Passkeys Are Finally Here (arstechnica.com) 96
An anonymous reader quotes a report from Ars Technica: Generically, passkeys refer to various schemes for storing authenticating information in hardware, a concept that has existed for more than a decade. What's different now is that Microsoft, Apple, Google, and a consortium of other companies have unified around a single passkey standard shepherded by the FIDO Alliance. Not only are passkeys easier for most people to use than passwords; they are also completely resistant to credential phishing, credential stuffing, and similar account takeover attacks.
On Monday, PayPal said US-based users would soon have the option of logging in using FIDO-based passkeys, joining Kayak, eBay, Best Buy, CardPointers, and WordPress as online services that will offer the password alternative. In recent months, Microsoft, Apple, and Google have all updated their operating systems and apps to enable passkeys. Passkey support is still spotty. Passkeys stored on iOS or macOS will work on Windows, for instance, but the reverse isn't yet available. In the coming months, all of that should be ironed out, though.
Passkeys work almost identically to the FIDO authenticators that allow us to use our phones, laptops, computers, and Yubico or Feitian security keys for multi-factor authentication. Just like the FIDO authenticators stored on these MFA devices, passkeys are invisible and integrate with Face ID, Windows Hello, or other biometric readers offered by device makers. There's no way to retrieve the cryptographic secrets stored in the authenticators short of physically dismantling the device or subjecting it to a jailbreak or rooting attack. Even if an adversary was able to extract the cryptographic secret, they still would have to supply the fingerprint, facial scan, or -- in the absence of biometric capabilities -- the PIN that's associated with the token. What's more, hardware tokens use FIDO's Cross-Device Authentication flow, or CTAP, which relies on Bluetooth Low Energy to verify the authenticating device is in close physical proximity to the device trying to log in. "Users no longer need to enroll each device for each service, which has long been the case for FIDO (and for any public key cryptography)," said Andrew Shikiar, FIDO's executive director and chief marketing officer. "By enabling the private key to be securely synced across an OS cloud, the user needs to only enroll once for a service, and then is essentially pre-enrolled for that service on all of their other devices. This brings better usability for the end-user and -- very significantly -- allows the service provider to start retiring passwords as a means of account recovery and re-enrollment."
In other words: "Passkeys just trade WebAuthn cryptographic keys with the website directly," says Ars Review Editor Ron Amadeo. "There's no need for a human to tell a password manager to generate, store, and recall a secret -- that will all happen automatically, with way better secrets than what the old text box supported, and with uniqueness enforced."
If you're eager to give passkeys a try, you can use this demo site created by security company Hanko.
securely synced across an OS cloud, (Score:5, Insightful)
Re: securely synced across an OS cloud, (Score:2)
AFAIK iOS is the only platform that makes cloud storage mandatory. On every other platform they either are or can be stored non-exportable in a hardware enclave.
Re: (Score:1)
AFAIK iOS is the only platform that makes cloud storage mandatory. On every other platform they either are or can be stored non-exportable in a hardware enclave.
Are you sure? Checking my iPhone...
General Settings > iCloud > Log In. (it is not mandatory)
Oh you mean password sync? Well there are several options available in the App Store.
Oh you mean file sync? Again, several options.
Or you mean I cannot add a "local" storage device? I bluetooth and wifi sync my iPhone to a laptop.
You mean using Apple's App Store is mandatory? Gotcha. That is true.
Re: securely synced across an OS cloud, (Score:2)
Dude...none of those things are on topic. Read about passkey, then come back here.
You're a total Kevin.
https://youtu.be/qF6pgI8I0QY?t... [youtu.be]
Re:securely synced across an OS cloud, (Score:5, Informative)
It's proven secure thus far. Chrome has been syncing passwords via Google Cloud since the very early versions, and no reports of them being hacked that way.
You can set a password for Chrome data, which is separate from your Google account password. It is encrypted before being uploaded. Your password is never transmitted to Google, and you can't view or recover the data without it.
Lots of people store their password databases for things like Keepass in the cloud too. Again, encrypted client side. It's proven technology.
Re: (Score:1)
Yea but this effectively means that you can't casually log into a service through a browser any more. A major part of the "Web As OS" paradigm is that devices are disposable dumb terminals, and you can just log in anywhere. You don't need to have a carefully set up desktop of your own any more, you just log into whatever service you want in any web browser and you're at your workspace.
This arbitrarily makes that really hard.
Here, do this. Go to that demo site, and create an account and passkey.
