A survey for all users of the password manager #KeePassXC :
How many #Passkeys do you have already in your vault(s)?

Tagging #nextcloud as well as many users have their vault in their private cloud.

Please retoot.

Zero: 53.8%
1 - 5: 16%
5 - 20: 7.7%
> 20: 22.5%
Poll ended at .
@rakekniven 0, and I didn't know it supported passkeys. I'm always a bit torn when it comes to putting passkeys (or OTPs) in the same vault as the passwords themselves. Feels wrong.

@kevin @rakekniven even KeepassDX supports it on Android.

Well, the passkey is just another way to access the account. Usually, when you have the password, you can create passkeys anyway. Especially on Android, I have the impression that it works more smoothly than the autofill feature.
So you are less likely to copy-paste the password, bypassing the domain/app check.

@kevin For me, a password or passkey is comparable, so the same vault is fine for that. For OTP, you can do things differently, such as using a second vault, hardware token, or mobile app.
@rakekniven in some cases they are comparable, but it depends on the implementation of the service you’re signing into. Some apps require user+password AND passkey as second factor for login, then the passkey shouldn’t be in the same vault (like 2FA codes).

If the app uses passkeys instead of user+password there’s no harm in having it in the same vault in my opinion.
@rakekniven @kevin To me this falls apart when I use my password manager on my phone. Having one database for passwords and one for 2FA on the same device is not more secure than a single database for both.
@kevin @rakekniven I also didn't know, even after almost 7 years of using KeepassXC. When I encounter passkeys (very rarely, because they are mainly on sites I don't use), I just set these up on YubiKeys. Especially when some sites conflate it with U2F (I still don't know if they do it purposely).
@madargon I love passkeys as they protect me from phishing.

@rakekniven Zero, and also important to note that I do not plan on adopting passkeys. Their implementations are of wildly varying quality and widely varying security. They also tie authentication too strongly to devices that can be lost, hacked or coerced to be unlocked, make assumptions about what every kind of user has access to do, and obscure authentication mechanisms behind more opaque user experiences (this one, truthfully, will be less important if they're widely adopted, common and familiar to the general public, which makes a further assumption about how well that will go or how long that will take).

I also have a minor, semi-serious hunch that passkeys primarily exist so that organizations can offload responsibility when password breaches happen since they won't store private material, only public keys for accounts - which is valuable in its own right for groups interested in surveillance and invasion of privacy. If implemented poorly (reusing keys or using derivative keys in an insecure way), it also allows for mapping a user's accounts across many services (something that hacking groups might not have the full capability of but are just one sealed warrant away for governments...)

@rakekniven I use a hardware token - far more secure than a software passkey.
@rakekniven I configured a passkey in Nextcloud, the passkey stored in KeepassXC. But:
- I cannot deactivate the login with password. Password authentication is configured with 2FA. This is a must-have (my opinion). The result: I login with passkey and have to complete the login with TOTP.
#Nextcloud #Passkey #Passkeys #keepassxC

@rakekniven The benefits of passkeys are
- convenience: Not when TOTP is required additionally.
- security: Not when password login cannot be disabled.
- phishing resistance: This is the only benefit remaining.

Disadvantages:
- full security benefit only with hardware token: complex management

I thought about securing my password database with a hardware token and keeping my accounts on password/TOTP (where possible). On Android I would have to change to KeepassDX.
#Passkey #KeepassXC

@rakekniven Passkeys: only a few, for share links. Passwords: many.
@rakekniven
I don't use passkeys, far too inconsistent in implementation; lots of passwords, and Aegis is brimming with TOTP entries.
@rakekniven How do I search my Bitwarden vault for passkeys?