Are Passwords Dead? What Are Passkeys, and Why Everyone's Talking About Them

Sounds good in theory, but although the server may not be storing your username and password, it is somehow keeping track of the public and private keys used to authenticate. If all four can be encrypted, what's the difference?
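For the "what does the server actually keep" question, here is a toy model of the passkey registration and login exchange. It is an added example, not code from the article or any commenter, and every name in it is an assumption: the `Authenticator` and `RelyingParty` classes, the sample relying-party IDs, and the toy Schnorr-style signature over the Mersenne prime 2**127 - 1 (chosen only so the private-key/public-key relationship is visible with the standard library; real passkeys use ECDSA P-256 or Ed25519 inside the platform authenticator, and nothing here is fit for production). What it shows: the relying party's database holds public keys only, the private key never leaves the authenticator, one key pair is generated per site, and a challenge signed for one site neither replays nor works for a look-alike site.

```python
"""Toy passkey (WebAuthn-style) flow: server keeps public keys only.

Added example; names, sample sites and the toy signature are assumptions.
"""
import hashlib
import secrets

# Toy group: multiplicative group mod the Mersenne prime 2**127 - 1.
# Far too small for real use; exponents are reduced mod P-1 (Fermat).
P = (1 << 127) - 1
G = 3


def _hash_to_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")


def keygen():
    x = secrets.randbelow(P - 2) + 1            # private scalar
    return x, pow(G, x, P)                      # (private, public)


def sign(private_key: int, message: bytes):
    k = secrets.randbelow(P - 2) + 1            # fresh nonce per signature
    r = pow(G, k, P)
    e = _hash_to_int(r.to_bytes(16, "big"), message)
    return r, (k + e * private_key) % (P - 1)


def verify(public_key: int, message: bytes, signature) -> bool:
    r, s = signature
    e = _hash_to_int(r.to_bytes(16, "big"), message)
    return pow(G, s, P) == (r * pow(public_key, e, P)) % P


class Authenticator:
    """Device/password-manager side: holds private keys, only ever signs."""

    def __init__(self):
        self._creds = {}                        # credential_id -> (rp_id, private_key)

    def register(self, rp_id: str):
        private_key, public_key = keygen()      # fresh pair per relying party
        cred_id = secrets.token_hex(8)
        self._creds[cred_id] = (rp_id, private_key)
        return cred_id, public_key              # only the public half leaves

    def sign_challenge(self, origin_rp_id: str, cred_id: str, challenge: bytes):
        rp_id, private_key = self._creds[cred_id]
        if rp_id != origin_rp_id:               # scoped to another site: refuse
            raise PermissionError(f"credential not scoped to {origin_rp_id}")
        return sign(private_key, rp_id.encode() + b"|" + challenge)


class RelyingParty:
    """Web service side: stores public keys, issues and verifies challenges."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.db = {}                            # user -> {credential_id: public_key}

    def enroll(self, user: str, cred_id: str, public_key: int):
        self.db.setdefault(user, {})[cred_id] = public_key

    def begin_login(self) -> bytes:
        return secrets.token_bytes(32)          # fresh challenge: no replay

    def finish_login(self, user: str, cred_id: str, challenge: bytes, signature) -> bool:
        public_key = self.db.get(user, {}).get(cred_id)
        if public_key is None:
            return False
        return verify(public_key, self.rp_id.encode() + b"|" + challenge, signature)


def demo() -> dict:
    auth = Authenticator()
    site_a, site_b = RelyingParty("example.com"), RelyingParty("bank.example")
    cred_a, pub_a = auth.register(site_a.rp_id)
    site_a.enroll("alice", cred_a, pub_a)
    cred_b, pub_b = auth.register(site_b.rp_id)
    site_b.enroll("alice", cred_b, pub_b)

    ch = site_a.begin_login()                   # 1. honest login
    honest = site_a.finish_login("alice", cred_a, ch, auth.sign_challenge(site_a.rp_id, cred_a, ch))
    captured = auth.sign_challenge(site_a.rp_id, cred_a, ch)   # 2. replayed later
    replayed = site_a.finish_login("alice", cred_a, site_a.begin_login(), captured)
    try:                                        # 3. look-alike site asks for a signature
        auth.sign_challenge("examp1e.com", cred_a, secrets.token_bytes(32))
        phished = True
    except PermissionError:
        phished = False
    privates = {k for _, k in auth._creds.values()}   # 4. what a DB dump exposes
    leaked = any(pk in privates for db in (site_a.db, site_b.db)
                 for creds in db.values() for pk in creds.values())
    return {"honest": honest, "replayed": replayed, "phished": phished,
            "private_key_in_server_db": leaked, "keys_differ_per_site": pub_a != pub_b}


if __name__ == "__main__":
    print(demo())
```

The two things worth noticing are that `site_a.db` and `site_b.db` contain nothing that could be used to log in (a dump of both yields only public keys, and different ones per site), and that the origin check in `sign_challenge` is what makes a phishing page useless even when the user is fooled. The sync and backup problem the later comments raise is a different layer: it is about how the authenticator's `_creds` store is protected when it is copied between devices, which this model does not cover.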
 
It's the same thing as a password, but doesn't work across platforms. iOS/Android/Windows do not share passkeys with each other. The concept is great, the execution is pathetic. I accidentally enabled passkeys on one of my Gmail accounts; I'm never making that mistake again until they fix this glaring problem.
Yeah, it sounds like you ran into a similar bug that I did. If you save the passkey to Windows, it's tied forever to your Windows account. If you save it to iOS/Android/Browser, it's tied forever to those accounts. So I tried to pick an OSS service that operated across all of these - Bitwarden - so that it could operate across OSes, devices, and even organizations (if Bitwarden ever goes south). But the combo of Bitwarden on Firefox only lets you save passkeys from Google, but not utilize passkeys from Google. And, unfortunately, all three (Mozilla, Google, Bitwarden) were pointing fingers at the others when it came to blame for the bug. Each was 'sure' that their implementation of passkeys was 'good' and that it was someone else's fault that the keys couldn't be passed back out of the vault to Google.
 
So far, we have learned that the easiest way to mass harvest passwords is to hook people on password-saving apps. At this point, I am confident that 100% of those apps are 100% breakable with just enough dedication and some knowledge.
 
I don't trust it because there are several glaring problems with it:

1. Passkeys are still stored in the cloud. They are not local only. The bit about the private key not being stored there is not much comfort if my private key is lost/stolen. How do I recover that if the cloud supposedly stores only a public key database and is protected by standard methods that are easier to bypass than the passkey protection itself? It's a weak link.
2. The passkey database is protected by standard 2FA that can be bypassed by either fake towers and SIM swapping (SMS 2FA) or session stealing (app 2FA).
3. Even if the "one passkey for multiple sites" is true it's worse, because now the attacker requires one passkey to access multiple sites, whereas a regular password (assuming you invested time to make them unique) can compromise only one site when lost.
4. Biometrics are not a secure method of securing anything, as others have pointed out. We leave fingerprints everywhere and in public places our face is always monitored. Beating biometrics is time-consuming and difficult today and makes sense only for a targeted attack against one wealthy/important person. But will it always be like this, or will this tech get cheap and easy to use like has happened with everything else? I'm betting on the latter.
5. As others have commented - poor cross OS/ecosystem compatibility. Manufacturers can't even agree on something as simple as a universal chat or file transfer protocol and you would have me believe they will agree on implementing passkeys in a way that makes them fully interchangeable?

I have much more faith in this:
 
Face ID and Fingerprint ID are easily overcome; in fact, there are documented cases where it has already been done.

PINs are nothing more than a password by another name.

Using a device ID is also not all that secure. Does anyone remember the use of MAC IDs to authenticate, or prevent authentication? And how easily MACs are faked?

Though the passkey method does allow tying individuals, by name, etc., to specific devices, and thus locations. Where will that data be stored, backed up, and "secured"?

Now, pray tell, what happens when a device is broken, forgotten, lost, stolen?

Don't think that Google's just-announced policy of auto-reboot after 3 days will make any difference. There are, and have been for some time, methods to overcome security during reboot.

What happens if I lose my device?
If you lose your device, your passkeys aren’t lost — they’re securely backed up in the cloud through services like Apple's iCloud or Google's Password Manager (or the password manager of your choice). These backups are end-to-end encrypted, meaning only you can access them, and they sync across your devices for easy recovery.

What provides the encryption? TLS (Transport Layer Security)? Who or which machine holds the keys?