Now, try to l
Re: (Score:2)
That's true, assuming they don't support security keys.
The thing is, unless you use a really crappy password then it's also not an issue, because you won't be able to remember your secure password anyway. If you can remember it, it's not secure.
Most people have phones now so on balance it's probably too much of an edge case to justify having a weak password.
Re: securely synced across an OS cloud, (Score:2)
Logging in to a web service on a device you don't own is an "edge case"? That'll be news to:
- Corporates with shared PCs
- Internet cafes
- Parents with kids who visit
- School computer labs
Heck, people who only log in to web services on their own devices? THAT'S the edge case.
Re: (Score:2)
In those scenarios how do people find their long, random, and unique password?
In corporations and schools there will be a network login, and the user's Passkey will be stored as part of their profile.
In other places you can use a security key like a Yubikey, or choose to have a memorable password if you really think that's a good idea. For family another option is to just log into Firefox or Chrome, which will sync the Passkey, and then log out again when finished.
Re: (Score:2)
Here, do this. Go to that demo site, and create an account and passkey. Now, try to log into that account from your friend's laptop.
The upgrade in TFA is that Google/whoever will sync your device authentication through the cloud, so if you login to your Google account on your friend's laptop (with 2FA hopefully) then you can validate the friend's laptop as a trusted device. It basically ties your logins to your cloud provider, but lots of people were doing that anyway somehow and this method makes it ultra-secure (for sites that support it).
PayPal? What's that? (Score:1, Interesting)
Not sure why anyone would need to log into PayPal now, which can simply steal $2500 from you [reason.com] for either sending to, or receiving money from people PayPal deems to be "intolerant".
(it was originally described as also for "misinformation" but as the article explains PayPal backtracked on that).
Regardless of how you feel about intolerance or how PayPal even judges that, that's way too much financial exposure for me to be comfortable when I can't be sure of what every single person I transact with on PayPal thin
Re: (Score:2)
Re: (Score:3, Interesting)
Re: (Score:2)
I'm not the parent.
My PayPal isn't linked to my bank account. I've used it to 'tip' software writers who only took Paypal. And while I used to remove my credit card after every transaction, these days I have a separate card with a very low limit I use for Paypal and other online purchases.
Do you think there's a problem with that?
Re: How sure are you really though... (Score:2)
Seems pretty good to me (Score:1)
these days I have a separate card with a very low limit I use for Paypal
That's probably as safe as you can get but again, how sure are you that deleting a credit card from the PayPal database has really removed it...
Though at least you only use a low limit CC so I commend you for that.
Now myself, I did have a bank linked for a while because I used to receive payment from eBay sales, and after that was gone still used it for a few other transactions here and there.
But even having removed that and a card lin
Re: (Score:2)
Re: Makes PayPal risky for all use (Score:2)
Re: (Score:3)
Re: (Score:2)
But you're fine using a company that does that to others.
Re: (Score:2)
Re: (Score:2)
It's not just "other people", it's also companies PP deems "incorrect". So it simply does apply.
Re: PayPal? What's that? (Score:1)
Okay, I understand the shady business practices of paypal.
But why are you sending money to hate groups?
Re: PayPal? What's that? (Score:5, Insightful)
But why are you sending money to hate groups?
I don't send money to hate groups - that I know of.
The problem is more that someone from a hate group may send money to me, say to pay for an item I'm selling online.
Or maybe I'm buying something like an action figure from someone who (unknowingly to me), is in fact running a hate group.
Do you see the problem here? There is not one person I can safely transact with on PayPal going forward because I cannot control what other people do.
Return to Sender (Score:1)
Ah look, it's an adult infant.
Oh man, and that was gonna be your Christmas present!
I'll send it back, and just give you a gift card so you can buy your Hentai.
Re: (Score:2)
Re: PayPal? What's that? (Score:2)
Yeah fair and reasonably explained . I'm not going to justify PayPal's theft and shitty practices, although I don't think it's news at this point.
Re: (Score:2)
Why are you assuming anybody that gets blocked is actually a hate group?
(In my world, assuming and stating someone is really rotten is a hate comment. You have pretty much crossed that threshold. You see how easy it is to be defined as hateful by someone else's rules?)
Re: (Score:2)
Define "hate group"? Biden claims the entire Republican party is a hate group. I don't send them money, but it seems paypal could call anyone a hate group. Or is it only the SPLC's definition of hate group? ...Many of which I disagree with.
