@neuron @xssfox So, the basic idea is that your phone (or other mobile device) is your authentication method: Unlocking your phone during the login process logs you into whatever you're trying to use. But there's no direct interaction between devices, so it's more like simultaneously logging in from two separate devices in parallel, which means it requires the infrastructure and data access of a monopolistic megaplatform to work as securely as advertised in the first place. And when it works as advertised, it's really easy! But, just a sampler of the ways this can go wrong in practice, for normal people who aren't wealthy tech bros living specifically in major West Coast cities:
- You lost/broke your phone or someone stole it and you don't have a second phone sitting around, but you need to be able to log in to stuff to replace it.
- You lost/broke your phone or someone stole it and you can't afford to replace it immediately.
- You lost/broke your phone or someone stole it and you can't turn on cloud backups because the platform says it's not available in your country.
- Someone stole your phone and you *do* replace it, but your old phone is still out there and the thief did a sloppy job wiping it for resale, and the buyer uses it to set up their own passkey somewhere, and the platform flags this as suspicious and locks out *both of you*.
- The above scenario, but also the platform doesn't officially offer customer support in your country or language.
- You can't afford to buy a new phone every year or two and the platform arbitrarily decides your phone is too old to log you into stuff anymore.
- You *can* afford to buy a new phone every year or two, but only because the phones available to you are either used models, or the unsold leftovers from wealthier countries, so by the time you buy a new phone, it's considered "obsolete" by people on another continent who make a quarter million dollars a year.
- You're trying to log in to something from a computer but your phone doesn't have internet access.
- You're trying to log in to your computer but it doesn't have internet access, so unlocking your phone is useless (seen this happen with MacBooks).
- The platform's geolocation data is inaccurate in your country and they think your phone and computer are arbitrarily too far apart even though you're literally holding them both.
- The platform decides they don't allow passkeys from your country but they forgot to tell you this until after you already set it up.
These are just the ones I *remember*. And this doesn't even factor in the basic concept of human mortality - I've been dealing with the mess passkeys cause in *that* scenario for *months*.
In short, my criteria for recommending passkeys are as follows:
- Do you live within 50 miles of San Francisco, CA or Seattle, WA and plan to stay there forever?
- Do you comfortably own at least two personal mobile devices and plan to continue to do so indefinitely?
- Does your annual salary have at least six digits?
- Do you trust at least one monopolistic megaplatform (Apple, Google, or Microsoft) to be a permanent, inescapable middleman in every attempt to log in to things forever, and to indefinitely support the brand-new standard they championed?
- Do you plan to die alone and unloved with no surviving friends, family, or creative/business partners who might need access to something you locked behind a passkey?
If the answer to all of the above is "yes", then passkeys are for you!
I have one financial account that requires passkeys (FSA, company chosen by $WORK). I put the passkey on a YubiKey, which lets me log in from my work and non-work laptops. But Firefox on Android doesn't work.
I really distrust that FSA company's security judgment. (Not just for this reason)
@lupinia @neuron @xssfox I was under the impression that it was only possible with a big corpo as such, and avoided them, but then KeePassDX offered to store a passkey for me and the experience was not that much different from the regular autofilling of passwords.
The thing, however, is not really transparent, and I'm pretty sure I've also inadvertently created a passkey in Firefox on some computer, and at some point I will be searching for it, as I don't usually back up stuff from Firefox.
@qwazix @neuron @xssfox Yeah, the underpinning technology of the passkey *itself* is just another flavor of stuff we've already had for years, similar to smart cards and other hardware tokens. But that actually makes credential theft *easier* if it's the only authentication factor, which is why such auth methods have always included another factor, like a PIN. This is also why the idea of putting the token on a separate parallel device that doesn't directly interact with the one you're using (like pressing a single button on your phone to log in to something on your computer) is *hilariously* insecure without a whole lot of extremely robust infrastructure support to make that make sense.
So the big idea of capital-P Passkeys, as implemented by the big three megaplatforms, is that the ease of token/certificate theft with a system built on parallel login from an independent device is mitigated if they flex their pervasive surveillance power to monitor how you use your devices and control where and how your token can be stored.
Thus, there's kinda two different versions of passkeys in common use:
1. Standards-compliant implementations by third parties like KeePass and Firefox, which work more like conventional authentication token/certificate systems that already existed for decades, but also have the same limitations and vulnerabilities (plus some exciting new ones) while adding nothing of value over any of the other standards we already had for doing this.
2. The "works as advertised" implementations by the big three platform owners, which *are* legitimately a security improvement *when things are working smoothly*, at the cost of being an impossible nightmare without recourse when things aren't working smoothly, because the passkey standard makes a lot of compromises compared to smart cards, and any gains to make up for it are built entirely on the authority of "this is more secure because Google/Apple/Microsoft says so", backed by their surveillance infrastructure deciding that you are *you*.