaled to me what it's like to grow into an old man unable to use computers when I was once a young man who would find this easy.

discuss

snailmailman|1 day ago

I like the concept of them, and I want them to work well purely so people stop using bad passwords. But nearly everywhere does it differently and weirdly and likely wrongly.

When I log into my Amazon account with a passkey, it then asks me for a 2FA code. The 2FA code is stored on the same device as a passkey, that step literally does nothing. After I do the 2FA code, it then prompts me to create a passkey. No! I have one. I signed in with one.

Some devices give me the option to use a QR code. I like that option usually, I can easily use my phone to authenticate. But sometimes i can’t get the QR code to appear. Support varies by OS, browser, and set of installed extensions. And there’s no easy way to control which of those three handles the passkey when something decides wrongly.

I had to troubleshoot something on someone else’s computer, and saw that they logged in to windows with a passkey and QR code. I’ve looked, and I can’t seem to set that up on my windows computer. There isn’t an option to and I have no idea why.

trueismywork|1 day ago

Passkeys IMO will only work with dedicated U2F/FIFO keys like Yubikeys.

nerdsniper|9 hours ago

> I'm sure it's of use to many people but it's been no end of pain for me and it has really signaled to me what it's like to grow into an old man unable to use computers when I was once a young man who would find this easy.

My only "good" solution for passkey UX is to make sure all my devices are Apple. Apple's password/keychain integrates reasonably well enough with Chrome, I can share passkeys with my cofounder easily in shared folder (he is also all-in on Apple ecosystem) and I can share passkeys with my work computer (different AppleID) for low-stakes things like news websites or Amazon.com (I work in IT security for the org, so I know exactly how much I can trust my employer)

I do also use Linux and Windows personally, and the passkey story is much worse there, particularly for Linux which doesn't seem to play well with my Yubikeys. Luckily, a lot of websites seem to have a "Scan this QR code with your iPhone" feature to complete the passkey authentication.

lxgr|1 day ago

Passkeys on iOS and macOS actually work quite well in that regard. They get stored in your provider of choice across the web, web views, apps etc., at least in my experience.

Mine is Bitwarden, and that's available on pretty much all platforms, natively where available (except on macOS currently), as a browser extension otherwise.

For the rare instance in which I need to authenticate using a passkey on a computer where I'm not logged into Bitwarden, there's the cross-device CaBLE flow where I can scan a QR code with my phone and use Bitwarden to authenticate. This works across OSes and browsers.

Cyph0n|1 day ago

The problem with passkeys is that they aren’t exportable (at least from Bitwarden).

freeopinion|1 day ago

> This works across OSes and browsers.

It doesn't work for me in Firefox on Linux. I'm very curious to know how it works for you.

javier2|1 day ago

except... i store my password for work in bitwarden, so I dont want to also keep my work passkeys in the same place. For my personal stuff, that is a risk I can live with so far, but for work it seems dumb.

duxup|1 day ago

Yup. I hate them. I get the problem they're trying to solve, it just seems like I have more work to do... and I honestly don't even follow what is going on sometimes.

I recently moved to a new computer and it's just an AUTHHELLSCAPE.

shaky-carrousel|1 day ago

I truly don't see the advantage of passkeys over a password manager like bitwarden, with random passwords.

pibaker|1 day ago

The main benefit is you will never put your passkey on a phishing site. Password managers provide some protections against it because if they do not work automatically on a website you know something is fishy, but sadly many websites have botched their password input so even with a password manager you may still need to manually copy and paste (or even type, if pasting is disabled) the password.

The problem is whether or not the benefit outweighs the additional risks introduced — losing account access when you lose a device, furthering device lock down, difficulty transferring the passkey between devices, UX degradation due to bad implementation. In my opinion the answer is no and I am sticking with my passwords.

bryantwolf|1 day ago

The advantage is that the password never leave the device. It has a public key and signs challenges with the private key but nothing sensitive goes over the wire on every login

brikym|23 hours ago

The benefit is that they aren't phishable.

red_admiral|1 day ago

They're more accessible to people who don't understand computer security?

