this post was submitted on 30 Mar 2024
297 points (79.2% liked)

Technology

60033 readers
2950 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 2 years ago
MODERATORS
 

Passkeys are an easy and secure alternative to traditional passwords that can help prevent phishing attacks and make your online experience smoother and safer.

Unfortunately, Big Tech’s rollout of this technology prioritized using passkeys to lock people into their walled gardens over providing universal security for everyone (you have to use their platform, which often does not work across all platforms). And many password managers only support passkeys on specific platforms or provide them with paid plans, meaning you only get to reap passkeys’ security benefits if you can afford them.

They’ve reimagined passkeys, helping them reach their full potential as free, universal, and open-source tech. They have made online privacy and security accessible to everyone, regardless of what device you use or your ability to pay.

I'm still a paying customer of Bitwarden as Proton Pass was up to now still not doing everything, but this may make me re-evaluate using Proton Pass as I'm also a paying customer of Proton Pass. It certainly looks like Proton Pass is advancing at quite a pace, and Proton has already built up a good reputation for private e-mail and an excellent VPN client.

Proton is also the ONLY passkey provider that I've seen allowing you to store, share, and export passkeys just like you can with passwords!

See https://proton.me/blog/proton-pass-passkeys

#technology #passkeys #security #ProtonPass #opensource

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 6 points 8 months ago* (last edited 8 months ago) (2 children)

Why shouldn’t these features require money?

It’s $10 per YEAR. This is an extremely reasonable price given the importance of the service.

Bitwarden employees need to eat too.

[–] [email protected] 1 points 8 months ago* (last edited 8 months ago) (1 children)

It's not paywalled. It's not yet implemented in mobile bitwarden apps. It probably won't be paywalled once implemented because it's not paywalled in extension where it's already implemented

[–] [email protected] -4 points 8 months ago* (last edited 8 months ago) (1 children)

2FA is a paid feature in Bitwarden. That's the feature we were talking about.

Edit: fuck me for explaining myself

[–] [email protected] 1 points 8 months ago

You're getting downvoted because that, in fact, isn't the feature we were talking about.

2FA and passkeys are different

[–] [email protected] 1 points 8 months ago (2 children)

I'd be perfectly okay with them just charging for Bitwarden, period. Instead they pretend it's free but charge premium for all the most effective security features, including 2FA to their own services. Effectively it creates a group of people that use Bitwarden without access to these security features but complacent enough to not seek alternatives that would offer these features at a price acceptable for them (possibly free, like KeepassXC).

Bottom line: security shouldn't be a premium feature. It should be either available or not at all. Never as a premium within the service.

[–] [email protected] 3 points 8 months ago (1 children)

For logging in, Bitwarden supports TOTP, email, and FIDO2 WebAuthn on the free plan. It only adds Yubikey OTP and Duo support at the paid tier, and WebAuthn is superior to both of those methods. This is an improvement that they made fairly recently - back in September 2023.

The other features that the free plan lacks are:

  • the 1 GB of integrated, encrypted file storage. This is a convenience that is nice to have, but not essential to a password manager.
  • the integrated TOTP generator. This is a convenience that many argue is actually a security downgrade (under the “putting all your eggs in one basket” argument).
  • Upgraded vault health reports - free users get username data breach reports but not weak / reused password reports. This is the main area where your criticism is valid, but as far as I know free competitors don’t offer this feature, either. I looked at KeepassXC and didn’t see this mentioned.
  • Emergency access (basically a trusted contact who can access your vault under some circumstances). This isn’t essential, either, and the mechanisms they add to ensure security of it cost money to provide.
  • Priority support - free users get 24/7 support by email, which should be good enough
[–] [email protected] 1 points 8 months ago

I wasn't aware they added WebAuthn to the free plan recently. That's great to hear, thanks for the correction!

[–] [email protected] 2 points 8 months ago

I disagree.

Simply adopting the use of their free service (or any password manager, sans 2FA) is an upgrade in terms of personal security. That's moving in the right direction from memorized (and let's be honest, that means using the same or a small list of similar passwords) passwords everywhere.

The existence of alternatives that include 2FA at no cost works against your point IMO. But that also comes at a cost - Keepass requires that you manage your own sync and backup.