
Facebook Now Supports Passkeys (lifehacker.com)

Facebook now supports passkeys for login, offering users a more secure, phishing-resistant alternative to passwords by using biometrics or a PIN stored on their device. The feature is rolling out to iOS and Android "soon," while Messenger will get the feature "in the coming months." Lifehacker reports: Meta seems pretty excited about the news -- and not just because the company happens to be a member of the FIDO Alliance, the organization that developed passkeys. Aside from logging into your Facebook account, Meta says you'll be able to use passkeys to autofill your payment info when buying things with Meta Pay. You'll also be able to use the same passkey between both Facebook and Messenger, and your passkey will act as a key to lock out your encrypted Messenger chats.

  • My Ideal Setup (Score:5, Informative)

    by organgtool ( 966989 ) on Wednesday June 18, 2025 @05:43PM (#65459529)
    My ideal setup is password + passkey for login to each service. I love the concept of passkeys because they're practically immune to all MITM attacks; however, I hate the idea that every service I use could be accessed if someone has my device and can bypass any of its auth mechanisms. By having separate passwords for each site and requiring passkeys for MFA, I can mitigate the damage caused by theft/tampering while protecting myself from MITM attacks.

    Yes, this is far beyond normal but if I want to be neurotic then just let me.
    • Re:My Ideal Setup (Score:4, Informative)

      by mysidia ( 191772 ) on Wednesday June 18, 2025 @05:57PM (#65459549)

      hate the idea that every service I use could be accessed if someone has my device

      Then use a PassKey authenticator that requires a PIN or biometric entry to use the key. For example a Passkey stored on a Yubikey with a strong PIN set. Or a Passkey stored on a TPM configured to require entry of the PIN each time the credential will be used. Many users would disable the separate PIN requirement, or choose a solution that does not require one for their own convenience purposes, but you don't have to. You can use the strongest possible implementation of Passkeys for your purposes.

      By having separate passwords for each site and requiring passkeys for MFA,

      Auth with a password sent to the server plus online MFA is weak authentication. You are better off authenticating with a Passkey stored on a cryptographic authenticator which confirms multiple auth factors locally on your device.

      Any fixed value you send to an online server such as a "password" is not bound to your auth session and can be stolen and used independently with other authentications. That is why it is better to have a cryptographic device in your physical possession that authenticates a Knowledge or Biometric factor from you before authorizing the response to a cryptographic challenge for authentication using the secret keys stored on that module.

      Statistically speaking: If your auth process involves sending a password to a remote server ("Online authentication"), then that password will eventually be stolen. That together with the unbound session is why you can say Online remote multi-factor authentication is still weak authentication.

  • by Anonymous Coward
    I have a TOTP authenticator and Yubikeys. I can understand these. I've read the WP article on Passkeys probably five times and still don't have a single clue about what these are or how they work.
    • by ewhac ( 5844 ) on Wednesday June 18, 2025 @06:33PM (#65459613)

      This is how I've come to understand it. I welcome any and all corrections.

      Passkeys are a cryptographic key stored in a Secure Element. This is usually a private key inside a small cryptographic engine. You feed it some plaintext along with the key ID, and it encrypts it using that key. The outer software then decrypts the ciphertext using the public key. If the decrypted text matches the original plaintext, then that proves you're holding a valid private key, and authentication proceeds.

      The private key can be written to and erased from the Secure Element, but never read back out. All it can do is perform operations using the secret key to prove that it is indeed holding the correct secret key.

      On phones, the Secure Element is in the hardware of your handset. On PCs, this is most often the TPM (Trusted Platform Module) chip. In both cases, the platform will ask for your PC's/phone's password/fingerprint/whatever before forwarding the request to the Secure Element.

      Yubikeys can also serve as a Secure Element for Passkeys; the private key is stored in the Yubikey itself. Further, the Yubikey's stored credentials may be further protected with a PIN, so even if someone steals your Yubikey, they'll still need to know the PIN before it will accept and perform authentication checks. You get eight tries with the PIN; after that, it bricks itself.

      The latest series 5 Yubikeys can store up to 100 Passkeys, and Passkeys may be individually deleted when no longer needed. Older series 5 Yubikeys can store only 25 Passkeys, and can only be deleted by erasing all of them.

      Theoretically, you can have multiple Passkeys for a given account (one for everyday access; others as emergency backups). Not all sites support creating these, however.

    • by Anonymous Coward

      You're familiar with the secret key in TOTPs which you import into authenticator apps....

      A passkey is a device that stores that secret in a hardware "secure enclave" (i.e. a 'trust me bro' TPM-style black box) and uses it to handle crypto-authentications as single-click interactions. It also tries to prevent everyone, including the owner, from accessing that secret directly.

      The upside is it's harder to phish authentications (whereas idiots could be talked into sharing TOTP codes). The downside is if you want t

    • Do you ever use SSH keys for authentication?

      Passkeys are SSH keys but for the web browser. Seriously, it's the same tech.
    • by jsonn ( 792303 )
      The most important part is missing. TOTP authenticators are not phishing-resistant. They don't ensure that the website asking for the code is the one the code is intended for. That's also why remarks like "TLS already can do mutual authentication" are completely missing the mark. If I connect to s1ashdot.org and get a valid HTTPS certificate, the user doesn't necessarily notice the difference. With FIDO tokens, the public key authentication is also bound to the domain.
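As an added example that is not part of the thread (or of any FIDO/WebAuthn library), a stripped-down WebAuthn assertion in Go showing the two points ewhac and jsonn make: the private key only ever signs a server-issued challenge, and the signature covers the RP ID plus the origin the browser actually connected to, so a relying party rejects a response produced on a lookalike such as s1ashdot.org. authenticatorData is reduced to its rpIdHash, and all type and function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// clientData mirrors the WebAuthn clientDataJSON fields that matter here; the
// browser, not the web page, fills in the origin it is actually connected to.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// ClientData builds a constructed clientDataJSON the way a browser would.
func ClientData(challenge, origin string) []byte {
	b, _ := json.Marshal(clientData{"webauthn.get", challenge, origin})
	return b
}

// Authenticator keeps the private key inside: it signs, never exports it.
type Authenticator struct{ priv *ecdsa.PrivateKey }
func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{k}, err
}
func (a *Authenticator) Public() *ecdsa.PublicKey { return &a.priv.PublicKey }

// digest: SHA-256(authenticatorData || SHA-256(clientDataJSON)), authenticatorData here being only rpIdHash.
func digest(rpID string, cd []byte) []byte {
	rpIDHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	d := sha256.Sum256(append(rpIDHash[:], cdHash[:]...))
	return d[:]
}
// Assert answers the server's challenge; nothing reusable leaves the device.
func (a *Authenticator) Assert(rpID string, cd []byte) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, digest(rpID, cd))
	return sig
}
// Verify is the relying party's check; clientData must carry this server's own challenge and origin.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, cd, sig []byte) bool {
	var c clientData
	if json.Unmarshal(cd, &c) != nil || c.Type != "webauthn.get" || c.Origin != origin || c.Challenge != challenge {
		return false
	}
	return ecdsa.VerifyASN1(pub, digest(rpID, cd), sig)
}
```

A real relying party additionally checks the authenticatorData flags (user presence/verification) and the signature counter, and looks the public key up by credential ID.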
  • by ebunga ( 95613 ) on Wednesday June 18, 2025 @06:39PM (#65459623)

    I guess they can be safe and secure while they view their AI-generated bacon jesus memes.

  • by CommunityMember ( 6662188 ) on Wednesday June 18, 2025 @11:52PM (#65460063)

    While there is the question of whether one *should* be using Facebook, it is long overdue for Facebook to allow passkeys if you choose to do so. Glad to see they got with the program.

    I am still waiting for my bank to support passkeys for those of us not at some level of extreme premium service (where they do support it).