UltraSane|1 day ago

The main advantage is how strictly limited export of the passkey secret is. It is very unlikely for it to ever be phished or copied.

cedws|1 day ago

There’s another foot gun I wrote about recently:

https://cedwards.xyz/passkeys-are-not-2fa/

dwedge|1 day ago

I was reading your other blog post about storing them in bitwarden I have to disagree with this point:

> Unless you were forced to by some organisational policy, there’s no point setting up 2FA only to reduce the effective security to 1FA because of convenience features.

2FA both stored in your password manager is less secure than storing than separately, but it still offers security compared to a single factor. The attack methods you mentioned (RAT, keylogger) require your device to be compromised, and if your device is not compromised 2fa will help you.

To slip into opinion mode, I consider my password manager being compromised to be mostly total compromise anyway.

Also I really like the style and font of your blog.

JasonADrury|1 day ago

This isn't a footgun, you just have absurd security requirements.

>It should be pretty obvious that using a passkey, which lives in the same password manager as your main sign-in password/passkey is not two factors. Setting it up like this would be pointless.

You simply do not need two factors with passkeys. Using passkeys is not pointless, they are vastly more secure than most combined password+2fa solutions.

There are extremely few contexts where an yubikey would be meaningfully safer than the secure element in your macbook.

lxgr|1 day ago

> It should be pretty obvious that using a passkey, which lives in the same password manager as your main sign-in password/passkey is not two factors. Setting it up like this would be pointless.

If your password manager is itself protected by two factors, I'd still call this two-factor authentication.

FreakLegion|1 day ago

Passkeys are meant to replace passwords. Not being second factors is the point.

giancarlostoro|1 day ago

I just use iOS' wallet for all of it, the only exception being if its something I 100% need to open outside of my iphone / macs. Then I go for BitWarden, turns out I dont need any apps to open outside of that sandbox, I am okay only opening these up on Mac. I can always type my password on Linux. That's what bitwarden is for anyway.

weird-eye-issue|1 day ago

Embedded webviews are the stupidest thing ever. Yesterday I got halfway through a checkout process, had to go back to another app to check something, and then the webview simply disappeared so I didn't bother finishing the checkout. This was on Android

Usually I open it in Chrome but for some reason I didn't realize it was a webview this time

OptionOfT|1 day ago

Embedded WebViews are a way to track you:

https://news.ycombinator.com/item?id=32514793

mgrandl|1 day ago

I disable them on every app that lets me. It is in every way worse UX than simply opening the browser.

dgxyz|1 day ago

God yes that. Our VPN client fell over the other day because the auth popup opens an embedded web browser which throws a javascript error as it's bouncing through our ID provider pages. How the fuck we got there I don't know. Everything is a gigantic Heath Robinson contraption.

ezfe|1 day ago

The system always asks where you want to store it, and all passkey managers vend to the system prompt with labels so you can see where it is.

This is not an issue on iOS, I can’t tell how what you’re describing could happen.

zenmac|1 day ago

>If I had any discipline around this it would make sense but if I accidentally double tap on the screen I've got a passkey and it's stuck on my phone.

The problem is not with passkey rather system such as iOS keeps a tight lid on how files are uploaded and retrieved from the device. There is a real disconnect between desktop and mobile file system now days.

EnPissant|1 day ago

You can just use bitwarden everywhere if you are ok with it in the cloud.

arjie|1 day ago

I do use Bitwarden everywhere but a couple of times the passkey prompt doesn't show it. I think that's how I got the webview for one of my google accounts stored in iOS keychain.

mkehrt|1 day ago

Tell that to my mom who has created a bunch of passkeys all over the place without knowing what they are. I'm trying to unwind it but it's a mess.

rstat1|1 day ago

Doesn't need to be in the cloud for it work everywhere.

madduci|1 day ago

For this reason I am avoiding it like a plague. It is an additional way to fingerprint your activity and the scenarios where you migrate your passkeys from a device to another seems not really well "oiled"

lxgr|1 day ago

How can passkeys be used to fingerprint you? The WebAuthN extension goes to pretty great lengths to avoid fingerprinting.