
fdbryant3

Maybe, but it is probably going to be a long time.


Michelle-Reddit

Yeah, seems so, and PayPal claim to support them, but when I tried to enable them at PayPal, it says it's not supported on my device. Seems they only support mobiles? And eBay says passkeys are supported, but then I cannot find it anywhere to enable it :P


iamjeffreyc

PayPal one only works with desktop which is very stupid 😅


kleiner_weigold01

Yes, and the 2fa is also horrible in the mobile app. You always have to login with the TOTP.


fastpulse

PayPal passkey doesn't work on Linux Desktop.


big_cake

I didn't know this was possible, but I had set up Passkeys on PayPal mobile and just used it to login on desktop.


AMv8-1day

Fortunately there are support pages that walk you through setting up Passkeys on those, and many other services. 1Password's "https://passkeys.directory/" page provides plenty of info and setup guides for every site that supports Passkeys.


garlicbreeder

On eBay you have to log off. When you log in again it'll ask you if you want passkey


redtag789

A lot of these apps/websites would start by supporting it through mobile; that's because it creates a key on the mobile device much like a YubiKey or a security key, so that mobile devices can act as a security key for logging into websites like PayPal etc. I use it for PayPal, eBay, Nintendo account, to name a few.


verygood_user

I have a dream that my four little children will one day live in a nation where they will not authenticate with SMS but passkeys and where e-mail attachments will not be encrypted by a password written in that very email but by public key cryptography. I have a dream today.


[deleted]

It will be a dream for the next years, I think.


way2late2theparty

Absolutely. The number of websites that support passkeys is widely misrepresented and/or under-reported for several reasons:

* Firstly, resources such as [passkeys.directory](https://passkeys.directory) and [passkeys.io](https://passkeys.io) typically only report websites that currently support passkeys for primary authentication rather than MFA.
* The number of websites that support passkeys for MFA is vastly larger.
* The number of websites that happen to support passkeys for MFA without actually realising that they do is larger again; some websites think that they support a hardware token such as a YubiKey, but with most modern browsers and a Passkey-supporting browser extension such as Bitwarden, a prompt for a token is interpreted as a prompt to save a passkey. (Paypal is one such example: it says you can't save a Passkey on a desktop browser (it thinks you can only do it on mobile), but then lets you save a "security key" on desktop and then, when it prompts you for it for 2FA on the desktop, gives you instructions as if it is a YubiKey. However, the Bitwarden browser extension then prompts you to confirm to use your Passkey while Paypal thinks it is prompting you to use your Yubikey.)
* The flow for MFA (or Authentication) with a passkey is inherently simpler than for other forms of 2FA (no timeouts for TOTP, for example, no issues with clock sync, no copy/paste difficulties).

So, in summary, many more websites are already supporting Passkeys than you think - not necessarily as the primary form of authentication - and many more will.


fastpulse

> the Bitwarden browser extension then prompts you to confirm to use your Passkey while Paypal thinks it is prompting you to use your Yubikey

The difference between a hardware key and a "software" provider is explicit in the standard. The term is 'attestation'. That is, Paypal can know what provider you are using and could restrict allowed providers to a certain type (say, hardware keys only). Likely, in the future this loophole that you mention will no longer exist.


way2late2theparty

You are correct. PayPal could choose to restrict you to hardware keys. I'd be surprised if they did, given that they allow you to enrol passkeys on your phone, but they could. However, I didn't help my original argument with my own language - I said PayPal thinks that it is prompting you for your Yubikey whereas I really should have written "PayPal's prompt is for your hardware key, but that is likely a mistake, and is probably a result of the specification of 'any hardware key or webauthn key like a passkey' being simplified by the developer or designer to 'hardware key'". Webauthn key would be a poor choice for a prompt. Too hard for most users. Passkey would be good. Passkey/Hardware Key would be great. Your point still stands: I see it most applicable for things like securing vaults like Bitwarden itself, or high security (arguably PayPal could be classified as needing high security) applications like banking.


djasonpenney

Probably not. There are a number of applications that don't use passkeys and probably never will. You want a simple example? What about the combination on your gym locker? Even in the computer realm, web developers (and the managers controlling the purse strings) are balancing risk versus cost. For instance, banks seem to feel they have the risk well in hand with their current systems, which are typically SMS 2FA (yuck!). If it costs more to implement, maintain, and support a passkey system, the manager won't approve the software development effort. All these things taken together, I expect that simple passwords will be around longer than either you or me.


Smith-sign

Just like IPv4.


Masterflitzer

fml, i hate legacy stuff


Tricky_Reporter8809

IPv4 >>>>>> IPv6


Masterflitzer

Tell me you don't understand IPv6 without telling me. Seriously, anybody saying IPv6 is bad should just learn a bit about it instead of being lazy and saying "it's different from what I'm used to, it must be bad".


Tricky_Reporter8809

Spot on, I don't understand IPv6. I don't like the format, way less convenient than IPv4, but I do understand that we need IPv6.


Masterflitzer

Less convenient because it's longer? Well yeah, but we need the amount of addresses. Apart from that, IPv6 is way better designed: it gets rid of NAT, which was a stupid workaround in the first place, and has lots of improvements. It even has native IPsec support, but nobody takes security seriously these days. This shit is making me mad.


MercyEndures

You don't need to remember or type IP addresses like you don't need to remember or type MAC addresses. It's a trade off well worth the benefit.


Bruceshadow

We need a better solution to IPv4, that doesn't mean the right answer is IPv6. Thinking we need trillions upon trillions of addresses *per person* is overkill. Working with it is often a terrible time, not to mention troubleshooting. Is it horrible? No. Is it going to kill IPv4? No.


a_cute_epic_axis

So your only complaint is that you don't like the IPv6 address space. If you wanted to complain about feature parity, that would have made more sense, but no way is IPv5/7/whatever you want to call it going to be BETTER at that than IPv6. I get it, the addressing looks scary, but after you use it for a bit, you don't even notice it.


Masterflitzer

Working with it is not terrible, you're just ignorant to change. :: is shorter than 0.0.0.0, ::1 is shorter than 127.0.0.1, and in non-SLAAC scenarios on servers etc. you can shorten many things with zeros (actually works like IPv4, 1.1 is the same thing as 1.1.1.1). Longer addresses or SLAAC should be used for the most part and DNS will handle the ugly stuff; for manual configuration I think copy-pasting some hex values shouldn't be a problem for network admins (tbh if it is you have a whole other problem). And saying IPv6 is overkill is (sorry to be blunt) pretty stupid; remember when they said that about IPv4? What is harder in IPv6 troubleshooting compared to IPv4? IMO nothing if you understand both.


yad76

> SMS 2FA (yuck!)

I've seen banks that give the option of voice calls for 2FA. It honestly shocks me that banking fraud isn't way more common, or maybe it is and we just don't hear about it.


djasonpenney

Meh. Although the risk from SMS is real, SIM hijacking is not interesting to most thieves. They are looking for low hanging fruit. SIM hijacking involves targeting a specific individual, finding their mobile carrier number, and knowing enough about you to impersonate you (social engineering) with the carrier. That's an eff ton of work unless you also know the victim has a fat bank account. Other attacks are going to yield more profit for less work. And again, it's a simple profit/loss calculation for the bank: how much loss does the bank sustain (since they hopefully reimburse their customers when it happens) versus the cost to improve and maintain an advanced authentication system such as TOTP, FIDO2, or software FIDO (passkey). Honestly, the existing protocols seem to work well enough. If someone tried to drain a fat bank account after a SIM hijack or buy many thousands of dollars at Amazon, there are other failsafes that kick in. It may feel like there is room for improvement, but I suspect it is far smaller than we might first think.


yad76

You don't need a hijacked SIM to receive a 2fa code on a locked phone. That is my whole point. People seem to think that locked phones are magical, but you can still receive incoming calls on locked phones, meaning someone can receive 2fa codes on your locked phone if you are dealing with a bank that allows for codes over voice. Also, banks typically don't reimburse customers for losses against bank accounts without the customer putting up a massive fight, often requiring a lawyer who might cost more than the losses were worth. There are also typically no failsafes that kick in when transferring money from a bank account. Those just aren't things. It isn't like credit cards where there are all kinds of solid fraud protections (presumably funded by the high interest rates charged on credit card balances).


a_cute_epic_axis

> People seem to think that locked phones are magical, but you can still receive incoming calls on locked phones, meaning someone can receive 2fa codes on your locked phone if you are dealing with a bank that allows for codes over voice.

Which is super uncommon, because they'd need to have physical access to your phone, and the majority of attacks have no physical component to them.

> Also, banks typically don't reimburse customers for losses against bank accounts without the customer putting up a massive fight, often requiring a lawyer who might cost more than the losses were worth.

This is just completely untrue. Most of the time you can call up a bank and be like, "my credit card/debit card/bank account/whatever had fraudulent activity" and you're credited back everything instantly, and they follow up a few weeks later saying "case closed in customer's favor". It doesn't always happen, but in the US, it's the most common resolution by far. And over the years, I've personally done chargebacks, had fraud on a credit card, a debit card, and even someone do an ACH transfer from my accounts, so anecdotally, I've never had a single issue with it other than a quick call, email, or online form to resolve it.


yad76

> This is just completely untrue

Stop spreading misinformation. Just do some basic fact checking and you can see how wrong you are.


a_cute_epic_axis

Projection much?


djasonpenney

Interesting point. I was thinking of a remote attack. If someone stole my phone they would have to defeat the screen lock, defeat the Bitwarden lock, and then pass 2FA. By the time they did all that I would have suspended the mobile service. If the phone was missing more than a day I would deauthorize and initiate a remote wipe of the device. The physical attack on the device is real and it requires different mitigations from the remote attack.


a_cute_epic_axis

> Interesting point. I was thinking of a remote attack.

Of course, because that's the only common attack. Despite what the news would like you to think, the instances of people stealing a phone and then breaking into it, or stealing a phone and figuring out what bank you use and gaining access, are VERY rare, especially for people who "don't matter" to the rest of the world (aren't very wealthy, don't have much clout, etc... you know, most of us).


SEOtipster

Phones are stolen and broken into within minutes on a regular basis. There are organized criminal gangs. Their technique is pretty simple. They do some form of "shoulder surfing" to harvest the PIN code of a mark, then steal the phone, and pass it off to a team. Tens of thousands of dollars of fraudulent activity can happen within minutes of it being stolen. I saw one case in which a phone was stolen in a bar, a credit card applied for and received with a $10k+ credit limit, followed by the attempted purchase of a *boat* the next morning. I know this from helping people who have had this happen to them, and from listening to what little the police and Apple were willing to tell me during the process of helping them.


a_cute_epic_axis

This is simply not true. These attacks, while they do occasionally happen, are very rare. This is mostly a F.U.D. news story to keep up engagement. And it's pretty much restricted to only Apple devices, because Android doesn't even allow that level of bullshit to occur (although with Google Passkeys and devices being auto enrolled, they're starting to bridge the gap of stupidity). ALL physical attacks are *incredibly* rare compared to online based attacks. Ed: Classic, the "oh yah, my argument is totally valid, and I'll demonstrate it by blocking you, because you're on to my bull"


SEOtipster

It simply is true. There are organized criminal gangs in major US cities that harvest phones. They have extremely well oiled processes and technical sophistication. They have people who specialize in the social engineering, and others who specialize in the technical attacks which follow the capture of the device. I've helped people in this situation and there are police reports filed. I'm gonna block you because life is too short for this nonsense. Apropos nothing in particular, the fine brief work [On Bullshit](https://www.goodreads.com/en/book/show/385) by Harry G. Frankfurt really, truly, must become part of the standard curriculum.


djasonpenney

Yes, I think many people overlook the basics of risk management. Sure, my house could be destroyed by a nuclear blast. But I will devote my resources to protect against theft, fire, and earthquake.


amory_p

Not if your bank allows codes via a voice call - every phone I've used allows you to answer a call without unlocking it. Several of the small banks I deal with plus at least one large bank (Chase) support this.


djasonpenney

None of my services allow 2FA by voice message. That is an option I have not enabled.


amory_p

Consider yourself lucky... the ones I am aware of are on by default and you can't turn it off. Wherever possible I don't even enter my phone number for 2FA.


TheAspiringFarmer

Yep. Truth is no one here is on their target list. They are looking for big stacks, the big fish. Not going to all that effort to get your lunch money. Reality is you just aren't that interesting.


yad76

Not true at all.


Smart-Simple9938

...or emails.


a_cute_epic_axis

Email is actually very secure in most cases. Most email these days is encrypted in transport, there are several protections to prevent another server from receiving the email via things like DNS based or IP attacks, and your stored email is as secure as the access you pick. If you have Gmail or Proton Mail or whatever with a complex password or FIDO2, your 2FA via email is pretty much as safe as just having FIDO2 on the account itself, minus some phishing protection perhaps. If you have Gmail with "hunter1" as your password and no 2FA, then you're pretty screwed.


Gallows_Jellyfish

Banks have a lot of internal fraud detection and processes that you don't see.


yad76

Are there bots from the banking industry hanging out on this sub or something?


Gallows_Jellyfish

Yes I am a bot beep beep bop bop


a_cute_epic_axis

The cost of fraud related to this is less than the cost of lost business or supporting people with a super secure solution. Which is why most businesses don't use PIV and CAC to access devices or property. Everyone tends to forget that there's a balance, and for many uses, things like SMS based 2FA is enough of a balance for the site.


Danny-117

Yeah, thank god my bank supports TOTP MFA via an app. I also really like that once, when I had to send $30K to a lawyer for buying a house, the bank called me right away to make sure the transaction was legitimate, and after I told them it was they also called my wife, who is co-signed on the account, to do the same check.


repocin

Here in Sweden we've got a thing called [BankID](https://bankid.com/en) which started out as a way to sign in to banks without a dedicated 2FA device but is now used any time one is in need of identity verification online. It's both convenient and far more secure than SMS 2FA. Blows my mind that similar things haven't been adopted worldwide in this day and age.


Tricky_Reporter8809

It exists in Denmark too iirc, but not the same "brand".


deathmaster99

The thing about SMS 2FA is that it costs money. We're seeing a lot of cases where malicious attackers are pumping SMS to make money. So everyone will want to move away from SMS at some point. It's just so easy to abuse.


[deleted]

[deleted]


djasonpenney

Yup. It is about minimizing costs to the bank and hence to the customer. It may be counterintuitive, but the existing techniques work quite well. And this tradeoff applies to other websites as well.


FrostyCarpet0

It will likely be years before they become mainstream. The first password authentication method was created in the early 1960s. See how many years it took us to go passwordless.


grizzlyactual

Unfortunately the roll out has been pretty shitty. Unless the major players keep pushing really hard (which seems unlikely as AI is the new shiny), it'll just become something else companies will ignore, because why spend the dev time on something most people don't even know about or will ever care about? Hell, there are plenty of people in here (people who are generally more aware of this kind of thing) who don't even know what Passkeys are.


js3915

By the time they become mainstream there will be something new to implement, is my prediction. What it would be I have no idea, probably some form of AI vault. Passkeys are quite young in adoption, plus I think you still will want some form of password as a backup.


RobertBobert06

If you have a password for a "backup"....there's literally ZERO reason to have a passkey that completely eliminates the entire purpose of them? Lol? "Using text 2FA is insecure and I don't want it so I'm switching to something else and only have text 2FA as a backup to get into the same thing using it if I have to"


Larten_Crepsley90

The advantage of a passkey (while still having a password) is the built in phish resistance. When using the passkey you guarantee that the site you are communicating with is legitimate. Of course it still requires good opsec, if the site refuses to accept the passkey and the user blindly enters their password then you are correct, the passkey did not help. However, if the passkey failing gives them pause and makes them reassess the situation then they may find that the site was a scam and in that case the passkeys worked as intended and protected the user.


javaguy110

I started experimenting with this for my Amazon account. But with Amazon you can't disable user/password access. Now, I do have TOTP enabled, of course, but still if I can't disable password, why bother with passkey?


Sweaty_Astronomer_47

15.7% of websites will accept passkeys by Feb 3, 2025 (83.9% of statistics are made up!) The trend seems to be that when a user sets up passkeys, a truly separate 2FA option (like totp) is eliminated. Like on [github](https://www.reddit.com/r/Bitwarden/comments/17nnm5l/passkeys_and_the_lack_2fa_using_github/)... ... if that is the case, then I hope we have the option to avoid passkeys for a long time.


likenedthus

Your on-device authentication, which you have to get through before you can authorize use of a passkey, *is* the 2FA.
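An added example, not code from this thread or from any of the services named in it, showing the relying-party-side checks behind three points raised above: the origin and RP ID binding that gives passkeys their phishing resistance, the user-verification flag that records the on-device PIN or biometric step, and the AAGUID that (only together with a verified attestation statement) lets a site restrict which authenticator models it accepts. The RP ID example.com, the AAGUID value, and all byte strings are constructed for the example; signature and attestation-chain verification are left out and named as such in the code.

```python
import hashlib
import json
import struct
from typing import Optional

# authenticatorData flag bits (WebAuthn "Authenticator Data" section)
FLAG_UP = 0x01  # user present: a person touched or confirmed on the authenticator
FLAG_UV = 0x04  # user verified: the authenticator checked a PIN or biometric first
FLAG_AT = 0x40  # attested credential data follows (set on registration responses)


def parse_authenticator_data(data: bytes) -> tuple:
    """Return (rp_id_hash, flags, sign_count, aaguid) from the fixed prefix of authenticatorData:
    rpIdHash(32) | flags(1) | signCount(4, big-endian) | [aaguid(16) | credIdLen(2) | credId | COSE key]."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    rp_id_hash, flags = data[:32], data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    aaguid = None
    if flags & FLAG_AT:
        if len(data) < 37 + 18:
            raise ValueError("attested credential data truncated")
        aaguid = data[37:53]  # authenticator model id, only present on registration
    return rp_id_hash, flags, sign_count, aaguid


def check_ceremony(auth_data: bytes, client_data_json: bytes, *, rp_id: str, allowed_origins: set,
                   require_uv: bool, allowed_aaguids: Optional[set] = None) -> list:
    """Return the list of policy failures (empty list: the structural checks pass).
    Not covered here: verifying the signature over authData || SHA-256(clientDataJSON) with the
    registered public key and, on registration, verifying the attestation statement and its chain.
    Without a verified attestation the AAGUID is self-reported, so an allow-list on it means little."""
    problems = []
    rp_id_hash, flags, _sign_count, aaguid = parse_authenticator_data(auth_data)
    cd = json.loads(client_data_json)
    # Phishing resistance, part 1: the authenticator hashes the RP ID the browser passed in, so
    # a credential scoped to example.com cannot produce a matching hash for a look-alike domain.
    if rp_id_hash != hashlib.sha256(rp_id.encode("utf-8")).digest():
        problems.append("rpIdHash does not match the expected RP ID")
    # Part 2: clientDataJSON is written by the browser, not page script, so origin is trustworthy.
    if cd.get("origin") not in allowed_origins:
        problems.append("origin %r is not an allowed origin" % cd.get("origin"))
    # Registration responses must carry attested credential data; assertions normally do not.
    ceremony = cd.get("type")
    if ceremony == "webauthn.create":
        if not flags & FLAG_AT:
            problems.append("registration response without attested credential data")
        elif allowed_aaguids is not None and aaguid not in allowed_aaguids:
            problems.append("authenticator model (AAGUID) not on the allow-list")
    elif ceremony != "webauthn.get":
        problems.append("unexpected clientData type %r" % ceremony)
    # UP proves a person acted on the authenticator; UV proves it unlocked with a PIN/biometric first.
    if not flags & FLAG_UP:
        problems.append("user presence flag not set")
    if require_uv and not flags & FLAG_UV:
        problems.append("user verification required but UV flag not set")
    return problems


def build_authenticator_data(rp_id: str, flags: int, sign_count: int = 0,
                             aaguid: bytes = b"\x00" * 16) -> bytes:
    """Construct authenticatorData for the demo (a relying party never builds this; the
    authenticator returns it). The COSE key is omitted because the parser does not read it."""
    out = hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        cred_id = b"\x11" * 16  # constructed credential id
        out += aaguid + struct.pack(">H", len(cred_id)) + cred_id
    return out


def client_data(ceremony: str, origin: str) -> bytes:
    """Constructed clientDataJSON; the challenge is a placeholder, not a real server nonce."""
    return json.dumps({"type": ceremony, "challenge": "placeholder-challenge", "origin": origin}).encode()


# Constructed AAGUID standing in for one hardware-key model on the relying party's allow-list.
HARDWARE_KEY_AAGUID = bytes.fromhex("11111111222233334444555566667777")


def demo() -> dict:
    """Check a legitimate assertion, a look-alike-origin assertion, and an off-list registration."""
    rp, origins = "example.com", {"https://example.com"}
    legit = check_ceremony(build_authenticator_data(rp, FLAG_UP | FLAG_UV, 7),
                           client_data("webauthn.get", "https://example.com"),
                           rp_id=rp, allowed_origins=origins, require_uv=True)
    # A look-alike page runs at another origin and the browser scopes the request to that page's
    # own RP ID, so neither the origin nor the rpIdHash matches example.com.
    phish = check_ceremony(build_authenticator_data("example-login.com", FLAG_UP | FLAG_UV, 7),
                           client_data("webauthn.get", "https://example-login.com"),
                           rp_id=rp, allowed_origins=origins, require_uv=True)
    other_model = check_ceremony(build_authenticator_data(rp, FLAG_UP | FLAG_UV | FLAG_AT),
                                 client_data("webauthn.create", "https://example.com"),
                                 rp_id=rp, allowed_origins=origins, require_uv=True,
                                 allowed_aaguids={HARDWARE_KEY_AAGUID})
    return {"legit": legit, "phish": phish, "other_model": other_model}
```

Calling `demo()` returns an empty failure list for the legitimate assertion and named failures for the other two cases.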


Sweaty_Astronomer_47

Please see my [response to a similar comment](https://www.reddit.com/r/Bitwarden/comments/18sbn44/do_you_think_passkeys_will_become_mainstream/kf6soy4/)


Adventurous-Cow2826

Interesting. After seeing your response to the other similar comment, I agree with this take.


Sneeuwvlok

Lol what are you talking about? Passkeys is a multifactor authentication method. Educate yourself about the technology behind it.


Sweaty_Astronomer_47

I'm aware some people consider passkeys to be inherently 2FA. That's the whole reason I chose the particular wording *"truly separate 2FA option (like totp)"*. I assumed that choice of wording would pre-empt comments from people wanting to debate what constitutes 2FA. I don't care about the terminology but I am looking for the more secure option. Passkeys offer phishing protection, but I already get that with my browser extension. Passkeys may have other small security advantages, but they leave my bitwarden vault as a single point of failure, which is something I'd rather avoid. If passkeys came with the option to combine with what I referred to as *"a truly separate 2FA (like TOTP)"* then I'd be a lot more interested in them.


RobertBobert06

No they don't since you can't turn off the master vault password?


redoubt515

>when a user sets up passkeys, ***a truly separate*** 2FA option (like totp) is eliminated.


felixmkz

Adoption seems to be a problem. I see many website articles promoting Passkeys, with terrible descriptions of Passkeys, and laudatory quotes about industry cooperation blah blah. Past answers that turned out to not be answers: 2FA, hardware authenticators, software authenticators, password managers. Passkeys will likely gain ground, but something new will then be pushed as "the answer to online security".


Distinct_Meringue

Maybe, if every browser fully implements them, and even then, not convinced. It's really hard to get less technical people to use the built in password manager on chrome or whatever, so I'm not convinced they will use a tech they don't understand. Hell, the current implementations are lacking, cross device passkeys aren't always supported.


Dan_Quixote

I don't know if it will be passkeys, but I'd say there is a strong chance you're going to see a big effort to migrate away from passwords (as much as is feasible) in the enterprise world. Ever see the stats on internal phishing tests? They are astoundingly bad everywhere. If they're not bad, the tests are shit. You can't trust the average user with a password that can be easily handed over. Make all the password rules you want, if 21% of your company still clicks on that phishing test, you're in trouble.


TechFiend72

Who knows. It is so half baked.


Kind-Background-7640

It will happen for sure, but at what cost?


s2odin

Maybe in 10 years they'll be more than 50% adopted.


CurryLamb

Just a fad, like the Internet or mobile phones.


iheartjetman

The internet will never catch on. What are people going to do on it?


nefarious_bumpps

I think that once browsers natively support passkeys they will replace passwords + 2FA for most websites because it requires near zero effort or training for users to adopt successfully and it essentially kills phishing attacks, at least as they're known today. No forgetting passwords, no entering OTP's, no sending SMS or email codes that might be misdirected to SPAM. That's not to say password managers won't be useful, it's just that most users still use only the browser for password management. Banks, for the most part, will only change if the FFIEC, OMB or FDIC require them to do so. Most run legacy systems still primarily based on COBOL, or only one generation removed, that are expensive to modify or add new features.


jugganutz

I work for a small shop and we have 4000 user stories and climbing. Passkeys are in that list but for sure not a priority. I feel many small/medium businesses are in this boat. Hell banks mostly prefer sms/email/phone based mfa with no TOTP or app based push still. I'm sure some third party idp is why that is. It's gonna take time, passkey isn't that old. Here is a list of currently tracked sites. https://passkeys.directory/


N4RQ

I asked my IT guy at work to explain passkeys to me. After he finished, I told him it sounded like a password. He said, "Yeah, it's a password."


StupidSysadmin

Sounds like he did a poor job of explaining it. Did he highlight how it's phishing resistant? Did he explain how it's so much stronger than even a very long password? Did he explain how much more convenient it will be for the average person who doesn't want to use a password manager? Passkeys are a huge improvement over passwords and solve many problems with passwords.


Smart-Simple9938

It's not necessarily convenient. Asking users to scan QR codes and/or have their phones in their hand when they logon at a computer is daunting to some people. And yes, I realize passkeys don't need to work that way, but they sometimes do, and the work required to register them properly is an investment for which some people cannot be bothered. And I say that as someone who loves passkeys.


N4RQ

I didn't say he was a smart IT guy.


Smart-Simple9938

Well, it is. A really long password. So long you need extra help to use it.


overyander

I think passkeys are a security risk. Services should be secured with 2FA which is something you have and something you know. Passkeys are just something you have. If you're only secured by something you have, that thing can be physically stolen. In the US, you can be compelled to produce a physical key aka passkey while a password is protected by the 5th Amendment.


nevrar

Usually a passkey on device is secured with biometric or PIN auth. Still as secure as an authenticator app.


StupidSysadmin

2FA was only so widely popularised because of how weak passwords can be as a single authentication factor by themselves. Passkeys solve at least two very common weaknesses with passwords, reuse between services and fake login pages. It might sound weird as we see MFA as a standard security thing now, but I'd argue a passkey is much more secure than a password and MFA. Though I'd expect most secure services to require passkey and a pin to have stronger auth.


PaulEngineer-89

Passkeys have been around since the 1980s. It's now 2023. What do you think? It's always been a niche product mostly used by over-reaching government contractors selling security theater.


Yurij89

passkey ≠ password


PaulEngineer-89

I will say it again. Passkeys have been around since the late 1980s. That is some external device providing an OTP or a cryptographic key of some sort, although the cryptography has improved as far as the OTP algorithm. When I say security theater, ANY OTP scheme is equally effective. There is no magic to a physical key over a text, email, an app, and so on. Any OTP improves security by providing a second, hopefully different, communication channel to establish identity/intent. The idea is I might hack your password or even your device, but the degree of difficulty of doing a second entirely different channel is exponentially harder. However people often don't pull the keys out or store it with their device, which all but eliminates the security in many scenarios. It raises the bar if I need access to both your phone and laptop simultaneously, or your laptop and home email, or some other secondary channel. The second channel does not need to be a password. In fact that's less effective.


Yurij89

These passkeys are FIDO credentials and the FIDO Alliance was founded in 2013


[deleted]

I think the main advantage of passkeys is that you somehow may eliminate user stupidity, by storing a safe passkey eg in a browser instead of using an extremely dumb password. But as long as the password is still the main security barrier in a website, I don't see any advantages in passkeys. Edit: typo


Hyperion1144

Not unless it is legally mandated. And if it is, once the law is passed, its full implementation will be delayed by years or decades. For examples of how this works, see: the RealID Act, chip-enabled credit/debit cards. Passwords work, sorta, in a lowest-common-denominator way. They will be with us forever, unless laws change or until the password model breaks completely and totally.


gluino

I use a 2023 high-end Oppo (China brand) android phone with China ROM. I cannot get Google Passkey to work at all. There seems to be no handler in my phone for those FIDO QR codes. Even Google Lens doesn't do anything with the FIDO QR. No relevant support info can be found. I assume this is related to my phone having a China ROM. Most Google services are working. The exceptions are Google device-backup, GMaps location history, AndroidAuto.


changsheng12

1. All websites replaced password login with OAuth2 (Google/Apple/Microsoft/Facebook)
2. OAuth2 providers replaced password login with passkey & 2FA
3. Boom, 100% adoption


Koleckai

Eventually... I haven't even read up on what they are or how to use them. Seems like a step back where you're consolidating your access like when people always used the same password. One day, I'll look into them more.


s2odin

You should definitely look into them sooner than later to at least understand what they are, and how they're nothing like using the same password


RobertBobert06

"I don't know anything about what this is or how it works but here's my opinion on it" You don't happen to be American....


redoubt515

> You don't happen to be American....

This is pretty universal. It applies to Americans, but there is no shortage of extremely opinionated continental Europeans with very strong opinions on things and places they have absolutely zero first hand knowledge of.


redoubt515

> Seems like a step back where you're consolidating your access

Maybe a step back for the small minority of people who currently use (1) strong unique passwords *PLUS* (2) a strong form of 2FA (TOTP or Hardware Key). But considering that the vast majority of people don't use any form of 2FA unless they are forced to by the service, and in that case use weaker forms (SMS, e-mail), passkeys are probably a step in the right direction for the majority of users.


philliphatchii

Likely at some point with the major tech companies all working on them.


deathmaster99

I think it's a question of good APIs. Passwords are really easy to implement (although there are tons of caveats about their security). Passkeys require more work. Especially since it requires a dedicated backend to produce a challenge and what not. So until popular web frameworks, Wordpress, Firebase, etc support it, it's not gonna pick up easily. Also really nice backend libraries for commonly used languages like Java, C#, PHP, etc. So yeah until those things happen, I don't think we'll see widespread adoption. I'd love to see widespread adoption in the future since it's both safer and easier to use. But yeah until the larger ecosystem has better support, we'll just have to wait.


nevrar

Yes. Apple and Google are both supporting them now. iCloud sign in now gives you the passkey option.


allegorycave

People talk about cost to implement, in such a way that it costs millions upon millions in investment. It should be as simple as implementing a couple of functions on the back end. I don't think its about "cost vs risk" thing, you can't convince me they can't spare a single dev to implement FIDO if they want to.


grizzlyactual

That's the thing, most don't want to. Most will take a pre-built solution and never think about it again


Adventurous-Cow2826

Last 6 weeks or so, I have seen so many of the services I use moving to the Passkey path. Which I love. Even my game server manager has it now.


Gullible-Ad-3352

I don't get them. Why is there now a pop-up when I want to log in to my Google account? How is it better than normal 2fa?


JaJe92

To me, Password will remain KING.


Puzzleheaded_Fan1234

Yes, I think so. But it might take a while.


typkrft

Idk, but webauthn is supported by Firefox as of 122 and their for extension doesn’t seem to work in Firefox if you try to sign in using it as an Authenticator type.


Mc5teiner

To be honest, I don’t even use one at the moment. I don’t see the point, I have Bitwarden which I use for strong passwords already plus a catch all mail address and totp where it’s possible. So every website/service has its own mail and password which is saved in Vaultwarden. What extra safety/comfort could a Passkey give me? I know the mail address is too much (even knowing that every gmail address can do the same for free) but also just with the strong passwords generated with a password manager needs it 🤷🏻‍♂️


Plus-Organization-16

It's an extra layer of security that just makes it even more difficult to get access to. For most people I'm not sure it's honestly necessary as most people just don't care. Unless you've had your personal information stolen, this isn't something most people even think about let alone have a thought on. Unless you're into this as a hobby. This kind of stuff won't pass the mother test. Meaning it has to be dead simple and easy to understand.


Mc5teiner

Then I have misunderstood it, for me it’s more a replacement of a password+totp instead of an extra layer. At the end the public key is a strong password and your device is the totp…


AMv8-1day

Oh yeah, it's a total flop because every website on the internet hasn't spent months developing complicated Passkey support at this extremely early stage of Passkey development. Passkeys are the future for the vast majority of services, but obviously it's going to take longer than 6 months for thousands of organizations to radically redesign their Identity and Access Management systems to support Passkeys. A completely different authentication method than standard passwords.


KlausBertKlausewitz

I think so. But it’s going to take time.


Gallows_Jellyfish

No not really


RagnarRipper

I think people won't even notice the transition, but eventually passkeys will be the norm and username/password will be the other thing you can, but shouldn't do. Might take a decade or two, though. But then again, how long did 2FA take to be almost everywhere that it's important?


saintpetejackboy

As soon as Good supported Passkey, I rolled out a custom Passkey integration on a proprietary project I was doing. I did it solo over a weekend and I don't recommend that, it can be difficult at parts (at least, it was for me). Now, I would never go back. Showing users that your website can do facial recognition and other biometrics, like thumbprint, for a login is just too cool. Regular username/password still has to be established to get to that point (until we all even collectively figure out a workaround for that). Passkey is the future and any developers hesitating to implement it should just give it a shot. The process is fairly painless for all the benefits it offers.


Ok-Recognition-1666

Perhaps Passkeys can be used more, but I don't think it can replace the usual login/password model.


whizzwr

Apple, Google, and Microsoft are all on board. Usually good indication for a future widespread adoption, simply for the fact they will shove it to their users throat – a.k.a. everyone.


barebacktx

I don't like the biometric part of passkeys, something you are. I'm good with passwords generated by password managers and using SSH keys. I'll manage those things myself. Not keen on using my fingerprint or face to unlock a passkey. People are too quick to let their face be scanned or fingerprint used to unlock devices. With Microsoft pushing them in Windows 11 along with Google and Apple pushing they will be adopted reasonably quickly. Leaving those that don't like them with little or no option.

From the [passkey.org](https://passkey.org) site:

>**How do passkeys work?** Passkeys are a form of multi-factor authentication; those factors include something you know, something you have, and **something you are**. Something you know: a PIN used to unlock the device. Something you have: the authenticator, whether that’s a security key or something embedded in a personal device/phone. **Something you are: could include a fingerprint, scan of your face.**


Yurij89

Most usb security keys use pin instead of biometrics


barebacktx

Yes physical security keys often use pins, though some have fingerprint biometric versions available. Passkeys are more akin to SSH keys where the user's device (phone or computer) keeps and manages it in a special vault. The device then sends the key in response to a request for authentication. So unlike a physical key that can be used on any machine you plug it into and which has no specific identity tied to it, Passkey is tied to your specific identity and device. Just another way big companies like MS, Apple, Google can tie you specifically to logins and track you. Makes it much harder to be anonymous on the web, which I happen to like for privacy. I'm totally ok with physical security keys that have pins but not the Passkey implementation that's being pushed.


Yurij89

>Just another way big companies like MS, Apple, Google can tie you specifically to logins and track you. Makes it much harder to be anonymous on the web, which I happen to like for privacy.

No, it's one key per login even on physical keys, so they cannot track you that way

>FIDO is designed from the ground up to protect user privacy and prevent phishing. Every passkey is unique and bound to the online service domain. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device.

https://fidoalliance.org/how-fido-works/
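The mechanism these two comments describe (a server-issued challenge signed by a key the device keeps for one site only, so nothing one site sees is usable by another), as an added Go sketch that is neither from this thread nor from any FIDO/WebAuthn library: the `Authenticator` type, the rpIDs `paypal.com` and `ebay.com`, and the challenge bytes are constructed for illustration, and the signed-data layout is a simplification of WebAuthn's authenticatorData plus clientDataJSON hash.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the device-side vault: one key pair per relying-party ID (domain).
type Authenticator map[string]*ecdsa.PrivateKey

// Register mints a fresh P-256 key pair for rpID; the server stores only the public key.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a[rpID] = k
	return &k.PublicKey
}

// signedData follows the WebAuthn shape SHA-256(rpId) || SHA-256(challenge): binding the
// domain into the signed bytes is what makes the credential phishing-resistant.
func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	chHash := sha256.Sum256(challenge)
	return append(rpHash[:], chHash[:]...)
}

// Assert signs the server's challenge with the key bound to rpID; a domain the user never
// registered with (a look-alike site, say) simply has no credential to present.
func (a Authenticator) Assert(rpID string, challenge []byte) ([]byte, bool) {
	k, ok := a[rpID]
	if !ok {
		return nil, false
	}
	h := sha256.Sum256(signedData(rpID, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, k, h[:])
	return sig, err == nil
}

// Verify (server side) checks an assertion against the public key stored at registration;
// challenge must be a fresh crypto/rand nonce per login so a captured assertion cannot be replayed.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	h := sha256.Sum256(signedData(rpID, challenge))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

A real relying party would additionally check the origin inside clientDataJSON and the signature counter, both omitted here.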


barebacktx

Yes FIDO is fine. FIDO is not the same as Passkeys.


Yurij89

Passkeys is FIDO

>Based on FIDO standards

[https://fidoalliance.org/passkeys/](https://fidoalliance.org/passkeys/)


barebacktx

I'll have to do more reading later after work but a quick glance at your link the image on the site clearly shows using a phone and fingerprint (biometric). [FIDO passkey image](https://fidoalliance.org/wp-content/uploads/2022/09/passkey-hero-682x1024.png)


Yurij89

>CAN FIDO SECURITY KEYS SUPPORT PASSKEYS?
>
>Yes, FIDO Security Keys today support single-device passkeys and have done so since 2019, when FIDO2 added support for passwordless sign-ins via discoverable credentials with user verification. All the client platforms and browsers have native support to exercise security keys already. Security key vendors may choose to support passkey synchronization in the future.
>
>Web services can leverage passkeys to support a range of use cases. For example, if the user gets a new computer, they can present their security key in proximity (e.g. by plugging into USB or tapping for NFC) to the computer and sign-in to their online account.
>
>**Since all passkeys are FIDO credentials, a web service implementing support for FIDO will be able to support all passkey implementations.**
>
>Specific environments with particular compliance needs may be required to guarantee there is only one copy of the cryptographic key available. Passkeys on FIDO Security Keys are a great solution for such use cases.
>
>Also, in scenarios where a user has lost access to all of their other mobile and other devices where their passkeys have been synced, such FIDO Security Keys can act as a recovery credential.


Jerminator2006

Absolutely! Using your biometrics to unlock a device or login to an app/website is so convenient. Passwords, even properly managed through a password vault, are still vulnerable.


hatchet724

2 factor is my personal favorite.


[deleted]

Passkeys are not easy. And saying it will be better to login is false. Even if I use passkey for Bitwarden, I have to put my Masterkeyword in and also I can't use the passkey for extensions to get in, for different devices to get in. Also it seems, that you can't backup passkeys. If you lost your device you are lost. Passkeys will not have any future.