Looks like a huge amount of security vendors are working to have a secure and open standard for passkey portability between platforms.

It is always good to see major collaboration in the security space like this considering the harsh opinions that users of some of these vendors have toward many of the others. I just wish apps and sites would stop making me login with username and password if passkeys are meant to replace that lol.

  • zerozaku@lemmy.world
    link
    fedilink
    English
    arrow-up
    13
    arrow-down
    1
    ·
    2 months ago

    Why is the buzz around passkeys is back? I am seeing them way more often than they used to be. I think I have created passkeys for 2 apps and don’t even know how that worked, it such a breeze that almost felt it wasn’t secure lol.

    In what ways the passkeys are different than authenticator apps?

      • ShortN0te@lemmy.ml
        link
        fedilink
        arrow-up
        13
        ·
        2 months ago

        With the ability to transfer passkeys, the attack vector phishing does not sound that far fetched. Tho i have not looked into the transfer process.

        We will see i guess.

          • ShortN0te@lemmy.ml
            link
            fedilink
            arrow-up
            4
            arrow-down
            1
            ·
            2 months ago

            Why do you think SSH-Keys are safe against phishing? I mean it is unlikely, that someone will just send the key per mail or upload it somewhere since most ppl using SSH-Keys are more knowledgeable.

            When you now get an easy one click solution to transfer Passkeys from one Cloud provider to another it will get easier to trick a user to do that. Scenario: You get a mail from Microsoft that there is a thread and that you need to transfer your keys to their cloud.

            • Petter1@lemm.ee
              link
              fedilink
              arrow-up
              2
              arrow-down
              1
              ·
              2 months ago

              The thing is, that you only have to share public keys and never private ones. So you can only phish public keys…

              • Ferk@lemmy.ml
                link
                fedilink
                arrow-up
                2
                ·
                edit-2
                2 months ago

                You share public keys when registering the passkey on a third party service, but for the portability of the keys to other password managers (what the article is about) the private ones do need to be transferred (that’s the whole point of making them portable).

                I think the phishing concerns are about attackers using this new portability feature to get a user (via phishing / social engineering) to export/move their passkeys to the attacker’s store. The point is that portability shouldn’t be so user-friendly / transparent that it becomes exploitable.

                That said, I don’t know if this new protocol makes things THAT easy to port (probably not?).

                • Petter1@lemm.ee
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  edit-2
                  2 months ago

                  Well, they made it very secure with the transfer of passwords /s

                  It felt so strange having a CSV file with all my passwords and 2FA secrets in plain text in my downloads folder…

                  Imagine if would not have used a encrypted partition, my passwords may still be on that disk…

              • ShortN0te@lemmy.ml
                link
                fedilink
                arrow-up
                2
                ·
                2 months ago

                The thing is, that you only have to share public keys and never private ones. So you can only phish public keys…

                How would you sync or transfer a passkey across devices without transferring the private key?

                • AA5B@lemmy.world
                  link
                  fedilink
                  arrow-up
                  3
                  ·
                  2 months ago

                  That’s July question: the article even points that out. If previously the private key was in hardware, never exposed, but now it has to be available to software. Does it open any potential attacks?

                  Even if it is less secure, this is probably a good thing to prevent vendor lock-in. I know that’s one reason I rarely use passkeys

                  • Petter1@lemm.ee
                    link
                    fedilink
                    arrow-up
                    2
                    ·
                    2 months ago

                    Yea, I strictly did not set up any passkeys until I got strongbox pro, to store it outside of apple walled garden. To get 2FA secrets was hard enough (had long time no macOS device, only iOS)

                  • ShortN0te@lemmy.ml
                    link
                    fedilink
                    arrow-up
                    1
                    ·
                    2 months ago

                    That was a rhetorical question towards the commenter since the discussion point was not understood.