They’re closer to a cooperative.

?

Yea, I know. But my preference is for my password manager to not be cloud at all.

Eh, easier to just use the same password for everything.

I use 12345, personally.

Why are us nerds like this? No one asked, please dont.

That’s with hosting your own server. Unfortunately I only discovered this paywall after sending them $10 out of good will.

Of course it’s open source, so it’s certainly possible to break their DRM, and if it were something less sensitive I would.

I still might, but VaultWarden looks like a better alternative.

If you self host you need the $40 plan for two people. Seems kinda backwards, doesn’t it?

Yeah, they absolutely don’t make that clear or I wouldn’t have gone with Bitwarden.

On the contrary, companies making a profit by making things better for you as a concept is pretty close to extinct. See corporations realized they don’t have to make better products if they just box out the competition so that you no longer have a choice. Theres even a term for it now, because practically every company across every industry is doing it, enshittification. Charging more for inferior projects is the new goal.

A company that grows itself by making a better product is an objective rarity in the modern world.

No, no, no. A Witch must float like a duck.

“Don’t be evil” to whom? Shareholders? ;)

The next question is does anyone actually let you import passkeys? I don’t think there is ☹️

I have a few keys in Bitwarden but before I go adding more I am going to play with Proton Pass. A lot of users were understandably annoyed when Bitwarden released passkey support but in such a limited manner.

In fact history has shown the good die out or become corrupt. Still using them for now though.

Iirc you can export everything. Most allow export of passwords of course but i think proton allows export of passkeys too.

So there’s portability if they ever do disintegrate.

True, but this is valid for every company.
Let’s say that since the company is Swiss based and, AFAIK, not quoted maybe they are not driven by the “the next quarter is all that matters” mentality of many quoted (US) companies.
There is a smaller chance that they will do something stupid to monetize more just to be ok next quarter (while risking to lose everything the next one) and will be there as long as they provide a value to the customer for the paid price.

Right, now I remember reading about that, I forgot.

Passkey = Resident Key

Nonresident keys are not passkeys, they are solely a second form of authentication meaning the service you are logging into still requires a password.

Yes, you need a passkey per service, so you would quickly end up with your 25 slots full.

Ideally yes, they’re supposed to eventually replace all passwords. Of which I have hundreds. And yes not 100% of them will do that on the near future but a lot more than 25 will.

/aparté: being downvoted for trying to understand gives me reddit vibes well done

I have 150 passwords in my password manager. I’m not buying 7 YubiKeys (and to be fair that’s not what they’re designated for)

No, sharing passkeys across services is way too risky. One service gets compromised, someone gets your passkey, and then they have access to all of your services. It’s the same principle with regular passwords.

Having a key shared across sites wouldn’t be great. If it was great it would be an article talking about “passkey” not “passkeys” because you would just have one. Like some sort of Skeleton Passkey that unlocks all your shit when compromised.

You only need one per website if you want it to autofill the username, because resident keys held on the security token can be recognized and suggested automatically but otherwise you must first enter your username on the website and let the website send its challenge value for the corresponding domain and account pair so that your security token can respond correctly.

I’m actually not sold that I should be putting all my keys in a single password manager like Bitwarden.

Treating social media accounts as irrelevant is fine as long as none of your real life friends associate with you on the same platform. Once that’s the case, scammers can take over your platform and send messages to your friends telling them you’re stuck and need money or other sorts of things that sound ridiculous but work all the time.

Yeah my point is it does not protect the local device well. It does protect well from remote compromise though.

If I’m on my laptop, and the 2fa code shows on that same laptop, it defeats the purpose of it. The point is sortation of security privileges, ask this just adds more work while providing no less security to the device. It does protect you from remote compromise, though.

I bring my yubikey with me, it’s in my keychain. This is not only more secure against phone theft/access, which probably is not very relevant for most people, but it spreads the risk of locking yourself out.

For example, I was in Iceland with my girlfriend and she “lost” her phone. We wanted to locate it, so I logged to Google for her, which asked 2FA. If she used her phone, she would have been toast. Instead I made her use yubikeys too, and she just logged in and found her phone.

Obviously you can lose your hardware tokens too, but it’s generally less likely (you take out your home keys way less than your phone, for example). You can also backup your TOTP on multiple devices etc., of course.

For Apple, it’s your iCloud account that everything depends on, and it’s the weakest point. Not by itself maybe, but in practice there needs to be a way to reset your iCloud password, even without your phone. Currently I believe that’s just an Apple representative asking life questions, but that information is mostly publicly available. There needs to be a better way.

