I vibe with this. Does anyone have any examples of where and how any vendor’s dialogs around passkeys might lead people astray? The more feedback, the better.
https://infosec.exchange/@adamshostack/113743707996398149
Adam Shostack (@[email protected]):

@[email protected] I think the biggest thing is to (a) ensure dialogs are clear about what software is presenting them (b) where it plans to store the key and (c) letting people configure what their preference is for passkey management. Err, “things are”
@rmondello Personally for me the biggest issue I have is I want passkeys in iOS and passwords in 1Password (can’t migrate yet), and 1P has this tiny little USB security key icon, and then macOS suggests password related things. This experience was better a couple years ago before 1P did passkeys and before the Passwords app :/

@g The article we’re discussing was trying to make an argument around “normal” people, I think. People who don’t use Mastodon.

That said, let’s talk about you personally, because you were kind enough to share with me, and I appreciate that!

Can you tell me more about why do you want passkeys in Apple Passwords and passwords in 1Password, instead of using one provider (even if it’s 1Password, which is great software!)?

@rmondello I don’t want to ADD more in 1Password like new passkeys, I want them platform level, but I can’t move my 1P usage out completely yet and don’t want to fragment where I have passwords.

But 1P starting to do passkeys and hijacking security keys has caused me issues at work where people tried to 2FA with Yubikeys and could not figure out how to not have 1P hijack the dialog because the freaking USB stick icon is minuscule :/

@g I think it’s been a profound mistake on 1Password’s part that 1Password on desktop intentionally ignores the platform-native way to plug passkey data into web browsers and instead implements passkeys by hijacking the web API via their browser extension. (On iOS, however, they properly integrate as a data source.)
@rmondello For “normals” I’ve seen confusion with local Chrome passkeys too etc. Overall I think people are just concerned they don’t understand things will be reliable long term as opposed to a password they can store on paper or in their heads. But 1P… I’ve disabled its passkey support completely in many orgs cause WTF

@rmondello Pre-Electron 1Password team would’ve done it right.
@rmondello @g agree. It’s a really bad UX
@g The good news is that everyone involved here is working in good faith and cares a lot about their users. The great news is that there’s still time to make the software work better.
@rmondello To be completely honest I think the issue is *we* would like the transition to happen in 2 years, but considering tons of websites still block special characters, long passwords and force expiration, this is likely something that takes deep root over a 10 year period.
@rmondello @g 💯 I’ve disabled the Safari extension on iOS and I don’t feel like I’m really missing anything. In fact the overall experience seems better to me. Wish I could do the same on the Mac.
@rmondello
I am not a Safari user so I’m not sure about there, but unless I’m mistaken their passkey support predated the macOS APIs to do that properly in other browsers? Is there an example of another third party password manager supporting it the proper way? I’d love to see the difference.
Strongbox - Password Manager (App Store)

Strongbox is an application for keeping all your passwords safely stored and protected by one master password. Supporting the open source Password Safe and KeePass formats. *** Features *** - Touch ID & Apple Watch Unlock for the ultimate in convenience, security and speed. - Passkey support - Th…
@rmondello @g The inability to use passkeys from 1Password in Safari when Lockdown Mode is enabled is very annoying. (I assume this is also a consequence of their hacky implementation.)
@rmondello everything about the 1Password 8 UI is a mistake. All I can think is that they've totally lost sight of their users. I wish there was better competition (Strongbox seems nice on Apple platforms but has no useful way to share vaults with other users; Apple Passwords is closer this year but still missing a lot of key features)

@rmondello What search terms or documentation shows how to use the native methods with Chrome or Safari? I'm crazy and want to make my own passkey provider on a weekend.

This prototype pollution has bothered me greatly the last two years and I'd love for this specific prototype to be read only. In my eyes it makes the PRF extension dangerous to build upon.

ASCredentialProviderViewController | Apple Developer Documentation

A view controller that a password manager app uses to extend AutoFill.
@rmondello @g
Have you checked how other tools like BitWarden handle this?

@rmondello @ruuda is one of the most intelligent and technically inclined friends I have and he got stuck on how to use a YubiKey on Android because he didn't understand the Google Password Manager prompt when doing passkey login and that he had to click the "Use a different device" button.

If he can't figure it out we're doomed.

@arianvp @ruuda Good anecdote. Thank you for this!

@rmondello @ruuda password managers hijacking navigator.credentials.get is personally what completely trips me off. Having to click through a bunch of inconsistent dialogs -- first Bitwarden dismiss that I don't want to use it, then 2 clicks in iCloud passkey manager, just to use my security key, is not good UX.

Seems none of the password managers integrate with the native passkey APIs so they do this hijack thing. When I asked 1Password about it they said they couldn't because they support a too wide range of macOS versions.

@rmondello @ruuda like. I know Apple has all the hooks to make the password managers feel just as native as iCloud. But seems nobody is using it. :(
@rmondello @ruuda I wonder if a WebExtensions API as opposed to a native API would lead to better integration for password managers. As they get nice integration on all platforms instead of having to do native integration for each.

@arianvp @ruuda Now that a few years have gone by, it feels like a hybrid strategy is in order: use the native integration on platforms that have it, and do the API hijacking only when absolutely necessary.

It seems like we have evidence at this point that bypassing the platform leads to user confusion.

@rmondello @ruuda it would be pretty neat if Apple could publish a small toy example of a password manager hooking into the passkey flow. The docs were not that easy to digest in my opinion. I think it could help with adoption if some best practice examples are readily available.

@rmondello Safari always offers to use a Passkey in the username/password field of Apple’s own websites (e.g. App Store Connect), but the website complains about the username or pw being blank. Every step of the way I have to dismiss the passkey offer and even manually click the submit button instead of pressing Enter, or it will revert to the passkey.

It shouldn’t be insisting on submitting the form with a passkey & leaving the username/pw fields blank if the website requires them to be filled.

@dale_price Hi Dale! Would you mind filing a bug about this at feedbackassistant.apple.com with a video attached? If you send me the feedback ID, I can make sure the right apple.com people look at this.
@rmondello apart from that issue, I (even as a developer myself, can’t imagine what it’s like for the less technical) usually get thrown off by mismatched terminology between the website and browser UI. I’ve seen sites ask for a “security key”, “device biometrics”, “platform authenticator”, and even terms like Face ID or Touch ID. Then Safari’s UI comes up and uses the word “passkey” seemingly out of the blue.

@rmondello @adamshostack I think getting prompted for a passkey when using 1Password, declining to add one, and then Chrome or Apple jump in that maybe you'll save it with them. Like this https://mastodon.social/@ridogi/112967019327128836

My experience as an IT consultant is people try to avoid passkeys (they get prompted at login and choose set up later), or they have created passkeys but don't understand how they created them, where they are stored, or how to use them.

Ricky Mondello (@[email protected]), quoted: “I think it’s been a profound mistake on 1Password’s part that 1Password on desktop intentionally ignores the platform-native way to plug passkey data into web browsers and instead implements passkeys by hijacking the web API via their browser extension. (On iOS, however, they properly integrate as a data source.)”
@rmondello @ridogi @adamshostack oh my gosh I have been begging and annoying 1Password on various socials and their community site to use the native macOS autofill API (what, 2-3 years that API has been around?). It is maddening 🤯 and frustrating. My wife has accidentally saved passwords in 2 places. Not her fault, cause she uses the native autofill on iOS for 1Password. Why the heck is it not on macOS?! …argh, rant over
@rmondello
Not necessarily the same thing but I have hit several sites that allow you to register exactly one passkey, which is annoying.
@rmondello That's not just a passkey problem. Every time my mother calls me to ask about "that strange question" which just popped up on her phone or computer, I first ask which app is showing this. Generally, she has no idea about this, though. And that is true even for dialogs where it's obvious to me, but there are some where even I am stumped.
I think every OS needs a generic solution that makes it absolutely obvious what app prompted a specific question/decision to the user.
Re: "it’s a problem that websites that have adopted passkeys aren’t using them to replace passwords and one-time codes."

I'm not sure that's a problem or at least, it isn't a critical one IMHO; robust systems have fall back modes. I personally am against key escrow (as implemented by for example BitLocker) but I and most other sysadmin sorts would be lost without single user mode on most UNIX like systems and similar tools for Windows for when our users completely screw the pooch. Before Alex Stamos was Facebook's CSO, I was the person he called to help him restore access to some accounts, and if I didn't have some tricks up my sleeves, I probably wouldn't have had a job with him afterwards. Some of those tricks are necessary.

For me I think a much bigger problem is when HUGE NAMES (e.g. Micro$oft owned GitHub) uses incorrect terminology that I must enable 2FA (Two Factor Authentication) when I am already using at least 4 factors (more often at least 5) and they have even more factors of authentication to choose from, including passkeys.

At a minimum they should be correcting their terminology to be MFA (Multi Factor Authentication), but adding more factors when I am already at a level of having factor fatigue is not a security win, it's security theater.

Moreover, since I was previously IT Admin for iSEC Partners (the aforementioned employer where Alex Stamos and I worked together), I want to scream at the morons who drafted that GitHub email.

