#passkeys

danie10@squeet.me

Passkey portability is what the password-less future needs: FIDO Alliance standard coming

Smartphone showing bold blue, red, yellow and green diagonal bars across the screen. In the centre is a pop-up window stating "You can now use your passkeys to sign in". Below it is a graphic showing a yellow key on a keyring, and a blue tick symbol.
Just like your house key, passkeys are unique to the lock they go in, at whatever service they were set up to unlock. That could be your bank, your social media account, your email provider, or a website like XDA. Unlike passwords, there’s nothing to remember, nothing to type into a fake website in a phishing attack, and nothing that could be reused across several accounts. Given what we know about users and their security hygiene, this can only be a good thing.

Passkeys aren’t the only way toward a passwordless, more secure future, but they’re one of the best ways to reduce user error completely. They won’t work on any website other than the one they were generated for, they can’t be copied or reused, they won’t work on a stranger’s device, and they can’t currently be moved between users. That last point is also one of the issues because they’re currently locked to the operating system or password manager that created them.

That’s a problem, because you might have generated it on the wrong device, or want to move it to your new password manager, and that’s just not possible right now. There are standards for the passkeys, but the easiest way currently to move a passkey to another storage provider is to delete it and make a new one with the new service.

Yes, this is pretty essential to passkeys being adopted as mainstream. It’s an advantage that passwords have, as they can be exported from one service to another quite easily. So, although for example Bitwarden is fully cross-platform, what if you want to leave Bitwarden and have your passkeys in a different password manager? Or if you want to leave the Apple ecosystem and take your passkeys to an Android device?

This is why Apple, Google, Samsung and some others rushed to get passkeys out as quickly as possible, because they knew it would lock users into their ecosystem. Many of us waited for cross-platform services to adopt passkeys, but even so, you can’t easily leave that service with all your passkeys.

So an open and secure standard for transfer of passkeys is really important. Such a standard will mean not only being able to export (and backup) but to also import elsewhere.

See xda-developers.com/passkey-por…
#Blog, #passkeys, #security, #technology

danie10@squeet.me

Proton Pass now supports passkeys on all devices and plans: Beating Bitwarden to mobile devices

Popup window with title Passkey, and itemises information underneath such as username, domain, key, and created date.
Passkeys are an easy and secure alternative to traditional passwords that can help prevent phishing attacks and make your online experience smoother and safer.

Unfortunately, Big Tech’s rollout of this technology prioritized using passkeys to lock people into their walled gardens over providing universal security for everyone (you have to use their platform, which often does not work across all platforms). And many password managers only support passkeys on specific platforms or provide them with paid plans, meaning you only get to reap passkeys’ security benefits if you can afford them.

They’ve reimagined passkeys, helping them reach their full potential as free, universal, and open-source tech. They have made online privacy and security accessible to everyone, regardless of what device you use or your ability to pay.

I’m still a paying customer of Bitwarden as Proton Pass was up to now still not doing everything, but this may make me re-evaluate using Proton Pass as I’m also a paying customer of Proton Pass. It certainly looks like Proton Pass is advancing at quite a pace, and Proton has already built up a good reputation for private e-mail and an excellent VPN client.

Proton is also the ONLY passkey provider that I’ve seen allowing you to store, share, and export passkeys just like you can with passwords!

See https://proton.me/blog/proton-pass-passkeys
#Blog, #opensource, #passkeys, #ProtonPass, #security, #technology

danie10@squeet.me

Bitwarden begins adding passkey support to its password manager

Woman typing on a silver colour laptop
Although Bitwarden now supports storing and logging in using passkeys from its browser extensions, it’s not currently possible to store passkeys in the company’s mobile app. According to Bitwarden’s FAQ, this feature is “planned for a future release.”

Finally, it arrived for me today on Bitwarden. Seems to work seamlessly enough, as the extension pops up automatically when you choose to add a passkey on a website. For sites with multiple logins, it prompts you to select which one to use.

The theory, for me at least, is that I can use these passkeys across all my OSes and devices (when mobile support is finally added). In the meantime, for mobile, the normal ID and password still work as before.

See https://www.theverge.com/2023/11/2/23943173/bitwarden-passkey-support-released-browser-extension
#Blog, #bitwarden, #passkeys, #technology

danie10@squeet.me

Password manager Bitwarden will soon also be able to store passkeys, but here’s why you may want to wait a bit with passkeys

A padlock with 1s and 0s behind it
I did a post a few weeks back speculating around the same issues but listening now to Steve Gibson talking on the Tech News Weekly episode 284 podcast at https://twit.tv/shows/tech-news-weekly/episodes/284 has reinforced my thinking about passkeys.

Yes, Google, Apple, etc. are trying to get their users to adopt THEIR passkey management systems as quickly as possible, as it essentially locks you into their authentication (and eco) system for now. Even these two companies are implementing passkeys slightly differently (single synced key vs per device), and unlike today, where you can easily export your passwords from one password manager to another one (migration), it is not at all clear yet how this may happen with passkeys (if at all). I have over 700 passwords and there is little chance of me migrating those one by one to a different authentication system.