A physical 2fa device may be just what we need to securely rest our iCloud passwords, keeping everything else more secure

I’m not saying it’s good, I’m saying it’s easy. It is not hard for normal consumers to setup.

Go to site->change password->use whatever you want moving forward.

Passwords are not a great way to lock in users unless they’re are completely unmotivated to change services, in which case - iOS passkey or not - it’s all moot.

The way out of the circle that you’ve put yourself in is realizing Google isn’t the only company implementing passkeys.

Are we talking in circles here?

No. “I avoid passkeys because of Google” is avoiding an entire technology because of a bad implementation. “Passkeys implemented by Google have problems” is only avoiding passkeys implemented by Google, leaving using passkeys still on the table.

Asymmetric cryptography has been ubiquitous and generally standardized by the time Google began letting you store Passkeys, so what’s your point?

Is Google supporting a particular service or system a dealbreaker for you or not? Because Google has far more fingers in the public operation of email than it does passkeys. So if you’re still ok with having an email account, then you should be just as ok with using passkeys.

Well that’s great news, then you’ll like passkeys because you can use them without being locked into anything.

Yes. It’s still the fact that Google monopolizes shit. Same thing with Apple by the way.

a.k.a password-protected certificates

deleted by creator

It basically performs the same function as an SSH key (providing public key authentication), yes.

Your issue with logging in on your phone vs laptop can be solved by either syncing them (like the OS/Browser platforms of Google/Apple/Microsoft or a password manager like Proton Pass/Bitwarden do) or by setting up each device separately (like most people should do with SSH keys). Each method comes with trade-offs: syncing means they aren’t device bound and can potentially be stolen, setting it up on each device can be a pain, etc.

The important thing to remember is that passkeys don’t need to be the only authentication methods attached to an account. You can use the convenience of a passkey most of the time when it’s possible and then fall back to another method (like a password/TOTP pair) when that’s not available (such as when setting up a new device). There’s also always the standard account recovery options if all else fails, those don’t necessarily go away.

The other thing to remember is that it’s not trying to be a perfectly secure solution to all authentication everywhere but to replace passwords with something better. Not having to generate and store random passwords with arbitrary complexity requirements, being able to log in with just a tap or a click, and not having anything that needs to be kept secret on the website’s side can be enough of an improvement over passwords to make the change worthwhile.

You setup passkeys for all your devices with biometric features. I know I have a Yubikey for my desktop, facial recognition on my phone, and a fingerprint reader on my laptop. So, I setup 3 passkeys using biometric (fingerprint or face). I also kept my password and 2FA for now because it’s all new. I wouldn’t recommend jumping in face first.

I only am using it on a few key sites and partly because I’m a web developer testing it all out. I wouldn’t advise it for the average user at the moment but it’ll mature and many password managers can store passkeys now. As it matures, I’m hopeful it becomes seamless like FaceID and fingerprint readers.

Close, but you are still trusting the device you own. If I were to compromise that device, I could capture that key and use it. Again, this is my limited understanding, but a zero trust solution works in such a way that the actual keys are not stored anywhere. During setup, new temporary keys are generated. A keypass binds to the temporary key for use of authentication. The temporary key can be revoked at any time for any reason, whether it’s due to a breach or routine policies. It can be as aggressive as it needs, and the implication is that if someone else (either you or an attacker) got issued a new temporary key then the other would not receive it. Using an incorrect temporary key would force an initialization again, using the actual keys that aren’t stored anywhere.

The initialization process should be done in a high trust environment, ideally in person with many forms of vetting. But obviously this doesn’t take place online, so there is the risk that your device is not trusted. This is why the process falls back on other established processes, like 2FA, biometrics, or using another trusted device. How this is done is up to the organization and not too important.

But don’t get too hooked on the nuances of passwords, keys, passkeys,etc. The entire purpose is to limit trust, so that if any part of the process is compromised, there is nothing of value to share.

Disclosure: Worked in military and this seems to be a consumer implementation of public/private key systems using vector set algorithms that generate session keys, but without the specialized hardware. It’s obviously different, but has a lot of parallels, the idea in this case is that the hardware binds to the private/public keys and generates temporary session keys to each unique device it communicates with, and all devices can talk with members of it’s own vector set. Capturing a session key is useless as it’s constantly being updated, and the actual keys are stored on a loading device (which is subsequently destroyed afterwards, ensuring the actual key doesn’t exist anywhere and is non recoverable, but that’s another thing altogether). My understanding of passkey systems is solely based on this observation, and I have not actually implemented such a solution myself.