Things I learnt about passkeys when building passkeybot
#HackerNews #passkeys #passkeybot #cybersecurity #techlearning #softwaredevelopment
Yep, Passkeys Still Have Problems
https://fy.blackhats.net.au/blog/2025-12-17-yep-passkeys-still-have-problems/
#HackerNews #Passkeys #Problems #Security #Authentication #Cybersecurity #TechNews
Hey y'all 👋 I'm Emily, but friends call me Em — spelled like the dash! Guess it's time for an #intro post.
I'm a software engineer by day, and I lead a team working at the intersection of digital identity and usability.
Functionally, this means I grew up playing around in Macromedia Fireworks and learning to make websites with the middle school librarian, and nowadays I know far too much about #SAML, #MFA, #OIDC, #Passkeys, and go to lots of meetings 😮💨
I love music (playing or listening), photography, and getting outdoors! Teaching makes me incredibly happy.
I'm also a diehard #avgeek, licensed #amateurradio operator, uhhhh, I know a lot about transit busses? Tell me about your special interests plz!
Currently learning C++ because I'm insane, and learning to draw with #Krita because it makes me happy.
My family tech support season has begun.
For elderly people, modern tech is brutal: websites keep breaking password managers (multi-step SSO forms, JS overload, domain changes). Native apps aren't any better.
"Forgot password?" links almost always bypass password managers. The PW manager ends up with an outdated password, breaking trust in the solution, and even gets accounts locked for failed login attempts.
#Passkeys don't solve the password mess for my elderly relatives.
The "scan QR code" fallback that pops up sometimes is a dead-end. They've been told to click "Deny" whenever sites suddenly ask for permissions, so they block Bluetooth access too.
They don't know or don't remember how to scan a QR code, or are baffled why something for "viewing restaurant menus" is used to log in.
Sites use inconsistent terminology for "passkey/security key/try other method", even worse in non-English.
@publicvoit @renchap @gracjan Nice try. Please watch my explanation that I sent to Renaud.
@rmondello @renchap @gracjan To my understanding, some implementations that allow migration of #passkeys to other accounts are prone to #Phishing.
https://arxiv.org/abs/2501.07380
"Another concern could be #socialengineering, where a user is tricked into sharing a passkey with an account controlled by an attacker." -> classic phishing, I'd say.
Convenience vs. #security, the usual trade-off.
According to that, roaming authenticators (classic #FIDO2 USB/NFC devices that are able to handle passkeys) are the only phishing-resistant method.
Still, Passkeys are much better than anything else (except FIDO2 HW tokens, of course) but it seems to be the case that the slogan that passkeys are 100% protecting against phishing isn't true any more.
What are your thoughts on that angle?
I gave an opening keynote at the FIDO Alliance’s “Authenticate” conference a few weeks ago! Although it featured timely strategies and tips for professionals deploying passkeys, my primary goal was to explain, as clearly as I can, why passkeys are important and how we should use them to reduce the harm that passwords cause.
YouTube link: https://www.youtube.com/watch?v=otObbUSxcqs
I’m really proud of this talk and I hope you’ll watch it and share it with others. I put care in to making it approachable while still delivering my perspective and insights to security professionals. If you don’t get the “why” behind passkeys, this talk will help fill that gap.
@rmondello great talk!
It leads to the obvious question how and when Apple is dropping the password and especially SMS 2FA for Apple Accounts. It seems to be a weak point when storing #Passkeys in the Apple Keychain. Unfortunately quite many processes are asking for a password still (without 2FA 😮) and using a Passkey for the Apple Account itself is missing.
I know you can’t comment, just to mention it… maybe it will increase some internal priority counters or something 🙃
Passkeys: They're not perfect but they're getting better
https://www.ncsc.gov.uk/blog-post/passkeys-not-perfect-getting-better
#HackerNews #Passkeys #PasskeySecurity #Cybersecurity #Authentication #TechTrends #Innovation
@iMeddles the problem is not the nature of any of the authentication devices but rather the fact that you're losing the multi in multi-factor authentication.
With multi-factor authentication, if someone steals my security key, they still need to guess my #passwords. If someone cracks my passwords, they still need to get their hands on my key.
With #passkeys, this is no longer true and all your authentication and identity is rolled into one device that if compromised, compromises everything. #MFA
This week in #FDroid (TWIF) is alive:
* website categories fixed
* calls by e-mail? #DeltaChat #ArcaneChat
* we caught up with #Catima
* last #FOSS version #DOOM #Wolfenstein #RPG
* sorry Android 5,6 and 7, #Fennec now needs 8+
* #Passkeys by #KeepassDX
* time flies, 10 years of #NewPipe
+ 8 new apps
& 131 updates
- 2 archived apps
Start reading: https://f-droid.org/2025/10/24/twif.html
So I think I'll need to read up on it a bit. I understand that "Passkeys" try to do something similar as SSH pubkeys.
But do you know a good technical explainer of what's going on and how it works?
(Yes, I could search myself but I am looking for recommendations of articles you have read that you found helpful and clear.)
EDIT: https://passkeys.io did make some things clearer.
@tante I blogged at https://karl-voit.at/FIDO2-vs-Passkeys/ about #Passkeys and #FIDO2 and, among other things, also explained why passkeys unfortunately no longer fully protect against #Phishing in more and more situations, whereas FIDO2 in my opinion very much does.
That is, hardware tokens currently provide the only watertight protection against phishing. Still, passkeys have many advantages over the usual methods such as #TOTP, #TAN via #SMS or #Email, ...
Seriously, the issue in this thread is why I think #passkeys are a ticking time bomb. Most people don't understand how they work, or that they're linked to a single device, or that they need to maintain a backup login method. Websites that support passkeys don't do enough to communicate and enforce good habits. If we continue down the passkey path, people losing access is going to be a much bigger problem in the future, and we're not ready for it. #infosec
On the weekend I managed to connect all my selfhosted services that support it to #Keycloak #SSO (single sign on).
Namely #Mastodon #Peertube #NextCloud #FreshRSS #Matomo and #grafana
Why to bother with such complication for apps serving only a couple of users?
First it's quite easy nowadays.
And second, because I want to get rid of passwords and just use #passkeys.
This is one of many examples showing that good apps should just focus on one task and just use standards to cooperate with other apps focusing on other tasks.
Peertube for example focuses on videos, not user management. I am very OK that they don't support passkeys, because they implemented the OpenID Connect standard to allow me to use Keycloak for better login options.
On the other hand, I am quite sad that SSO is often the one feature that is proprietary and reserved only for paying customers. SSO is not for huge corporations anymore. It's also useful for us, selfhosters with a couple of users.
❤️ 

Support for #keepassDX in progress 🌱 https://github.com/Kunzisoft/KeePassDX/issues/1421
Passkeys (#Passkeys) are a modern, secure way to sign in without traditional passwords. They work with biometric authentication (fingerprint or face) and use public-key cryptography to verify your identity.
How do they work?
1. When you create a passkey, your device generates a key pair:
- Private key (stored securely on your device).
- Public key (sent to the website's or app's server).
3. Verification: the server checks the signature with your public key and, if it matches, grants you access.
Advantages over passwords
✅ More secure: they cannot be stolen.
✅ More convenient: you don't have to remember passwords.
✅ Sync: they can be stored in the cloud (encrypted) for use across different devices.
If only #Passkeys were everywhere, on every server, bank, government e-service portal etc. There would be no password theft because there would be nothing to steal!