Re: (Score:2)
Define "hate group"? Biden claims the entire Republican party is a hate group. I don't send them money, but it seems paypal could call anyone a hate group. Or is it only the SPLC's definition of hate group? ...Many of which I disagree with.
Hate crime is a completely nebulous concept. There are obvious hate crimes, and there are not so obvious ones. A dark skinned person of African descent killed by the KKK - Yeah, that's pretty much hate.
Using hateful language is an area where it gets kind of gray. And it gets really gray when the claim is that 54 percent of hate crime victims do not report it.
It is defined as “crimes that manifest evidence of prejudice based on race, gender or gender identity, religion, disability, sexual orienta
Re:PayPal? What's that? (Score:4, Informative)
Not sure why anyone would need to log into PayPal now, which can simply steal $2500 from you [reason.com] for either sending to, or receiving money from people PayPal deems to be "intolerant".
Let them try that in Europe. They will have the book thrown at them so fast they will not know what hit them. They may even lose their banking license over something like that because banks are very much not allowed to fine their customers. They can report people to the police, but that is it.
Re: (Score:3)
It is really simple: Complain to the regulator. PayPal has their European banking license in Luxembourg. The regulator there is the CSSF: https://www.cssf.lu/en/ [www.cssf.lu]
But it will not come to that. PayPal will not suicide in this stupid way.
Incidentally, are you so timid that you think your freedoms and rights do not merit taking a small risk and that you are willing to bow to even to a not-credible and now retracted threat? Well, then know this: PayPal can just keep all funds you have with them without any reason
I am not timid, and also not stupid (Score:1)
Incidentally, are you so timid that you think your freedoms and rights do not merit taking a small risk
How is it protecting my rights to put my head in the mouth of a lion? Wow so brave! And stupid.
Protecting rights is about being vigilant, about exactly what I am doing - seeing a company trying to abuse my rights and me in turn removing all connection to them. How is that timid? That is simply being vigilant to understand the danger, and wise in having a realistic response.
What you are proposing, just c
Re: (Score:2)
Be careful though, even in Europe PayPal is quite slippery. For example, normally if you pay on credit card in the UK you have various protections. There is Section 75 that makes the card issuer equally liable as the vendor, and there are chargebacks.
PayPal is just a middleman though, and will argue that the transaction was with them and it went according to their terms and conditions. Therefore if you have an issue with what you bought, you can't use Section 75 or do a chargeback because PayPal didn't scre
Re: (Score:1)
Thanks for the tip, still a problem... (Score:1)
I had scoured and removed all cards and any subscription related items, though I have to admit I've not removed contacts so I'll do that.
However I think I have something else going on. When I tried to use the AI help system it noted (A) I have a PayPal credit card, so I have to figure out how to close that first. Moderately understandable, though the PayPal help system also claims you can keep a PayPal credit card without an account so....
But anyway, it says I have a second problem and when I ask it to te
Re: PayPal? What's that? (Score:2)
Re: PayPal? What's that? (Score:4, Informative)
You can always count on SuperKenDoll for letting you know the daily right wing talking points.
Re: (Score:3, Informative)
1. violate any law, statute, ordinance or regulation.
2.
(f) the promotion of hate, violence, racial or other forms of intolerance that is discriminatory or the financial exploitation of a crime,
(g) items that are considered obscene
(i) certain sexually oriented materials or services
(j) ammunition, firearms, or certain firearm parts or accessories, or (k) certain weapons or knives regulated under applicable law.
Emphases are mine.
These "may subje
Re: (Score:2)
If you can't close your account, you can at least remove all your cards and bank accounts from it. Change your address to a fake one, ditto your phone number.
Re: (Score:2)
Re: (Score:1)
you can at least remove all your cards and bank accounts from it. Change your address to a fake one, ditto your phone number.
Yeah already did that, my concern is how permanent is that delete really. I don't trust PayPal not to dig up older database records (though I admit that is kind of far-fetched, but I also would have said PayPal charging money for thought crimes was far-fetched as well and here we are).
Emails all the way down... (Score:2)
Demo site in TFS basically just mails you a one-time password to the email you used to register for the demo site.
Which is basically just "recovery email" password recovery path.
Which is fine, I guess - until your email provider implements the same scheme and now you need an email for your email. Rinse and repeat.
Just make sure you write down ALL the passwords and keep them where you can easily find them when they're needed.
By you or anyone else with eyes.
Not exactly... (Score:4, Insightful)
There's no way to retrieve the cryptographic secrets stored in the authenticators short of physically dismantling the device or subjecting it to a jailbreak or rooting attack.
