tante
@tante@tldr.nettime.org  ·  activity timestamp 2 weeks ago

So I think I'll need to read up on it a bit. I understand that "Passkeys" try to do something similar to SSH pubkeys.
But do you know a good technical explainer of what's going on and how it works?

(Yes, I could search myself but I am looking for recommendations of articles you have read that you found helpful and clear.)

EDIT: https://passkeys.io did make some things clearer.

Dan
@dan@social.coop replied  ·  activity timestamp last week

@tante an addendum to the enshittification that has taken place with passkeys from someone with first-hand knowledge: https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/

blackstream #RIPNatenom
@blackstream@mastodontech.de replied  ·  activity timestamp 2 weeks ago

@tante however, the compatibility chart (https://www.passkeys.io/compatible-devices) makes me doubt the "usable anywhere" claim

Karl Voit :emacs: :orgmode:
@publicvoit@graz.social replied  ·  activity timestamp 2 weeks ago

@tante I blogged about #Passkeys and #FIDO2 at https://karl-voit.at/FIDO2-vs-Passkeys/ and, among other things, explained why passkeys unfortunately no longer fully protect against #Phishing in more and more situations, whereas FIDO2, in my opinion, very much does.

That means hardware tokens currently provide the only watertight protection against phishing. Nonetheless, passkeys have many advantages over the usual methods such as #TOTP, #TAN via #SMS or #Email, ...

#publicvoit

xeophin
@xeophin@swiss.social replied  ·  activity timestamp 2 weeks ago

@tante I may have written about it (from a user perspective, though, not very technical): Abschied vom Passwort: wie man sich in Zukunft einloggen wird https://www.nzz.ch/technologie/abschied-vom-passwort-wie-man-sich-in-zukunft-einloggen-wird-ld.1701475?gift=34OENPvY

CryptGoat
@cryptgoat@fedifreu.de replied  ·  activity timestamp 2 weeks ago

@tante The major problem with passkeys is that Google, Apple and Microsoft abuse(d) them as a method to enforce a vendor lock-in: "Here, have this nice convenient feature as long as you stick with our accounts and devices." Now, it looks like we will be able to export passkeys from their accounts but passkey management needs to become convenient for everyone to make them an attractive alternative.

And we still lack truly free options to manage them across all devices. #Bitwarden / #Vaultwarden can do it but there is no point in using KeePass if not all platforms have at least one #KeePass client supporting passkeys.

Kind of reminds me of PGP keys, which are still a pain in the ass to manage across multiple devices, even after all these years.

Chris
@cy@chaos.social replied  ·  activity timestamp 2 weeks ago

@tante I once tried to explain it here with little pictures:
https://media.ccc.de/v/gpn22-303-passkeys-login-ohne-passwort-#t=1434

Wilfried Klaebe
@wonka@chaos.social replied  ·  activity timestamp 2 weeks ago

@tante But how to transfer them to a different device? For backup purposes, or just to not need to use the phone when at the desktop? I don't see anything about that there.

tante
@tante@tldr.nettime.org replied  ·  activity timestamp 2 weeks ago

@wonka I think that largely depends on the provider you use. Like if you store them in bitwarden/vaultwarden, they should sync, but if your browser/OS pushes them into the TPM layer on your device, that's obviously harder.

Claudius
@claudius@darmstadt.social replied  ·  activity timestamp 2 weeks ago

@tante @wonka KeePassXC and its browser extension have Passkey support. Mobile App support is still not universal, though.

With KeePassXC, you have all your passwords in a regular boring old file (encrypted, of course) and it's very easy to avoid getting locked into one of the shiny proprietary cages.

Konstantin Weddige
@weddige@gruene.social replied  ·  activity timestamp 2 weeks ago

@tante @wonka bitwarden/vaultwarden can handle that, but you generally shouldn't need to. Create a backup Passkey instead of backing up the Passkey. You can have more than one.

Passkeys aren't a 1:1 replacement for passwords. They link your established trusted environment with your account. If that trusted environment stretches over multiple devices (vaultwarden, your iCloud or whatever), great. But if not, don't compromise that security by moving the passkey around.

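To put the SSH-pubkey analogy from the opening post and the two points made above (a second registered passkey is the backup, per Konstantin's reply; the site binding is what makes a look-alike domain fail, per Karl's reply) into runnable form, here is an added toy model of a WebAuthn login. It is illustrative code written for this page, not code from the thread, from passkeys.io or from any of the linked blogs. Everything in it is constructed: the site example.test, the look-alike examp1e.test, the user name and the two devices. The signature primitive is a pure-Python ECDSA over secp256k1 standing in for the P-256/ES256 keys real passkeys usually use, chosen only so the block runs offline with the standard library.

```python
import base64
import hashlib
import json
import os

# secp256k1 parameters; this pure-Python ECDSA is a stand-in for the P-256/ES256 keys passkeys usually use.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
_b64url = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
_hash_int = lambda msg: int.from_bytes(hashlib.sha256(msg).digest(), "big")

def _add(p1, p2):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None or p2 is None: return p1 or p2
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = 3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2 else (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt):
    out = None
    while k:                                        # double-and-add
        if k & 1: out = _add(out, pt)
        pt, k = _add(pt, pt), k >> 1
    return out

def _sign(d, msg):
    while True:
        k = int.from_bytes(os.urandom(32), "big") % N or 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (_hash_int(msg) + r * d) % N
        if r and s: return (r, s)

def _verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    w = pow(s, -1, N)
    pt = _add(_mul(_hash_int(msg) * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

class Authenticator:
    """One device (phone, hardware key). Private keys never leave it and are looked up by rpId."""
    def __init__(self):
        self._creds, self.counter = {}, 0
    def make_credential(self, rp_id):
        d = int.from_bytes(os.urandom(32), "big") % N or 1
        self._creds[rp_id] = (os.urandom(16), d)
        return self._creds[rp_id][0], _mul(d, G)   # only credential id + public key go to the site
    def get_assertion(self, rp_id, client_data):
        if rp_id not in self._creds:
            return None                             # look-alike domain: nothing to sign with
        cred_id, d = self._creds[rp_id]
        self.counter += 1
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + self.counter.to_bytes(4, "big")
        return cred_id, auth_data, _sign(d, auth_data + hashlib.sha256(client_data).digest())

def browser_get(auth, page_origin, challenge):
    """The browser, not the page, fixes the rpId and the origin written into clientDataJSON."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": _b64url(challenge),
                              "origin": page_origin}).encode()
    result = auth.get_assertion(page_origin.split("://", 1)[1], client_data)
    return None if result is None else (client_data, *result)

class RelyingParty:
    def __init__(self, origin):
        self.origin, self.rp_id = origin, origin.split("://", 1)[1]
        self.users, self._pending = {}, {}          # user -> {cred_id: [pubkey, sign_count]}
    def register(self, user, cred_id, pubkey):
        self.users.setdefault(user, {})[cred_id] = [pubkey, 0]   # any number of passkeys per user
    def challenge(self, user):
        self._pending[user] = os.urandom(32); return self._pending[user]
    def verify(self, user, response):
        if response is None: return False
        client_data, cred_id, auth_data, sig = response
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != _b64url(self._pending.pop(user, b"")):
            return False                            # unknown or already-used challenge
        if cd.get("origin") != self.origin: return False                           # origin binding
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest(): return False
        if not auth_data[32] & 1: return False                                     # user-presence flag
        rec = self.users.get(user, {}).get(cred_id)
        count = int.from_bytes(auth_data[33:37], "big")
        if rec is None or count <= rec[1]: return False          # unknown key or non-increasing counter
        if not _verify(rec[0], auth_data + hashlib.sha256(client_data).digest(), sig): return False
        rec[1] = count; return True

def demo():
    rp = RelyingParty("https://example.test")       # constructed site, user and devices
    phone, key = Authenticator(), Authenticator()
    for dev in (phone, key):                        # the second passkey is the backup, not a copied key
        rp.register("tante", *dev.make_credential(rp.rp_id))
    resp = browser_get(phone, rp.origin, rp.challenge("tante"))
    res = {"phone": rp.verify("tante", resp), "replay": rp.verify("tante", resp)}   # second use is a replay
    res["backup"] = rp.verify("tante", browser_get(key, rp.origin, rp.challenge("tante")))
    res["phish"] = rp.verify("tante", browser_get(phone, "https://examp1e.test", rp.challenge("tante")))
    return res                                      # phish: look-alike page relays the real challenge and gets nothing
```

Calling `demo()` returns `{"phone": True, "replay": False, "backup": True, "phish": False}`. The phishing case is the interesting one: the look-alike page never even obtains a signature, because the device only holds a key for example.test and the browser decides which rpId and origin go into the request; the origin check in `verify` is the second line of defence should a signature over the wrong origin ever arrive. Real authenticators wrap all of this in CBOR/COSE encodings and an attestation object, which the toy skips, and synced passkeys often report a constant counter of zero, so a real relying party treats the counter check as best-effort rather than mandatory.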
Oliver Pfleiderer
@LinHead@d-64.social replied  ·  activity timestamp 2 weeks ago

@tante @wonka I am so glad people more into tech than I am have the same questions...

Emelia 👸🏻
@thisismissem@hachyderm.io replied  ·  activity timestamp 2 weeks ago

@tante maybe https://www.passkeys.io ?

tante
@tante@tldr.nettime.org replied  ·  activity timestamp 2 weeks ago

@thisismissem thank you!

Wilfried Klaebe
@wonka@chaos.social replied  ·  activity timestamp 2 weeks ago

@antijingoist From what I gather about passkeys, that's not "passkeys done right" then.

One absolutely MUST be able to have a backup passkey / trusted environment. Smartphones do get unavailable (defective, lost, robbed, ...), only being able to have one is a hard fail.

@weddige @tante

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate