
184 points | Bogdanp | 3 comments
bmandale No.45105669
> An attempt by an open source password manager to provide export of private keys was ruled insecure and should not be supported.

The name of the issue reveals the actual problem: "should never be exported in clear text". If the export was encrypted with a passphrase in a standard format, then there would be no issue. It's specifically doing it in plain text that causes consternation. Of course, in practice it doesn't make much of a difference when users are incapable of choosing secure passwords, let alone passphrases. But requiring exports to be encrypted is the least one can do to maintain a degree of security while still allowing exports.

> For many years already, people lose access to their Google account every day and can never regain it. Google is well known for terminating accounts without stating any reasons. With that comes the loss of access to your data. In this case, you also lose your credentials for third-party websites.

In practice this is frequently already true. Many sites require an email to sign up. Whenever you attempt to log in on a new device, they require you to type in a code sent to your email. Without access to your email, you cannot sign in.

tuckerman No.45105880
Where is the line exactly though? If the password manager put up a big red notice when trying to export in plain text is that enough? If not, why not?

I am sympathetic to the intent but the words of Patrick Henry come to mind too often in conversations like these. I love passkeys and appreciate secure defaults but I feel strongly that user freedom is a more fundamental requirement than preventing phishing attacks.

AndrewDucker No.45108302
Because many end users will ignore that. And this technology is set up to prevent end users from hurting themselves, even if that constrains technologically capable ones.
tuckerman No.45109870
My values are such that it’s inappropriate for a few folks at companies and random consortiums to make that decision on behalf of all society.

If KeePassXC wanted to enforce that world view for the safety of their users, it’s their right, but this is essentially a threat of blacklisting an entire password manager for adding a feature demanded by their users (which is likely predominantly used by technically savvy users at that).

palata No.45113752
> but this is essentially a threat of blacklisting an entire password manager

I don't think they could blacklist the entire password manager. They can't prevent it from giving you a username/password...

Refusing some passkeys is, to me, similar to refusing passwords that are too short. It may make sense to only accept passkeys backed by a secure element. Companies already force their employees to use a specific MFA app, because they don't want to trust any app out there.

tuckerman No.45116257
What if websites start adopting passkey-only instead of offering a username/password option? We could live in a world where services are inaccessible unless you use Google/Apple/1Password/etc as your password manager.
palata No.45120682
> We could live in a world where services are inaccessible unless you use Google/Apple/1Password/etc as your password manager

If services want to force you to use whatever authentication they want, they can. That's what already happens with any service that is serious about security. In big companies, you have to use their authenticator app, their mail client, their messaging system, etc. Often it's Microsoft software. Banks have their own systems, etc.

Now, if a service allows you to use a passkey instead of their own 2FA app, I'd say it's a win. I'm happier using a security key than a Microsoft authenticator. But if they give up on using their own app, they may well set conditions on the passkey you use. And that condition may be "it has to be backed by a trusted secure element".

You won't be able to use a passkey that's deemed unsecure just like right now, you already are not able to just use a weak password with some services.

Again, I'm not saying that being forced to depend on TooBigTech is not a problem: it very much is. But nothing says that services have to do it with passkeys: they could (and should) also accept secure passkeys that don't come from TooBigTech. But they still have a say in what they find secure or not, and that part is okay.

tuckerman No.45122268
I don’t think we should create standards that make it easier for companies to erode user freedoms and I’d support legislation to restrict what certain companies can/can’t do (banks, Google/Apple, etc)

The discussion about what happens in big companies is completely unrelated to this discussion. In that case the company is the user. They can do/enforce whatever they want and nobody is having any freedoms infringed.

palata No.45125441
> The discussion about what happens in big companies is completely unrelated to this discussion

It's not, in that they have plenty of technological solutions to address their security concerns. Passkeys don't make it easier.

> I don’t think we should create standards that make it easier for companies to erode user freedoms

We want some degree of security in many services (typically our bank). And we generally can't have it all. Security is a compromise.

tuckerman No.45127815
> Security is a compromise.

To spell out the quote I allude to above, "give me liberty, or give me death!" We could eliminate a lot of bad things in the world if we were willing to give up freedoms.

Well intentioned but naive security researchers are constructing the very tools that will be used by governments and corporations to restrict the rights and freedoms of users and I don't think we should stand for it.

palata No.45132617
> Well intentioned but naive security researchers

If you are still talking about passkeys, I kindly disagree. I feel like many well intentioned but naive people seem to complain about passkeys for reasons that are not justified, precisely because governments and corporations don't need passkeys at all to restrict the rights and freedoms of users. Passkeys won't make it easier for them, it's already easy.