this post was submitted on 09 Apr 2024
503 points (92.7% liked)

Technology

59345 readers
6024 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 
  • Big Tech has implemented passkeys in a way that locks users into their platforms rather than providing universal security
  • Passkeys were developed to replace passwords for better account security, but their rollout by Apple and Google has limited their potential
  • Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.
you are viewing a single comment's thread
view the rest of the comments
[–] answersplease77@lemmy.world 7 points 7 months ago (13 children)

what are passkeys? like biometrics fngerprints or facisl recognition you mean?

[–] Spotlight7573@lemmy.world 19 points 7 months ago* (last edited 7 months ago) (2 children)

Passkeys are a way of doing public/private key-pair crypto to prove that you are in possession of the private key that corresponds to the public key that was registered with a site or service when you added the passkey to the account. The use of the passkey is often protected by biometrics like the fingerprint or facial recognition systems on your device but it doesn't necessarily need to use biometrics at all if you don't want to and you can instead use a passcode to unlock your device or password/passkey manager.

Basically instead of the normal way with passwords:

  • You ---password---> website
  • Website verifies password matches, either directly to an actual stored password (bad) or through a hash they have stored

With passkeys you have:

  • You <---challenge--- website
  • You sign the challenge with a private key that only you have
  • You ---signed challenge ---> website
  • Website verifies that the signed challenge corresponds to the public key you provided when you set up the passkey

In the password scenario, the website could be following best practices and hashing the password or it could just be storing them directly and insecurely. You have no idea what really goes on inside their systems. This also means that due to reused passwords, a security breach at one site can mean problems for other sites, even if they didn't do anything wrong.

In the passkey scenario, you're not sending anything particularly sensitive to each site so it's more secure.

[–] SniffDoctor@lemmy.ml 2 points 7 months ago* (last edited 7 months ago) (1 children)

If I use a password manager with long random passwords, and use 2FAS to generate those 6-digit two factor authentication codes whenever possible (as opposed to SMS/email 2FA), is there any advantage?

Is it just that you don't actually have to type anything, just press "I approve" on your phone after entering your username?

Or is it more just designed to improve security for people like my family members who use the same ~10 digit passwords for everything?

[–] Spotlight7573@lemmy.world 1 points 7 months ago

It's definitely trying to be user friendly enough that non-technical users like the family members you mention can use it to replace passwords. For your use case with a strong password and 2FAS to generate a code, it still gets rid of the phishing potential. The main advantage for the other people like your family is that they don't have to type or autofill anything, just select an account to log into or click approve on their phone. A main advantage for the service is that the user's diligence is taken out of the equation for a lot of it and they don't have to worry about a user giving their password and 2FA codes to a phisher. If a user tries to use a passkey at the wrong site (like a phishing site), it won't pop up as an option to select because the domain is wrong.

Passkeys can also help anyone who is using a service in an indirect way. The 23andMe "breach" was due to stolen credentials from other actually breached sites being used to log into accounts that have data shared with them. That 23andMe data was shared to those compromised users by people who may have actually had all their security turned up to the highest settings like 2FA but was nonetheless scraped and obtained by the bad actors anyways. If 23andMe had been using passkeys (or even magic login links in an email), there would have been no credentials from other sources to use against their 23andMe's users. Moving everyone to more secure authentication methods is in the best interest of everyone involved, it's just that typically it was a hassle to have to setup an authenticator app or a password manager for 2FA. Passkeys, when everything is working properly, finally provide both more security and more convenience for the average person than just a password and so people might actually adopt them.

load more comments (10 replies)