this post was submitted on 09 Apr 2024
503 points (92.7% liked)
Technology
59466 readers
3672 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
The idea of a passkey is that it is a security certificate that permanently bound to the software/hardware and can't be exfiltrated, in the same fashion you'd make one SSH private key per device connecting to a server, never leaving the computer it was generated from. Or how you'd keep your primary PGP keys in a safe location and deploy a unique subkey per device to use it. That way you can revoke an individual subkey if compromised, without revoking the entire chain.
You don't backup your Passkeys, you associate multiple passkeys per account (ie: ProtonPass, Bitwarden, Yubikeys) as a contingency.
If you can back it up, it can be stolen.
Hmmm see this is how I thought it worked but then Google and Apple providers are syncing passkeys around devices without issue? There are definitely backups and cloud syncs happening. I'm aiming to use an OS agnostic provider like 1password which I'd expect to sync across hardware- but with everything in its infancy I'm not sure how that shakes out.
But tbh that does bring up another concern of mine: I have some 200+ accounts, assuming a passkey world where everything is using them, if a user wanted to change ecosystems it seems they will need to visit every service, edit the account and reconfigure their keys instead of transferring the private keys into the new ecosystem? Sounds like a nightmare!
they are syncing, but under no circumstances it let you see the passkey's private key in a format that you can import elsewhere, which reduce the amount of damage that can be done, but still if an attacker gain access to your Google account and its "password manager" (or any other password managers tbh) it's mostly game over at that point.
Personally I don't have all my passkeys on a physical device, they're mostly stored in my Bitwarden vault for the convenience of multi-device sync, and the important accounts that offers SSO into other services (Google, Facebook, Amazon, Apple, plus Bitwarden) are protected by multiple hardware tokens with a Passkey for redundancies.
Security is as strong as its weakest link.
For the accounts that are highly important, you might want to use only keys that are bound to a device like a computer, phone, or hardware security key. This would require a bit of manual management as you swap out devices and hardware keys but for a limited number of important accounts this should be feasible. For all the other general accounts, storing them in a password manager can continue to be the most convenient way to use them. The Google/Apple/Microsoft solutions take this second approach and allow them to be synced across devices.
As for the portability, it's still relatively early and I don't think there's a standardized format to export passkeys into. It's only a matter of time before things settle down and different password/passkey managers support importing and exporting to at least one format that will work.