Just based on how Apple’s and Google’s approaches to passkeys differ, we can also see some differences in how we’d use them, so I’d like to make a more informed decision before I just jump in. As Steve says, passwords are still going to be here for quite a long time, so there is no rush to jump into using passkeys (as long as you use secure and unique passwords, along with good 2FA). While backup passwords still exist for passkey sites, they are still only as secure as that weakest link.

So, yes, Bitwarden too will be rolling out their passkey implementation in 2023 (see https://www.ghacks.net/2023/05/24/password-manager-bitwarden-will-soon-be-able-to-store-passkeys/ without any firm date) and I’ll first have a good look at how they plan to implement it too. I do prefer something like Bitwarden (or similar) where it is a purely cross-platform implementation not tied to a particular vendor (apart from Bitwarden yes, but then you can also host their open-source solution yourself if you really wanted to). Personally, I would not use Apple’s system as I have twice switched away from using an iPhone, and I’m not getting locked into an ecosystem specific solution for that reason.

Bottom line though is there is no rush, and jumping in now with whoever you choose is going to be your bedfellow for the foreseeable future, unless you only have 5 site passkeys to worry about. Passkeys are certainly an excellent step forward for online authentication, but it is the when and with whom that I’m more concerned about.
#Blog, #bitwarden, #passkeys, #security, #technology

rixty_dixet@squeet.me

#ThisWeekinSecurity: #Oracle #Opera, #Passkeys, and #AirTag #RFC

There’s a problem with Opera. No, not that kind of opera. The Oracle kind. Oracle OPERA is a Property Management Solution (PMS) that is in use in a bunch of big-name hotels around the world. The PMS is the system that handles reservations and check-ins, talks to the phone system to put room extensions in the proper state, and generally runs the back-end of the property. It’s old code, and handles a bunch of tasks. And researchers at Assetnote found a serious vulnerability. CVE-2023-21932 is an arbitrary file upload issue, and rates at least a 7.2 CVSS.

https://hackaday.com/2023/05/05/this-week-in-security-oracle-opera-passkeys-and-airtag-rfc/

danie10@squeet.me

Google accounts now support passkeys to replace your password and 2FA: Expect teething problems though

Phone held in the hand with a large G symbol on the screen, denoting Google
Starting today, Google users can switch to passkeys and ditch their passwords and two-step verification codes entirely when signing in.

Passkeys are a safer, more convenient alternative to passwords being pushed by Google, Apple, Microsoft, and other tech companies aligned with the FIDO Alliance. They can replace traditional passwords and other sign-in systems like 2FA or SMS verification with a local PIN or a device’s own biometric authentication — such as a fingerprint or Face ID. This biometric data isn’t shared with Google (or any other third party), and passkeys only exist on your devices, which provides greater security and protection since there’s no password that could be stolen in a phishing attack.

I’m still holding off on this until my own password manager has a working solution (Bitwarden announced today their solution is being worked on). But for me numerous questions still remain, despite this undoubtedly being a more secure solution:

  • What happens if your passkeys are on your primary device, and you lose that? Hopefully everyone has their passkeys backed up and is able to retrieve and actually use them.
  • How do you log into the service to disable lost passkeys, if the passkey is your access to the service?
  • Users get locked into a specific passkey service and then want to leave for another one, e.g. an iPhone user decides to move to Android.
  • If passwords are the weakness, they should be completely removed from a service, otherwise they remain just as risky as if you were using them still. Passkeys will only be as secure as any fallback method, e.g. if a provider uses SMS for backup, then you are running the same risks having SMS as if you were using SMS 2FA.
  • Security has always been a trade-off against convenience, so a lot of basic user education is going to be needed otherwise we run the risks of either having risky fallbacks, or many users will be locked out of their accounts. An account is either secure, or it is not. ‘Marketing messages’ don’t create the security.

See https://www.theverge.com/2023/5/3/23709318/google-accounts-passkey-support-password-2fa-fido-security-phishing
#Blog, #passkeys, #security, #technology

danie10@squeet.me

1Password, Dashlane, LastPass, and now also NordPass, already have support for Passkeys

Hand holding a smartphone. On the screen is the NordPass app listing a few websites.
NordPass explains that using Passkeys with its system is superior to using “alternative systems,” because it allows for syncing between cross-platform devices, offers better passkey-sharing options, and grants instant portability between operating systems. This means that if you use multiple devices in different ecosystems, such as a Windows Laptop and an iPhone, you can use your Passkeys more easily.

They are dead right about needing cross-platform support for passkeys (unless you know for sure you’ll never be moving off your existing OS, or even sometimes using a different one), but they won’t be the only ones supporting cross-platform.

You will have a challenge with cross-platform support though if it is a solution that only works on iOS or Windows for example. Passkeys are not like passwords, where you can just retype them into a different machine. So you certainly want to give a bit of thought before making your choice as to what to use as your passkeys manager.

If you are already on Bitwarden, for example, just wait a bit until they release their passkeys solution. There is no immediate urgency.

See https://www.reviewgeek.com/148532/another-password-manager-announces-support-for-passkeys/
#Blog, #NordPass, #passkeys, #security, #technology