Posted by todsacerdoti 7 days ago

Yep, Passkeys Still Have Problems(fy.blackhats.net.au)
192 points | 213 comments (page 3)
inerte 7 days ago
I update a spreadsheet with all my accounts and money and their values so I know my net worth and its changes, and oh boy every month getting these numbers is such a chore.

Since it's been a few days, sometimes I am logged out of either bank/traders and also the password manager.

So it's open the bank site, click on login/password, password manager browser extension asks to login. Type password manager password. It asks for 2FA. Unlock phone with face. Find app, open app, unlock app with face. Approve password manager login. Click on bank login/password again. I am in! No, bank wants to 2FA with mobile. Unlock phone with face. Open bank mobile app, unlock with face. Get code or approve login. Back to computer, type code or click approve.

Repeat that 12 times for all the accounts, and by the end of it I have neck pain with all the "pick up phone to face unlock" motions.

I am a bit paranoid so I turn on 2FA and passkeys and whatnot, but all of this makes me want to use `123password` everywhere and never change it.

XorNot 7 days ago
For me everything goes in KeePass. And the only thing I want in life is the ability to change a password from KeePass in a standardized way.

Instead we've got Passkeys and the general promise by omission that I will be banned from using KeePass to store and backup my passwords as I see fit on my own devices.

People want me to trust the corporate overlords who at every turn have practiced lock-in and rent-seeking tactics.

emadda 6 days ago
Related: I released a hosted sign-in page for passkey auth today.

Take a look:

https://passkeybot.com

cheeseburgerz 5 days ago
I'm tired, boss.
stalfosknight 7 days ago
Passkeys are a completely seamless experience on Apple platforms in my experience so far.
freehorse 7 days ago
Not that seamless if you do not want to be locked into a single platform, though. This is what the article mostly talks about.
growse 7 days ago
Why are you locked into a single platform?

I use bitwarden, Google and a yubikey for passkeys. Which of these am I locked into?

happyopossum 7 days ago
Apple has offered an “iCloud for Windows” app for ages that literally syncs your iCloud Keychain (passwords and passkeys) to a Windows box where you can use browser extensions for Chrome, Edge, etc.

You’re still not platform locked…

everfrustrated 7 days ago
The biggest problem I have with passkeys is that, being tied to a single device, you still need a flow to reset/get in _without_ the passkey. As you're only as secure as your weakest link, passkeys don't add any security.

That said, if you have a Mac with a fingerprint scanner they sure are a very convenient option.

And don't get me started on terrible vendors like Rippling that only support a single passkey! Madness.

mmsimanga 7 days ago
I dropped my phone and it literally fell apart. As a result I have been locked out of my AWS account. The "get a phone call" verification just does not work. The only saving grace is that it was an account I used to test things.
jmsgwd 7 days ago
I keep hearing it repeated, but where does this "tied to a single device" idea come from?

The default, built-for-the-masses implementation of passkeys is called "synced passkeys". They are designed to sync between all your enrolled devices, ideally using end-to-end encryption.

You authenticate with whatever device you happen to be using at the time - phone, tablet, laptop, desktop - doesn't matter. If you lose one, you replace that device and re-enroll - then all your passkeys magically re-appear on the new device.

If you're cross-platform, modern password managers work across ecosystems - for example, 1Password syncs passkeys between Mac, Windows, iOS, Android, and Linux. If you're all-in on Apple, their native passkey implementation syncs passkeys between all your Apple devices. I thought Google and Microsoft do something similar now.

It's a real mystery why people believe passkeys have to be stored on your phone only.

everfrustrated 6 days ago
If I use Windows at home (gaming), a Mac at work and Android on my phone, how exactly are these supposed to seamlessly work together?
jmsgwd 6 days ago
There are many cross-platform password managers that sync very nicely, which would solve for the machines you control - the Windows gaming machine and Android phone.

For machines you don't control, such as your employer Mac, well that's a special case. In theory you can use "FIDO Cross-Device Authentication", which is a passkey flow designed specifically for authenticating on one device using a passkey stored on a different device, and involves scanning a QR code.

I've never tried this though. Personally I tend to avoid mixing personal stuff with work stuff, so the problem rarely arises.

spencerflem 7 days ago
Because by default, they do, and you have to explicitly install software to let it be moved. And even if you do, it’s discouraged and the spec is allowed to deny you access.
timmyc123 7 days ago
This is not correct. The default credential manager on all devices except for Windows creates synced passkeys. And Windows will be changing soon.
spencerflem 7 days ago
Synced to one ecosystem though. I don’t care if Microsoft deigns to let me use it across all of my devices they own.

Passwords I can bring anywhere.

timmyc123 6 days ago
Not exactly. For example, the default credential manager on Android is Google Password Manager, which works on Windows, macOS, iOS, and Ubuntu. There are also dozens of other third party choices.
timmyc123 6 days ago
> it’s discouraged

Why do you say that? There are billions of synced passkeys being used by users with some of the largest sites and services in the world.

spencerflem 6 days ago
Last I heard, they were pushing hard for resident keys only, maybe that's changed. I don't like that there's still the option to restrict it to that in the same way having the option to force remote attestation makes me uneasy.
timmyc123 6 days ago
A passkey is a discoverable credential (aka resident key) in spec terminology. But the type of credential has no relationship to attestation (which is not used in the consumer passkey ecosystem).
spencerflem 6 days ago
Ah, my bad, I thought the distinction was resident = stored on a YubiKey/Secure Enclave/TPM and that was what made them resident.

To my credit I think YubiKey uses the term that way and WebAuthn has a different definition, but in the context of passkeys you’re right.

jmsgwd 6 days ago
Just to point out, protecting a key using the secure enclave and syncing it using end-to-end encryption aren’t necessarily mutually exclusive.

The security property you care about is that the plaintext key is only ever processed in use within the secure enclave (transiently, during authentication).

That doesn’t preclude syncing or backing up the encrypted key via a cloud service - if the device allows the application to do that.

spencerflem 6 days ago
Huh, interesting, how does that work? I thought the way YubiKeys operate the keys are generated on-device and are impossible to remove, and also come in limited number.

How do the decryption keys for the encrypted passkeys get shared between devices?

jmsgwd 6 days ago
> Huh interesting, how does that work? I thought the way yubikeys operate the keys are generated on-device and are impossible to remove, and also come in limited number.

I wasn't referring to hardware keys (like YubiKeys), but rather on-device secure enclaves, TEEs, or TPMs.

Also I said "protecting a key using the secure enclave", which is perhaps a bit of a sleight of hand :-)

By that I mean a key that is wrapped (encrypted) using a parent key stored in the secure enclave. The key itself is not stored in the SE. But since it is wrapped using a parent key that is stored in the SE, that means it can only be decrypted in the SE. I believe this is how iCloud Keychain works, for example.

Digging into this further, it looks like I might have been wrong to imply that a credential manager app can instruct the SE itself to perform the proof of possession calculations needed for passkey authentication using a private key that is "protected" in this sense. When the app asks the SE to decrypt a passkey private key, it looks like the SE might return the passkey private key in plaintext to the app, and then the app itself performs the proof of possession calculation transiently outside the SE. I'm not sure about that, but I'd love to know.

> How do the decryption keys for the encrypted passkeys get shared between devices?

They get established as part of the device enrolment process. I suspect this simply adds another layer to the key hierarchy, so that your passkey private keys are encrypted under a sync key (parent) which is encrypted under a SE key (grandparent).

In that case, you could still claim that your passkeys are "protected by the SE" since they are encrypted at rest and in transit, and they cannot be decrypted anywhere except in the SEs of your enrolled devices.

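The three-level hierarchy jmsgwd sketches above (passkey private key wrapped under a sync key, sync key wrapped under each enrolled device's secure-enclave key) is easy to see in a small model. The following is an added illustration, not code from the thread or from any vendor's implementation: an HMAC-SHA256 based encrypt-then-MAC construction stands in for a real key-wrapping cipher such as AES-KW, and the names `SecureEnclave`, `enroll_device`, `store_passkey` and `use_passkey` are constructed for this example. It also makes the point raised two comments up visible: in this model the app receives the unwrapped passkey key, so signing would happen outside the enclave.

```python
"""Toy model of a synced-passkey key hierarchy (constructed example).

Layers, from the leaf up:
  passkey private key  --wrapped under-->  sync key (parent, shared by all enrolled devices)
  sync key             --wrapped under-->  per-device SE key (grandparent, never leaves the device)
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real stream/block cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(parent_key: bytes):
    """Derive separate encryption and MAC keys from the parent key."""
    enc_key = hmac.new(parent_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(parent_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def wrap(parent_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag (toy stand-in for AES-KW)."""
    enc_key, mac_key = _subkeys(parent_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(parent_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong parent key (e.g. an unenrolled device) fails here."""
    enc_key, mac_key = _subkeys(parent_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong parent key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SecureEnclave:
    """Models a device's SE/TPM: the device key is generated inside and never exported."""

    def __init__(self) -> None:
        self._device_key = secrets.token_bytes(32)

    def wrap(self, data: bytes) -> bytes:
        return wrap(self._device_key, data)

    def unwrap(self, blob: bytes) -> bytes:
        return unwrap(self._device_key, blob)


def enroll_device(enclave: SecureEnclave, sync_key: bytes) -> bytes:
    """Enrolment: the account-wide sync key is wrapped under this device's SE key."""
    return enclave.wrap(sync_key)


def store_passkey(sync_key: bytes, passkey_private_key: bytes) -> bytes:
    """Wrap a passkey private key under the sync key; this blob is all the cloud ever holds."""
    return wrap(sync_key, passkey_private_key)


def use_passkey(enclave: SecureEnclave, wrapped_sync_key: bytes, wrapped_passkey: bytes) -> bytes:
    """On an enrolled device: the SE unwraps the sync key, which unwraps the passkey.
    Note the plaintext passkey key is returned to the caller (the app), not kept in the SE."""
    sync_key = enclave.unwrap(wrapped_sync_key)
    return unwrap(sync_key, wrapped_passkey)


def demo() -> dict:
    """Two enrolled devices share one synced passkey; an unenrolled device cannot use it."""
    sync_key = secrets.token_bytes(32)
    phone, laptop, stranger = SecureEnclave(), SecureEnclave(), SecureEnclave()
    laptop_wsk = enroll_device(laptop, sync_key)
    enroll_device(phone, sync_key)  # phone's copy, not needed further in this demo
    passkey_priv = secrets.token_bytes(32)  # constructed stand-in for an EC private scalar
    cloud_blob = store_passkey(sync_key, passkey_priv)  # created on the phone, synced via cloud
    recovered = use_passkey(laptop, laptop_wsk, cloud_blob)
    try:
        use_passkey(stranger, laptop_wsk, cloud_blob)  # stranger's SE holds a different key
        stranger_ok = True
    except ValueError:
        stranger_ok = False
    return {
        "laptop_recovers_key": recovered == passkey_priv,
        "cloud_sees_plaintext": passkey_priv in cloud_blob,
        "unenrolled_device_ok": stranger_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The defensive property the model shows is that the cloud-synced blob is useless without a sync key, and the sync key is useless outside an SE that was enrolled; the open question from the thread, whether the signing step itself can be kept inside the enclave rather than done by the app, is exactly what `use_passkey` returning plaintext would fail to give you.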
timmyc123 6 days ago
> stored on a YubiKey/Secure Enclave/TPM and that was what made them resident.

Stored in an authenticator/credential manager in general, not specific to a security key, secure enclave, or TPM.

jmsgwd 7 days ago
> Because by default, they do, and you have to explicitly install software to let it be moved

Apple's native passkey implementation doesn't require you to install extra software, and the passkeys sync by default. I thought Google's and Microsoft's were similar - but I haven't tried them.

> And even if you do, it’s discouraged

Really? Where is it discouraged? I thought synced passkeys are intended as the solution for consumers.

> the spec is allowed to deny you access

Yeah but I thought that's for enterprise use cases, not consumer. E.g. employers that want to enforce device type restrictions on their employees.

spencerflem 7 days ago
It does if you want to share accounts between my iOS phone and Linux desktop. And it still puts you entirely at the whims of Apple, etc. if you’re allowed to log in to unrelated accounts.

And I think it is mostly being used for enterprises for now, but much like TPM and remote attestation running on “my” computer, I don’t like that it’s an option.

bakies 7 days ago
Starting to really hate these; regret ever using one.
andrewmcwatters 7 days ago
I don't care what you other people in auth do, I work in auth too, please stop making signing into anything 5 steps.

1. First I get redirected to a special sign-in page.

2. Then I sign in with my email only.

3. Then it finally asks me for a password, even for services that would never reasonably use SSO or have another post-email receive process.

4. Then I get redirected again to enter 2FA.

5. Then these websites ask if I want to create a passkey. No, I never want to create a passkey, and you keep asking me anyway.

6. Then, and only then, do I get to finally go back to using the service I wanted, and by then, you've lost whatever my `?originalUrl=` was, and I have to find it again.

No, don't send me a magic link. Because then I have to go do 4 more steps with Gmail or another mailbox provider and now signing in has become 10 or more steps.

No, don't tell me getting rid of passwords will help most of the population, and then force all of us to do the above, and blatantly lie to us that it's better.

Stop it. Get some help.

magnetowasright 6 days ago
I still find myself stuck on step 0: find the fucking login button, which for some reason is tiny/looks disabled/not easily discernible as a button.
eddyg 7 days ago
If you created a passkey, it would be one step.
jason_s 7 days ago
Please don't use fixed-width fonts to write text. Please use fixed-width fonts to write code.
dpifke 7 days ago
Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting.

(quoting https://news.ycombinator.com/newsguidelines.html)

dantillberg 7 days ago
I think part of the distress experienced by readers is due to mixing the fixed-width font with "text-align: justify". So it's close but not exactly fixed/consistent.
miloignis 7 days ago
Ah, thank you for pointing that out! I was wondering what it was.
nine_k 7 days ago
Firefox Reader Mode makes such sites more readable.