For iOS, apple forces you to also store them on iCloud, which we all know never gets hacked because apple is perfect, and they also can't be provisioned as non-exportable, meaning they can be shared over airdrop. Apple had the courage to weaken the security model.
Re: Not exactly... (Score:1)
So don't use Apple.
Re: (Score:2)
There's no way to retrieve the cryptographic secrets stored in the authenticators short of physically dismantling the device or subjecting it to a jailbreak or rooting attack.
For iOS, apple forces you to also store them on iCloud, which we all know never gets hacked because apple is perfect, and they also can't be provisioned as non-exportable, meaning they can be shared over airdrop. Apple had the courage to weaken the security model.
Yeah, that one kind of got to me. There should be no way of getting the cryptographic secrets short of disassembling the device (for a value of "disassembling" that includes the use of a scanning electron microscope). Jailbreaking or rooting should, at best, possibly allow a man in the middle attack, but there should be absolutely no possible software method whatsoever of getting the keys themselves off the device. They should be write once, read never.
Re: (Score:1)
Surely you meant write once, read only under very specific circumstances. I only say this because write once/read never technology has been around for quite a while. Even my 2 year old showed mastery over it when he found a bunch of important post it notes on my desk.
Re: (Score:3)
And /dev/null is also a great write-once read-never solution. I've been writing cron output there for decades, with no increase in file size!
Best lossy compression method there is.
Re: (Score:2)
Nope, I meant write once, read never. To be clear, I don't mean that it would never be read, I mean that it would never be read from outside the hardware. In other words, all of the logic required for cryptography is performed in microcode on a small sub-processor inside a chip on the storage device. So, the key is stored and it is read, but only by an internal component. There would be no way to externally access the memory containing the keys. So, the only way to read it would be to remove the chip (which
Not private. (Score:4, Insightful)
These are being pushed because they provide a way for these companies to uniquely identify you and they assume that you trust the company with who you are authenticating against. Any smart person does NOT automatically trust any company they create an account with and it should always remain possible to use a company's free services in a way that does not uniquely identify you. Passwords CAN be less secure but they also allow you to be in control of how, who and where your account is accessed from. If I choose to give my wife access to my account I can do it. If I choose to create a shared account, I can do it. I will be in control of my own security and privacy, thank you. Take your biometrics and passkeys and gtfo. It should be an OPTION, not a requirement.
Re: (Score:2)
Re:Not private. (Score:5, Insightful)
They are already uniquely identifying you based on insistence of using weak shit SMS MFA. If they can send you an SMS with a 6-digit code in it, then they have your phone number and can look up subscriber info.
Don't you think it's odd that a lot of these companies don't implement the free-as-in-beer AND free-as-in-speech TOTP MFA that is far more secure and reliable than SMS?
Re:Not private. (Score:4, Insightful)
I never said that I use SMS. I try very hard not to for exactly that reason. I use passwords and passwords only unless there is no tie to a unique real world identity. I don't mind a company knowing that I am a unique individual as long as it cannot be tied to a real world identity of me.
Re: (Score:2)
My point is that a lot of services don't give you a choice. It's SMS or you don't log in. And the worst offenders are exactly who you would like it not to be: banks and health care / insurance.
Re: (Score:2)
What do banks and health insurers do for customers who do not subscribe to mobile phone service?
Re:Not private. (Score:5, Informative)
Passkeys use Webauthn cryptographic keys, which cannot be used to track a user between websites. The key that the website gets is unique and there is no known correlation attack. If such an attack was found it would immediately be a huge problem not just for Passkeys/Webauthn, but for a lot of other similar crypto systems that we rely on daily.
Even if you don't trust these companies, Passkeys are a good thing because you can use something like a Yubikey with sites that support it. There are even open source security keys that you can build yourself and validate the firmware of, in case you think there is a secret modem built into them or something.
Re: (Score:2)
Re: (Score:3)
No, they are not being pushed for that reason. In fact that's so wrong it borders on a conspiracy theory.
They uniquely identify you by making you create an account and forcing you to log on before every interaction with them. It doesn't matter if you used passwords or FIDO2 to identify yourself - the horse had already bolted when you entered your unique user name, or email address, or whatever. The password or F
But can you fax it? (Score:1)
would some kind soul throw some light? (Score:2)
But what I worry about is the security of the device where this authenticator is running. Something like the user has inadvertently installed a trojan
Biometrics - ugh (Score:5, Insightful)
passkeys are invisible and integrate with Face ID, Windows Hello, or other biometric readers offered by device makers. ... or -- in the absence of biometric capabilities -- the PIN that's associated with the token.