Instead, I toned down some of my language (instead of calling a spade a spade with the "morons" terminology) and filed a bug:

https://github.com/orgs/community/discussions/147069

It's been two weeks without a response.

So the Ars article harping on passkeys and confusion is the least of my worries, personally.

I'm old enough to remember when "two factor authentication" was called "paranoid mode" and I've implemented client certificate authentication at past employers.

And y'know what?

I'm beyond burnt out at trying to get folks to adopt a stronger security stance and when people getting paid more than I have are misusing terminology and mandating "changes" when I'm already using many factors of authentication, I mostly wonder:

For whom do they think they are meaningfully improving security? It isn't me, particularly since I am already using more than 2FA and they are vague about what additional authentication factors must be enabled before their January 2025 date.

It just makes me wish that everyone would migrate their code out of GitHub already!

I don't care about the passkey issue.

I know you do because you worked on some implementations of such things, but you may be too close to the fire to see how others who sympathize with wanting people to not get hurt, are being burnt by even bigger morons fanning the wrong flames in our field.

That's me not dumbing things down for you, even if it's still full of colloquialisms, I already know, painfully well, that to most users on Earth, we look as if we're constantly advocating for "paranoid mode" unnecessarily in their eyes and they're happy with "hunter2" as their passphrase.

I'm not convinced that passkeys, or any of their other ill-defined "2FA" measures are making me or any of GitHub's users more secure.

I am absolutely convinced GitHub are providing too many choices for anyone to be able to evaluate rationally, including their own staff.

After all, GitHub were the ones who already leaked their private SSH keys:

https://github.blog/news-insights/company-news/we-updated-our-rsa-ssh-host-key/?ref=blog.gitguardian.com

Not me.

So, from my perspective, GitHub are the overpaid amateurs and I am sick to death of them.

But hey they do offer passkeys!

Most other organizations offering passkeys, also offer a plethora of other authentication factors as well.

"Secure by default" wasn't originally OpenBSD's motto, that was inherited from Secure Networks (many of whom at some point were early OpenBSD developers) and Micro$oft even aped that motto for a while, but Micro$oft may talk the talk but they have never walked the walk and the same is true of GitHub and many others offering passkeys presently.
You misuse the phrase 2FA (Two Factor Authentication) when you really mean MFA (Multi Factor Authentication) · community · Discussion #147069 (GitHub)

@rmondello I think we need something like arewepasskeyyet.org :'D
There are various papercuts yet, which is why I can seldom use passkeys, even if I'd like to:

# Per OS

macOS and iOS are quite neat here, both providing not only integrated passkey management but also an API for 3rd party managers to hook into, similar situation on Android. Windows I don't use but is AFAIK getting there. Linux currently provides none but this is in active development. This means however, that at least for Linux I need to use the built-in passkey manager or a browser extension, which is kinda meh.

# Per Browser

Which leads us to browsers which have probably the best support (but also least to do). Chrome/Firefox can both use the system's API (if it exists), Chrome can also natively store passkeys.

1/x

@rmondello

# Per-Password Manager

This is already getting a lot worse. We don't have passkey transfer (yet), so people are hesitant to look into something or switch to a different keychain provider even if it supports better integration (e.g., Apple Passwords). And many password managers (1Password, Bitwarden) don't use the system's APIs even if they exist (e.g., on macOS), so you still fall back to browser extensions. This has its own issues, e.g., NMH to unlock both at the same time etc., but also conflicts if you use multiple (if you are part of different organizations): with Bitwarden and Dashlane installed on Chrome on macOS I cannot store any passkeys on Bitwarden anymore.

In addition, the better integrated password managers (Chrome/Android/Google and Apple) don't have enough platform coverage; you obviously cannot use Chrome passwords on Firefox, nor can you use Apple passwords there, nor on Linux.

2/3

@rmondello

# Per Site

This is the worst honestly. Many sites require TOTP even when using Passkeys. Or use them as 2FA after a password. Or ask you to plug in a hardware security key. Also the UX here is often unpolished or very restrictive. Ideally, the UX should convey that Passkeys are a replacement for password+TOTP. But also you should, IMHO, be able to use physical security keys as 2F *even* if using Passkeys if you wish to do so (I'd like to do that for some highly critical stuff such as my password manager).

@rmondello @adamshostack Atlassian 2FA options include “2FA security keys, which can be hardware or software.” Setting up a “software 2FA security key” creates a passkey, but the word “passkey” is completely absent from the whole process and docs, the passkey is used as a second factor after you fill username and password (shitbags), and their tech support people will tell you they don’t support passkeys and will argue that software security keys are a different thing.