- cross-posted to:
- protonprivacy
- cross-posted to:
- protonprivacy
- Big Tech has implemented passkeys in a way that locks users into their platforms rather than providing universal security
- Passkeys were developed to replace passwords for better account security, but their rollout by Apple and Google has limited their potential
- Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.
like an encryption key? or cookies? I’ll try to look up how they work
They’re the private half of a public/private key pair, much like how you make encrypted connections to websites.
The gist of passkeys are that the secret you’re using to login to your accounts is stored on your device (Or in your password manager) and is never sent to or stored on the server. So if a website you have an account on is breached, unlike with a password, your passkey can’t be stolen, because they don’t have it.
Similarly, your passkey can’t be phished. If a malicious actor directed you to a fake login page and you didn’t notice and entered your password into the fake login form, they now have stolen your password. But because your passkey is not sent to the server like a password, the fake login page wouldn’t get anything.
And because your passkey isn’t something you have to remember, you can’t create an insecure one like with a password, and you can’t reuse the same one for different accounts.
I can wrap my head around the secret being stored in your device, but what happens when you go to a different device?
Let’s say for example, I am at my friend’s house, and for one reason or another, I don’t have my phone. My Gmail account is passkey locked, but I need to check my email from my friend’s laptop. Would that require that I install passkey on their laptop, and log in to my passkey account? Does that also mean that if I forget to log out of passkey, they can access all of my accounts correlated with my passkey account? If that’s the case, what happens if my passkey account is compromised? All of my accounts are linked to a single point of failure?
A friend of mine had to break out some kind of USB dongle to log into his Google account on a new machine the other day. Is that a form of passkey? What happens if that dongle gets lost/stolen/broken? Or what if you just forgot it at home? Are you SOL?
I am all for more security and less password remembering, but I hop around a lot of computers.
If you need to log into your friend’s laptop to check your email, you would need your phone or some other passkey you had set up for your account, yes, as long as that was the only login method you have setup on your account. If you don’t have your phone, you might not be able to pass the two-factor steps or account login location checks many accounts. If Google finds the new login attempt suspicious for some reason, it will ask for additional checks like a code sent to your email or through a text and you may not be able to log in with just the password anyways. Just because you have the right username and password, it doesn’t mean that a service may let you log in without access to some kind of other trusted information accessible on an existing device.
Overall though, think of it like forgetting your physical keys.
Yes, the same as if you had left your physical keys there and those keys provided access to all your accounts. There may be some technical protections like the timeout until it locks on a password manager but that’s up to the password/passkey manager app to implement and for the OS to guarantee the security of. It’s no different from loading up your password manager on the device. If you don’t trust the device or the owner of the device, you should not access your password/passkey manager on it.
The same thing that happens if your password manager is compromised: you secure it (rotate encryption, create a new database, however you want) and then you set about updating new passwords and passkeys for your accounts. That’s why it’s recommended to only have your actual password/passkey manager on something you trust (your phone, your computer, etc) and use that device as the passkey for whichever other device your logging into rather than loading up your password/passkey manager on each device you’re logging into.
It’s a form of WebAuthn credential most likely, yes. Passkeys aren’t actually entirely new in how they can be used with accounts, the standards have been there for a while now. It’s mainly just a unified marketing from the big players as well as developing an ecosystem around it the standard such as the protocols for using a phone via Bluetooth as a passkey on a desktop/laptop to log in and other things like syncing the passkeys between devices using their existing password manager services for user convenience (so that the average person can actually use them). Under the hood it’s still WebAuthn for the actual authentication. Hardware security keys that connect via USB, Bluetooth, or NFC have been around for a while but have usually operated in nonresident key mode where they’ve been used for second factor authentication. Nonresident key mode has the advantage of storing the private key in an encrypted format with the website or service your logging into, meaning that the actual hardware key doesn’t need to have any storage capacity and can work with an infinite number of sites. This has the disadvantage that you have to provide a username (and typically a first factor like a password) to lookup which keys should be used (ie the ones associated with a specific account). That is probably how your friend logged in with a USB dongle. WebAuthn credentials that operate in resident key mode like passkeys do on the other hand store both the information related to identity and authentication, meaning that all you have to do is select the account you want to log into. This requires that they are stored on a trusted device like a phone, a laptop, or a hardware security key dongle that has storage.
Again, the same thing that happens when you forget your physical keys for your car or home. You can’t access the thing protected by them until you go get them. The alternative is to bypass the normal authentication workflow and work around it, such as with an account recovery process (similar to getting a locksmith to get back into your car or home).
Then you’d probably like being able to log in by just unlocking your phone and confirming things, rather than having to go through a password lookup and one time code entering process each time.
Cool, thanks for the info. This is something I have wanted to setup for a little while now, I just didn’t understand all of the nuances.
Yes but you would not want to do that. I can’t imagine a scenario where you could make it to your friends house without your phone, and also need to check your email so bad that you borrow their laptop, but in that case you would not be able to log in. Unless your passkey for that service is stored in your password manager, in which case you’d have to log in to that first.
There is no “Passkey account”, it’s not a service or an app. It’s a file stored either on your device or in your password manager.
I already brought up that you have no “passkey account” to compromise, but if your passkey was somehow stolen, the only thing compromised would be the service that passkey is for.
You can get hardware devices to store passkeys on, yes.
If it’s lost or stolen you’d want to make new passkeys yes. If you forgot it at home, you wouldn’t be able to log in if the hardware device was the only thing you had a passkey stored on.
I wonder how often you truly forget important every day articles at home, despite you needing to get connected to things at a moments notice. I don’t think I’ve forgotten my phone anywhere once in the last 15 years.
The thing is, all these scenarios you’re coming up with are no different for passkeys than they are for complex, unique, secure passwords. It sounds like your usual MO is being able to recall your password (In the case you’ve forgotten your phone and are in a borrowed device), which means your passwords likely aren’t secure, and you’re probably reusing them, which is more of a “single point of failure” than passkeys ever could be.
Honestly, my advice to you is before you even start considering passwords vs passkeys, you need to fix yourself up man. You need to get your shit together a lil bit.
Exactly like an encryption key. Here’s a video from Security Now with Steve Gibson (a well known security researcher) who explained it in a fairly approachable fashion. That link should start at the beginning of that segment, about 1:31:00 in.
Here is an alternative Piped link(s):
Security Now with Steve Gibson
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.
Asymmetric cryptographic signing keypairs. An ECDSA variant is used to create and validate signatures. Your device creates a unique keypair per domain you register on. It only sends signatures, which doesn’t reveal what the secret key is, and each signature is based on a single use challenge value.