And, hopefully, users can rely on only a PIN if they *choose* to not use biometrics, as the latter can be legally compelled under the 4th and 5th Amendments: Compelled Biometric Access Legal Under 4th, 5th Amendments [bloomberglaw.com] (in the US).
Re: (Score:2)
Re: (Score:3)
...so they have to coerce or torture the PIN out of you instead?
That's where some sort of second "panic" PIN could come in handy. If you use it, it looks like everything authenticates properly, but a flag has gone up on the transactions and the police are brought in. Not a perfect system, but it could help.
Re: (Score:2)
Yeah, that's great, until the police are the ones trying to torture the PIN out of you. Calling the police when you use the duress PIN will tip them off to it.
Re: (Score:2)
Hence: "Not a perfect system..."
Re: (Score:3)
Android supports that. There is an open source app called Wasted, that is actually a little ecosystem of apps that provide various functionality. One of the possible functions is a duress pin that factory resets the device. On any device that uses encrypted storage (Google and Samsung devices do, probably many others) the data is not recoverable after a factory reset as the key is destroyed and regenerated.
Re: (Score:2)
I was thinking of something along those lines. Although I was thinking more for bank account access, etc. and not necessarily locking things out/deleting keys but rather allowing dummy banking sessions where, for example, thieves might see the transaction supposedly happen in the GUI for your account, but actually no money is moved and the police are alerted. This, of course, would require a lot of cooperation between banks on implementing a protocol for this. Honestly I don't think a lot of financial insti
Re: (Score:2)
"cold, dead hands" I think they call it...
Re: (Score:2)
These are for known REMOTE SERVICES (Score:2)
... not for your full disk encryption "you won't get my password even if you torture me" types.
Way, way, way, way before you get to any discussion about how they can compel you to use your face or fingerprint or whatnot to unlock your device they'd have all your data from all the services mentioned (Microsoft, Apple, Google, Kayak, eBay, Best Buy, CardPointers, WordPress, Paypal... really anything), with just a few clicks and possibly without you even knowing for a long time.
Re: (Score:2)
Ya, I agree. And if they don't get your client info directly from the service, they'll just get your passkey info from the cloud service storing/exchanging them by using a warrant or via the backdoors that probably exists -- depending on who's doing the getting ...
When can I (Score:2)
Let's see how long until practical attacks (Score:2)
Because there will be some. There is no way such a scheme could really be impervious.
Here is my prediction, assuming people actually start using this (if nobody cares, it will take longer):
1. First lab-breaks shown at some security conference: 2023
2. First breaks by attackers: 2024
3. Turns out to be worse than good passwords or 2FA: 2026-2028
Re: Let's see how long until practical attacks (Score:2)
Re: (Score:2)
This thing has a _four_ digit PIN? OMG.
Re:Let's see how long until practical attacks (Score:5, Informative)
Re: (Score:2)
It cannot be "fairly mature" until it's been very widely used for a few years. It's not even close.
Exactly. Let it survive 5 years in a large real-world deployment, and I will start to take it seriously. Before that, not so much.
Re: (Score:2)
FIDO 2, which is what you are commenting on, was deployed in 2015 [wikipedia.org]. 7 years ago. Google rolled it out aggressively after being phished for around $800M. Their Titan FIDO2 key was one manifestation of that. They were reportedly very happy with the results. I presume that counts as a "large real-world" deployment.
Re: (Score:2)
You are a) underestimating the inventiveness of the attackers and b) FIDO tokens are a niche tech. Or at least they were, so attackers did not invest effort. Also, phishing is not the only possible attack technique. In the end, it only matters whether people will get successfully attacked or not.
Re:Let's see how long until practical attacks (Score:4, Insightful)
This is not how private key works (Score:2)
Re: (Score:1)
One Ring to Rule Them All (Score:2)
"By enabling the private key to be securely synced across an OS cloud, the user needs to only enroll once for a service, and then is essentially pre-enrolled for that service on all of their other devices."
I might be willing to get a dedicated PayPal key ... maybe, but there is no way that key will be used for anything else!
Re:One Ring to Rule Them All (Score:5, Informative)
So excited about Passkeys (Score:2)
Potential phishing attempt from demo site (Score:2)
Dark Web (Score:1)