Passkeys Are Finally Here (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Generically, passkeys refer to various schemes for storing authenticating information in hardware, a concept that has existed for more than a decade. What's different now is that Microsoft, Apple, Google, and a consortium of other companies have unified around a single passkey standard shepherded by the FIDO Alliance. Not only are passkeys easier for most people to use than passwords; they are also completely resistant to credential phishing, credential stuffing, and similar account takeover attacks.

On Monday, PayPal said US-based users would soon have the option of logging in using FIDO-based passkeys, joining Kayak, eBay, Best Buy, CardPointers, and WordPress as online services that will offer the password alternative. In recent months, Microsoft, Apple, and Google have all updated their operating systems and apps to enable passkeys. Passkey support is still spotty. Passkeys stored on iOS or macOS will work on Windows, for instance, but the reverse isn't yet available. In the coming months, all of that should be ironed out, though.

Passkeys work almost identically to the FIDO authenticators that allow us to use our phones, laptops, computers, and Yubico or Feitian security keys for multi-factor authentication. Just like the FIDO authenticators stored on these MFA devices, passkeys are invisible and integrate with Face ID, Windows Hello, or other biometric readers offered by device makers. There's no way to retrieve the cryptographic secrets stored in the authenticators short of physically dismantling the device or subjecting it to a jailbreak or rooting attack. Even if an adversary was able to extract the cryptographic secret, they still would have to supply the fingerprint, facial scan, or -- in the absence of biometric capabilities -- the PIN that's associated with the token. What's more, hardware tokens use FIDO's Cross-Device Authentication flow, or CTAP, which relies on Bluetooth Low Energy to verify the authenticating device is in close physical proximity to the device trying to log in.
"Users no longer need to enroll each device for each service, which has long been the case for FIDO (and for any public key cryptography)," said Andrew Shikiar, FIDO's executive director and chief marketing officer. "By enabling the private key to be securely synced across an OS cloud, the user needs to only enroll once for a service, and then is essentially pre-enrolled for that service on all of their other devices. This brings better usability for the end-user and -- very significantly -- allows the service provider to start retiring passwords as a means of account recovery and re-enrollment."

In other words: "Passkeys just trade WebAuthn cryptographic keys with the website directly," says Ars Review Editor Ron Amadeo. "There's no need for a human to tell a password manager to generate, store, and recall a secret -- that will all happen automatically, with way better secrets than what the old text box supported, and with uniqueness enforced."

If you're eager to give passkeys a try, you can use this demo site created by security company Hanko.
  • by oldgraybeard ( 2939809 ) on Tuesday October 25, 2022 @05:10PM (#62997761)
    well that will be secure
    • AFAIK iOS is the only platform that makes cloud storage mandatory. On every other platform they either are, or can be, stored non-exportable in a hardware enclave.

      • AFAIK iOS is the only platform that makes cloud storage mandatory. On every other platform they either are, or can be, stored non-exportable in a hardware enclave.

        Are you sure? Checking my iPhone...
        General Settings > iCloud > Log In. (it is not mandatory)

        Oh you mean password sync? Well there are several options available in the App Store.

        Oh you mean file sync? Again, several options.

        Or you mean I cannot add a "local" storage device? I Bluetooth and Wi-Fi sync my iPhone to a laptop.

        You mean using Apple's App Store is mandatory? Gotcha. That is true.

    • by AmiMoJo ( 196126 ) on Wednesday October 26, 2022 @04:50AM (#62998899) Homepage Journal

      It's proven secure thus far. Chrome has been syncing passwords via Google Cloud since the very early versions, and no reports of them being hacked that way.

      You can set a password for Chrome data, which is separate from your Google account password. It is encrypted before being uploaded. Your password is never transmitted to Google, and you can't view or recover the data without it.

      Lots of people store their password databases for things like Keepass in the cloud too. Again, encrypted client side. It's proven technology.

      • by MrNaz ( 730548 )

        Yea but this effectively means that you can't casually log into a service through a browser any more. A major part of the "Web As OS" paradigm is that devices are disposable dumb terminals, and you can just log in anywhere. You don't need to have a carefully set up desktop of your own any more, you just log into whatever service you want in any web browser and you're at your workspace.

        This arbitrarily makes that really hard.

        Here, do this. Go to that demo site, and create an account and passkey.
        Now, try to l

        • by AmiMoJo ( 196126 )

          That's true, assuming they don't support security keys.

          The thing is, unless you use a really crappy password then it's also not an issue, because you won't be able to remember your secure password anyway. If you can remember it, it's not secure.

          Most people have phones now so on balance it's probably too much of an edge case to justify having a weak password.

          • Logging in to a web service on a device you don't own is an "edge case"? That'll be news to:
            - Corporates with shared PCs
            - Internet cafes
            - Parents with kids who visit
            - School computer labs

            Heck, people who only log in to web services on their own devices? THAT'S the edge case.

            • by AmiMoJo ( 196126 )

              In those scenarios how do people find their long, random, and unique password?

              In corporations and schools there will be a network login, and the user's Passkey will be stored as part of their profile.

              In other places you can use a security key like a Yubikey, or choose to have a memorable password if you really think that's a good idea. For family another option is to just log into Firefox or Chrome, which will sync the Passkey, and then log out again when finished.

        • Here, do this. Go to that demo site, and create an account and passkey. Now, try to log into that account from your friend's laptop.

          The upgrade in TFA is that Google/whoever will sync your device authentication through the cloud, so if you login to your Google account on your friend's laptop (with 2FA hopefully) then you can validate the friend's laptop as a trusted device. It basically ties your logins to your cloud provider, but lots of people were doing that anyway somehow and this method makes it ultra-secure (for sites that support it).

  • Not sure why anyone would need to log into PayPal now, which can simply steal $2500 from you [reason.com] for either sending to, or receiving money from people PayPal deems to be "intolerant".

    (it was originally described as also for "misinformation" but as the article explains PayPal backtracked on that).

    Regardless of how you feel about intolerance or how PayPal even judges that, that's way too much financial exposure for me to be comfortable when I can't be sure of what every single person I transact with on PayPal thin

    • Comment removed based on user account deletion
      • nor do I send or receive money to/from other people and as such the $2500-thing just simply doesn't apply.

        It's not just "other people", it's also companies PP deems "incorrect". So it simply does apply.

    • Okay, I understand the shady business practices of paypal.

      But why are you sending money to hate groups?

      • by SuperKendall ( 25149 ) on Tuesday October 25, 2022 @05:52PM (#62997875)

        But why are you sending money to hate groups?

        I don't send money to hate groups - that I know of.

        The problem is more that someone from a hate group may send money to me, say to pay for an item I'm selling online.

        Or maybe I'm buying something like an action figure from someone who (unknowingly to me), is in fact running a hate group.

        Do you see the problem here? There is not one person I can safely transact with on PayPal going forward because I cannot control what other people do.

      • by piojo ( 995934 )

        Why are you assuming anybody that gets blocked is actually a hate group?

        (In my world, assuming and stating someone is really rotten is a hate comment. You have pretty much crossed that threshold. You see how easy it is to be defined as hateful by someone else's rules?)

      • Define "hate group"? Biden claims the entire Republican party is a hate group. I don't send them money, but it seems paypal could call anyone a hate group. Or is it only the SPLC's definition of hate group? ...Many of which I disagree with.

        • Define "hate group"? Biden claims the entire Republican party is a hate group. I don't send them money, but it seems paypal could call anyone a hate group. Or is it only the SPLC's definition of hate group? ...Many of which I disagree with.

          Hate crime is a completely nebulous concept. There are obvious hate crimes, and there are not so obvious ones. A dark skinned person of African descent killed by the KKK - Yeah, that's pretty much hate.

          Using hateful language is an area where it gets kind of gray. And it gets really gray when the claim is that 54 percent of hate crime victims do not report it.

          It is defined as “crimes that manifest evidence of prejudice based on race, gender or gender identity, religion, disability, sexual orienta

    • by gweihir ( 88907 ) on Tuesday October 25, 2022 @06:04PM (#62997913)

      Not sure why anyone would need to log into PayPal now, which can simply steal $2500 from you [reason.com] for either sending to, or receiving money from people PayPal deems to be "intolerant".

      Let them try that in Europe. They will have the book thrown at them so fast they will not know what hit them. They may even lose their banking license over something like that because banks are very much not allowed to fine their customers. They can report people to the police, but that is it.

      • by AmiMoJo ( 196126 )

        Be careful though, even in Europe PayPal is quite slippery. For example, normally if you pay on credit card in the UK you have various protections. There is Section 75 that makes the card issuer equally liable as the vendor, and there are chargebacks.

        PayPal is just a middleman though, and will argue that the transaction was with them and it went according to their terms and conditions. Therefore if you have an issue with what you bought, you can't use Section 75 or do a chargeback because PayPal didn't scre

    • by Anonymous Coward
      The secret to closing is to remove each person you have saved in contacts (if you ever sent them money in the past) and remove any entries for businesses you had set up to periodically renew subscriptions or periodically pay money for any reason. Then remove payment sources and when it is almost bare the "close an account" will actually work.
      • I had scoured and removed all cards and any subscription related items, though I have to admit I've not removed contacts so I'll do that.

        However I think I have something else going on. When I tried to use the AI help system it noted (A) I have a PayPal credit card, so I have to figure out how to close that first. Moderately understandable, though the PayPal help system also claims you can keep a PayPal credit card without an account so....

        But anyway, it says I have a second problem and when I ask it to te

    • Lol, no they can't. At this point it's just a right wing meme.
      • by ArchieBunker ( 132337 ) on Tuesday October 25, 2022 @07:28PM (#62998105)

        You can always count on SuperKenDoll for letting you know the daily right wing talking points.

      • Re: (Score:3, Informative)

        PayPal acceptable use policy. [paypal.com] Prohibited Activities

        1. violate any law, statute, ordinance or regulation.

        2.
        (f) the promotion of hate, violence, racial or other forms of intolerance that is discriminatory or the financial exploitation of a crime,
        (g) items that are considered obscene
        (i) certain sexually oriented materials or services
        (j) ammunition, firearms, or certain firearm parts or accessories, or (k) certain weapons or knives regulated under applicable law.

        Emphases are mine.
        These "may subje
    • by AmiMoJo ( 196126 )

      If you can't close your account, you can at least remove all your cards and bank accounts from it. Change your address to a fake one, ditto your phone number.

      • I bailed years ago. I changed my address to a fake one in Hollywood and my phone to that legendary 555-1212.
      • you can at least remove all your cards and bank accounts from it. Change your address to a fake one, ditto your phone number.

        Yeah already did that, my concern is how permanent is that delete really. I don't trust PayPal not to dig up older database records (though I admit that is kind of far-fetched, but I also would have said PayPal charging money for thought crimes was far-fetched as well and here we are).

  • Not exactly... (Score:4, Insightful)

    by ArmoredDragon ( 3450605 ) on Tuesday October 25, 2022 @05:12PM (#62997771)

    There's no way to retrieve the cryptographic secrets stored in the authenticators short of physically dismantling the device or subjecting it to a jailbreak or rooting attack.

    For iOS, apple forces you to also store them on iCloud, which we all know never gets hacked because apple is perfect, and they also can't be provisioned as non-exportable, meaning they can be shared over airdrop. Apple had the courage to weaken the security model.

    • So don't use Apple.

    • by tragedy ( 27079 )

      There's no way to retrieve the cryptographic secrets stored in the authenticators short of physically dismantling the device or subjecting it to a jailbreak or rooting attack.

      For iOS, apple forces you to also store them on iCloud, which we all know never gets hacked because apple is perfect, and they also can't be provisioned as non-exportable, meaning they can be shared over airdrop. Apple had the courage to weaken the security model.

      Yeah, that one kind of got to me. There should be no way of getting the cryptographic secrets short of disassembling the device (for a value of "disassembling" that includes the use of a scanning electron microscope). Jailbreaking or rooting should, at best, possibly allow a man in the middle attack, but there should be absolutely no possible software method whatsoever of getting the keys themselves off the device. They should be write once, read never.

      • by MrNaz ( 730548 )

        Surely you meant write once, read only under very specific circumstances. I only say this because write once/read never technology has been around for quite a while. Even my 2 year old showed mastery over it when he found a bunch of important post it notes on my desk.

        • by tragedy ( 27079 )

          Nope, I meant write once, read never. To be clear, I don't mean that it would never be read, I mean that it would never be read from outside the hardware. In other words, all of the logic required for cryptography is performed in microcode on a small sub-processor inside a chip on the storage device. So, the key is stored and it is read, but only by an internal component. There would be no way to externally access the memory containing the keys. So, the only way to read it would be to remove the chip (which

  • Not private. (Score:4, Insightful)

    by rtkluttz ( 244325 ) on Tuesday October 25, 2022 @05:14PM (#62997781) Homepage

    These are being pushed because they provide a way for these companies to uniquely identify you and they assume that you trust the company with who you are authenticating against. Any smart person does NOT automatically trust any company they create an account with and it should always remain possible to use a company's free services in a way that does not uniquely identify you. Passwords CAN be less secure but they also allow you to be in control of how, who and where your account is accessed from. If I choose to give my wife access to my account I can do it. If I choose to create a shared account, I can do it. I will be in control of my own security and privacy, thank you. Take your biometrics and passkeys and gtfo. It should be an OPTION, not a requirement.

    • Bingo "companies to uniquely identify you" and government
    • Re:Not private. (Score:5, Insightful)

      by MachineShedFred ( 621896 ) on Tuesday October 25, 2022 @05:23PM (#62997809) Journal

      They are already uniquely identifying you based on insistence of using weak shit SMS MFA. If they can send you an SMS with a 6-digit code in it, then they have your phone number and can look up subscriber info.

      Don't you think it's odd that a lot of these companies don't implement the free-as-in-beer AND free-as-in-speech TOTP MFA that is far more secure and reliable than SMS?

      • Re:Not private. (Score:4, Insightful)

        by rtkluttz ( 244325 ) on Tuesday October 25, 2022 @05:53PM (#62997879) Homepage

        I never said that I use SMS. I try very hard not to for exactly that reason. I use passwords and passwords only unless there is no tie to a unique real world identity. I don't mind a company knowing that I am a unique individual as long as it cannot be tied to a real world identity of me.

        • My point is that a lot of services don't give you a choice. It's SMS or you don't log in. And the worst offenders are exactly who you would like it not to be: banks and health care / insurance.

          • by tepples ( 727027 )

            What do banks and health insurers do for customers who do not subscribe to mobile phone service?

    • Re:Not private. (Score:5, Informative)

      by AmiMoJo ( 196126 ) on Wednesday October 26, 2022 @04:55AM (#62998909) Homepage Journal

      Passkeys use Webauthn cryptographic keys, which cannot be used to track a user between websites. The key that the website gets is unique and there is no known correlation attack. If such an attack was found it would immediately be a huge problem not just for Passkeys/Webauthn, but for a lot of other similar crypto systems that we rely on daily.

      Even if you don't trust these companies, Passkeys are a good thing because you can use something like a Yubikey with sites that support it. There are even open source security keys that you can build yourself and validate the firmware of, in case you think there is a secret modem built into them or something.

      • by jsonn ( 792303 )
        You can use resident keys that are discoverable, but that also requires consent from the user. That's not the normal use case.
    • by ras ( 84108 )

      These are being pushed because they provide a way for these companies to uniquely identify you

      No, they are not being pushed for that reason. In fact that's so wrong it borders on a conspiracy theory.

      They uniquely identify you by making you create an account and forcing you to log on before every interaction with them. It doesn't matter if you used passwords or FIDO2 to identify yourself - the horse had already bolted when you entered your unique user name, or email address, or whatever. The password or F

  • because someone is sure to ask...
  • I understand the deficiencies of simple passwords, or even SMS vulnerabilities. I understand 2FA will not be able to save you from a man-in-the-middle attack. And I understand some basics of this authentication process: how this would prevent a man-in-the-middle attack by sending out the hash of the domain requesting the credentials, so a man in the middle will not be able to use it.

    But what I worry about the security of the device where this authenticator is running. Something like the user has inadvertently installed a trojan

  • Biometrics - ugh (Score:5, Insightful)

    by fahrbot-bot ( 874524 ) on Tuesday October 25, 2022 @05:31PM (#62997825)

    passkeys are invisible and integrate with Face ID, Windows Hello, or other biometric readers offered by device makers. ... or -- in the absence of biometric capabilities -- the PIN that's associated with the token.

    And, hopefully, users can rely on only a PIN if they *choose* to not use biometrics, as the latter can be legally compelled under the 4th and 5th Amendments: Compelled Biometric Access Legal Under 4th, 5th Amendments [bloomberglaw.com] (in the US).

    • ...so they have to coerce or torture the PIN out of you instead?
      • by tragedy ( 27079 )

        ...so they have to coerce or torture the PIN out of you instead?

        That's where some sort of second "panic" PIN could come in handy. If you use it, it looks like everything authenticates properly, but a flag has gone up on the transactions and the police are brought in. Not a perfect system, but it could help.

        • by _merlin ( 160982 )

          Yeah, that's great, until the police are the ones trying to torture the PIN out of you. Calling the police when you use the duress PIN will tip them off to it.

        • by AmiMoJo ( 196126 )

          Android supports that. There is an open source app called Wasted, that is actually a little ecosystem of apps that provide various functionality. One of the possible functions is a duress PIN that factory resets the device. On any device that uses encrypted storage (Google and Samsung devices do, probably many others) the data is not recoverable after a factory reset as the key is destroyed and regenerated.

          • by tragedy ( 27079 )

            I was thinking of something along those lines. Although I was thinking more for bank account access, etc. and not necessarily locking things out/deleting keys but rather allowing dummy banking sessions where, for example, thieves might see the transaction supposedly happen in the GUI for your account, but actually no money is moved and the police are alerted. This, of course, would require a lot of cooperation between banks on implementing a protocol for this. Honestly I don't think a lot of financial insti

      • by ebyrob ( 165903 )

        "cold, dead hands" I think they call it...

    • by alw53 ( 702722 )
      Be sure and change your retinas frequently.
    • ... not for your full disk encryption "you won't get my password even if you torture me" types.

      Way, way, way, way before you get to any discussion about how they can compel you to use your face or fingerprint or whatnot to unlock your device they'd have all your data from all the services mentioned (Microsoft, Apple, Google, Kayak, eBay, Best Buy, CardPointers, WordPress, Paypal... really anything), with just a few clicks and possibly without you even knowing for a long time.

      • Ya, I agree. And if they don't get your client info directly from the service, they'll just get your passkey info from the cloud service storing/exchanging them by using a warrant or via the backdoors that probably exists -- depending on who's doing the getting ...

  • get one in my right hand or my forehead?
  • Because there will be some. There is no way such a scheme could really be impervious.

    Here is my prediction, assuming people actually start using this (if nobody cares, it will take longer):
    1. First lab-breaks shown at some security conference: 2023
    2. First breaks by attackers: 2024
    3. Turns out to be worse than good passwords or 2FA: 2026-2028

    • Not long if you attack the four digit PIN.
    • by jsonn ( 792303 ) on Tuesday October 25, 2022 @08:54PM (#62998271)
      FIDO tokens have been around for a while and the security model is the best against phishing attacks so far. There have been the occasional bugs in the embedded firmware of course, but overall, it's fairly mature technology at this point.
      • by gweihir ( 88907 )

        You are a) underestimating the inventiveness of the attackers and b) FIDO tokens are a niche tech. Or at least they were, so attackers did not invest effort. Also, phishing is not the only possible attack technique. In the end, it only matters whether people will get successfully attacked or not.

        • by jsonn ( 792303 ) on Wednesday October 26, 2022 @09:02AM (#62999273)
          It's not a niche technology just because you haven't heard about it before today. Google has been rolling out FIDO tokens for its employees since 2017. The number of security incidents due to account takeover by 3rd parties since then has been reported to be zero. It's not perfect, of course, because the keys can still be physically stolen, but it solves by far the biggest security issue for any internet service. So saying there wasn't a valuable enough target so far is just ignoring how many big players have already deployed this and that it is especially used for high-value targets.
  • "By enabling the private key to be securely synced across an OS cloud..." unless it is a zero-knowledge scheme, this isn't going to be a private key after you sync it all over servers you don't own.
  • Comment removed based on user account deletion
  • "By enabling the private key to be securely synced across an OS cloud, the user needs to only enroll once for a service, and then is essentially pre-enrolled for that service on all of their other devices."

    I might be willing to get a dedicated PayPal key ... maybe, but there is no way that key will be used for anything else!

    • by jsonn ( 792303 ) on Wednesday October 26, 2022 @09:11AM (#62999303)
      There is no need to get a different FIDO token for different services. The token takes the domain name of the website and combines it with a secret to derive a domain-specific private key. This technique is similar to how you don't store a raw user password, but preprocess it to make it harder to brute force. You can safely use the same token across different services, and they will all see a different key. It is common to have two tokens, one you always have with you, and another one in your safe as backup, but that's about it.
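Both the Ars summary at the top of the page (a key that only answers after a PIN or biometric, and a signature a phishing site cannot reuse) and jsonn's point just above about one token deriving a different key per domain are easier to see in code. The Go program below is an added example written for this page, not the FIDO Alliance's, Hanko's or any vendor's implementation. It models a token, the clientDataJSON a browser assembles, and the relying party's verification. The HMAC-based per-rpID derivation, the names `Authenticator`, `RelyingParty`, `paypal.example` and `paypa1.example`, and the unused signature counter are all assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// Authenticator models one FIDO token: one device secret, one derived P-256 key per
// relying-party ID. The HMAC derivation is an ASSUMPTION; real tokens use their own schemes.
type Authenticator struct{ seed []byte; pin string }

func NewAuthenticator(pin string) *Authenticator {
	seed := make([]byte, 32)
	if _, err := rand.Read(seed); err != nil { panic(err) }
	return &Authenticator{seed, pin}
}

// keyFor derives the key bound to rpID; another rpID yields an unrelated key, so one
// token does not give two sites anything they could correlate.
func (a *Authenticator) keyFor(rpID string) *ecdsa.PrivateKey {
	curve := elliptic.P256()
	mac := hmac.New(sha256.New, a.seed)
	mac.Write([]byte(rpID))
	d := new(big.Int).Mod(new(big.Int).SetBytes(mac.Sum(nil)), curve.Params().N)
	if d.Sign() == 0 { d.SetInt64(1) } // zero is not a valid scalar; practically unreachable
	x, y := curve.ScalarBaseMult(d.FillBytes(make([]byte, 32)))
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve, X: x, Y: y}, D: d}
}

// ClientData is built by the browser, not the page: Origin is the site the user is really on.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion: authenticatorData (rpIdHash || flags || counter), clientDataJSON, ECDSA signature.
type Assertion struct{ AuthData, ClientData, Signature []byte }

// signedDigest is what WebAuthn actually signs: authData || SHA-256(clientDataJSON).
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Assert requires the PIN (user verification) and signs with the key for rpID.
func (a *Authenticator) Assert(rpID, pin string, cd ClientData) (*Assertion, error) {
	if pin != a.pin { return nil, errors.New("user verification failed") }
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x05, 0, 0, 0, 0) // flags UP|UV; counter left at 0 here
	cdJSON, _ := json.Marshal(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, a.keyFor(rpID), signedDigest(authData, cdJSON))
	if err != nil { return nil, err }
	return &Assertion{authData, cdJSON, sig}, nil
}

// RelyingParty is the server: its own ID and origin plus the public key enrolled for the user.
type RelyingParty struct{ ID, Origin string; PubKey *ecdsa.PublicKey }

// Enroll stores the token's public key (real registration also requires UV).
func (rp *RelyingParty) Enroll(a *Authenticator) { rp.PubKey = &a.keyFor(rp.ID).PublicKey }

// Verify does the server-side checks that make passkeys phishing-resistant.
func (rp *RelyingParty) Verify(challenge string, as *Assertion) error {
	var cd ClientData // malformed clientDataJSON leaves cd empty and fails the first case
	json.Unmarshal(as.ClientData, &cd)
	rpHash := sha256.Sum256([]byte(rp.ID))
	switch {
	case cd.Type != "webauthn.get" || cd.Challenge != challenge:
		return errors.New("challenge mismatch (stale, replayed or malformed)")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin %q is not %q: user was on another site", cd.Origin, rp.Origin)
	case len(as.AuthData) < 37 || !hmac.Equal(as.AuthData[:32], rpHash[:]):
		return errors.New("rpIdHash mismatch: key was bound to another rpID")
	case as.AuthData[32]&0x01 == 0:
		return errors.New("user presence not asserted")
	case !ecdsa.VerifyASN1(rp.PubKey, signedDigest(as.AuthData, as.ClientData), as.Signature):
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth := NewAuthenticator("1234")
	rp := &RelyingParty{ID: "paypal.example", Origin: "https://paypal.example"}
	rp.Enroll(auth)
	ok, _ := auth.Assert(rp.ID, "1234", ClientData{"webauthn.get", "c1", rp.Origin})
	fmt.Println("genuine:", rp.Verify("c1", ok))
	// A look-alike site relays the real challenge, but the browser binds the request to
	// the look-alike's rpID and origin, so the genuine server rejects the assertion.
	ph, _ := auth.Assert("paypa1.example", "1234", ClientData{"webauthn.get", "c2", "https://paypa1.example"})
	fmt.Println("phished:", rp.Verify("c2", ph))
}
```

The phishing case fails twice over. The origin check fires first because the browser, not the page, wrote `https://paypa1.example` into clientDataJSON. Even if a malicious client forged that field, the token signed with the key derived for `paypa1.example`, so the rpIdHash and signature checks against the key enrolled for `paypal.example` fail anyway. That second layer is also what a malicious proxy relaying the real site's challenge runs into. A production verifier additionally tracks the signature counter and validates the attestation at registration, both left out here.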
  • Been using it on a few sites. Can't wait for widespread adoption. Login brute-force attacks and forgotten passwords will become relics of the past.
  • I tried out the demo site referenced at the end of TFA, putting in an email address I use. Coincidentally and curiously, I received a phishing attempt to that same email address within one minute. Coincidence? I don't know, but it's highly suspicious.
  • Our original email address has been used since the days of CompuServe and I've been told that this address is all over the Dark Web. I guess that explains all the titillating and spurious emails we've been getting!!
