“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.

  • nevemsenki@lemmy.world
    link
    fedilink
    English
    arrow-up
    139
    arrow-down
    8
    ·
    2 months ago

    If the passkeys aren’t managed by your devices fully offline then you’re just deeper into being hostage to a corporation.

    • unskilled5117
      link
      fedilink
      English
      arrow-up
      39
      arrow-down
      3
      ·
      edit-2
      2 months ago

      The lock-in effect of passkeys is something that this protocol aims to solve though. The “only managed by your device” is what keeps us locked in, if there is no solution to export and import it on another device.

      The protocol aims to make it easy to import and export passkeys so you can switch to a different provider. This way you won’t be stuck if you create passkeys e.g. on an Apple device and want to switch to e.g. Bitwarden or an offline password manager like KeyPassXC

      The specifications are significant for a few reasons. CXP was created for passkeys and is meant to address a longstanding criticism that passkeys could contribute to user lock-in by making it prohibitively difficult for people to move between operating system vendors and types of devices. […] CXP aims to standardize the technical process for securely transferring them between platforms so users are free […].

      • nevemsenki@lemmy.world
        link
        fedilink
        English
        arrow-up
        18
        arrow-down
        2
        ·
        edit-2
        2 months ago

        That’s between platforms though. I like my stuff self-managed. Unless it provenly works with full offline solutions I’ll remain sceptical.

        • darklamer@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          15
          ·
          2 months ago

          I like my stuff self-managed.

          Bitwarden / Vaultwarden is a popular available working solution for self-hosting and self-managing passkeys (as well as passwords).

          • EngineerGaming@feddit.nl
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            2
            ·
            2 months ago

            TBH I don’t see a reason why something as simple as a password manager needs a server, selfhosted or not. I don’t get the obsession with syncing everything, so would rather stick with normal KeepassXC.

            • Synestine@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              7
              arrow-down
              1
              ·
              2 months ago

              Have you never lost your password device (phone, laptop, etc) suddenly and unexpectedly? That’s when you really want that file synced somewhere else. But then it’s too late. Bonus on many password vault servers is shared folders, so one can share their garage door code with the family but keep the bank account details to oneself.

              • EngineerGaming@feddit.nl
                link
                fedilink
                English
                arrow-up
                5
                arrow-down
                1
                ·
                edit-2
                2 months ago

                No, but this is very unlikely because I do keep regular backups manually. I just don’t feel the need for it to be a constantly-online server.

      • RecluseRamble@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        3
        ·
        2 months ago

        And who forces all the corps to correctly implement that protocol? Getting you locked in is in all of their interests, after all.

        • unskilled5117
          link
          fedilink
          English
          arrow-up
          4
          ·
          edit-2
          2 months ago

          I think it‘s fair to remain skeptical but the big organizations were part of the development, so there seems to be some interest. And it‘s not always in their interest to lock users in, when it also prevents users from switching to their platform.

          Development of technical standards can often be a fraught bureaucratic process, but the creation of CXP seems to have been positive and collaborative. Researchers from the password managers 1Password, Bitwarden, Dashlane, NordPass, and Enpass all worked on CXP, as did those from the identity providers Okta as well as Apple, Google, Microsoft, Samsung, and SK Telecom.

      • umbrella@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        not the first time i hear this though. im skeptical until proven otherwise

    • Draconic NEO@lemmy.world
      link
      fedilink
      English
      arrow-up
      13
      arrow-down
      2
      ·
      2 months ago

      That’s a great way to lose access if your device gets lost, stolen, or destroyed. Which is why I’m against and will continue to be against forcing 2FA and MFA solutions onto people. I don’t want this, services don’t care if we’re locked out which is why they’re happy to force this shit onto people.

      • nevemsenki@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        2 months ago

        Well yeah, that is true. Security and convenience are usually at odds… MFA has place, unless you don’t mind some guy from russia access your online bank account ; but I definitely wouldn’t use it on all my accounts.

        • Draconic NEO@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          2 months ago

          Yeah and since Online bank accounts can also almost always be reset if you lose the 2FA/MFA key by calling customer support, or going to your bank and speaking with themt in person, there’s almost no risk of losing access completely. It’s a service you have access to because you’re you. Something that isn’t the case with Reddit, Github, Lemmy accounts, or Masotodon. I’m not able to regain access after losing those 2FA solutions by virtue of being myself, they treat you just like the attacker in those cases. Really not worth it there, both since what is being protected isn’t worth it, and the risk far outweighs it.

          • kiagam@lemmy.world
            link
            fedilink
            English
            arrow-up
            4
            ·
            2 months ago

            Access to my main email account (outlook) is currently blocked because someone decided to try a password from some earlier leak and locked it. It can only be unlocked with SMS MFA, which I can’t use because I’m travelling abroad. There is no other way to do it. The other option they give you a form that only works if you don’t have MFA set up (it says so on the faq). I even asked someone to fill the form from my home computer so the location data matches earlier accesses, but didn’t work. You also can’t contact support without logging in. If I had lost/changed that phone number for any reason, I would lose access forever. Luckily I will be back home soon.

            • Draconic NEO@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              2 months ago

              I had a similar scary situation like that before where the phone number linked to the account wasn’t mine anymore. Luckily I was able to get back because I was still logged in on another computer and it hadn’t kicked me out yet, I was able to go to account settings and remove the phone number, then google let me log into the account again. Had I been kicked out of the account, I would’ve lost it for sure.

      • EngineerGaming@feddit.nl
        link
        fedilink
        English
        arrow-up
        2
        ·
        2 months ago

        In case the device gets lost/stolen, you should have a backup of the database that contained the passkeys. That’s why I would be only using the implementations that allow doing that easily.

    • rottingleaf@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      2
      ·
      2 months ago

      Y’all here talking so smart ignore another thing - the more complex your solutions are, the deeper you are into being hostage to everyone capable of making the effort to own you.

      Don’t wanna be hostage - don’t use corporate and cloud services for things you need more than a bus ticket.

      You are being gaslighted to think today’s problems can be solved by more complexity. In fact the future is in generalizing and simplifying what exists. I’m optimistic over a few projects, some of which already work, and some of which are in alpha.