
romanof

Original poster
Jun 13, 2020
Texas
Ok, I admit I haven't made a study of the topic, in actuality, just taking the industry blurbs that passkeys are safe and painless. But...

Ebay seems to be the only site that is consistent, but the rest (Amazon, Google, even Apple) are hit and miss. One time I get an offer to use a passkey, and the next, "Please enter your name and password" and sometimes when going to the EXACT same URL.

In the latest, and just now, I logged into Amazon instantly with Faceid, then needed to update my pickup location, and... "Enter Name and Password."

What the heck?
 
scams and thefts are so high, security is a mess. my bank tried to convince me that Apple Pay transactions were more suspect than card transactions because someone could have stolen my phone and made the charges. when i told them that was locked with Face ID, they told me if a thief stole my phone they may also have my passcode and can add a new face to Face ID. when i assured her i was calling from the phone in question and it was indeed not stolen... she allowed the charge.

i started to explain that i (the person calling) could also be the thief... i decided that wasn't a great idea.

face... palm.
 
Ok, I admit I haven't made a study of the topic, in actuality, just taking the industry blurbs that passkeys are safe and painless. But...
They're trying to get people to use different passwords on different sites, which is such a pain, even with a password manager. Passkeys do this in a convenient way. Bulletproof: no, but moving in the right direction.
 
They're trying to get people to use different passwords on different sites, which is such a pain, even with a password wallet. Passkeys do this in a convenient way. Bulletproof: no, but moving in the right direction.
I agree with the direction, but it is the rollout that is the problem. Once enough people who don't even know what passkeys are find themselves in a confusing bootloop of a kind, then they will drop even trying and refuse the whole thing. It is hard enough to get friends and relatives not to use 123456 for their bank access - explaining to such a noob as to why their face won't unlock (insert random site) every other time is not even possible.
 
Once enough people who don't even know what passkeys are find themselves in a confusing bootloop of a kind, then they will drop even trying and refuse the whole thing.
That wouldn't surprise me. I do know what passkeys are, and I consider myself reasonably technically-minded, yet I haven't set any up because I'm not sure how it all works in terms of multiple computers.

For example: if I set up a passkey at home, on my Mac, with Safari, can I then log into the same website at work, on Windows, using Firefox? Furthermore, given that I find myself more and more disenfranchised with the Mac, what about if I switch my home computer to Linux? Or Haiku? The general overviews of passkeys don't go to that level of detail, and the more complex ones are overly confusing when you only have a high-level understanding of how it all works.

Sure, "normal" users aren't going to be using Linux or Haiku, but if I can't figure this stuff out then what chance does the general public have?
 
I agree with the direction, but it is the rollout that is the problem. Once enough people who don't even know what passkeys are find themselves in a confusing bootloop of a kind, then they will drop even trying and refuse the whole thing. It is hard enough to get friends and relatives not to use 123456 for their bank access - explaining to such a noob as to why their face won't unlock (insert random site) every other time is not even possible.

I know people who actively avoid Apple's integrated keychain and passwords functionality, but are also perpetually 'resetting' passwords sooner than remember them. Some people are just confused about how it works. I can understand that the password manager in the browser and a systemwide manager could get confusing...

Hopefully making Passwords an App will help. Multiplatform support is a must!
 
I tried to set up passkeys with eBay but it kept locking itself in some sort of loop. I'm fairly onto it with this stuff, I have used password managers and hardware keys for years but this one defeated me. I have a horrible feeling passkeys will end up not being adopted by most people. So what if it's easier? password1234 is easy too
 
That wouldn't surprise me. I do know what passkeys are, and I consider myself reasonably technically-minded, yet I haven't set any up because I'm not sure how it all works in terms of multiple computers.

For example: if I set up a passkey at home, on my Mac, with Safari, can I then log into the same website at work, on Windows, using Firefox? Furthermore, given that I find myself more and more disenfranchised with the Mac, what about if I switch my home computer to Linux? Or Haiku? The general overviews of passkeys don't go to that level of detail, and the more complex ones are overly confusing when you only have a high-level understanding of how it all works.

Sure, "normal" users aren't going to be using Linux or Haiku, but if I can't figure this stuff out then what chance does the general public have?

If you know what SSH keys are just think of passkeys as the same thing. The server has the public key and needs a device with the matching private key to successfully respond to the server challenge.

In your scenario you either need a way to sync the passkeys from your Mac to the Windows PC, or, if the passkey is not on the PC, it will prompt you with a QR code; you would then scan the code with your phone and authenticate with FaceID.
 
when i told them that was locked with Face ID, they told me if a thief stole my phone they may also have my passcode and can add a new face to Face ID
Every banking app I have, and I have a few, requires total re-authentication if FaceID is reset in any way, such as a new face added or the phone restored.
 
If you know what SSH keys are just think of passkeys as the same thing. The server has the public key and needs a device with the matching private key to successfully respond to the server challenge.

In your scenario you either need a way to sync the passkeys from your Mac to the Windows PC, or, if the passkey is not on the PC, it will prompt you with a QR code; you would then scan the code with your phone and authenticate with FaceID.

the question is, can you share passkeys with other devices like you sync, import and export passwords, or are they tied to a specific device or app?
 
I know people who actively avoid Apple's integrated keychain and passwords functionality, but are also perpetually 'resetting' passwords sooner than remember them. Some people are just confused about how it works. I can understand that the password manager in the browser and a systemwide manager could get confusing... Hopefully making Passwords an App will help. Multiplatform support is a must!
I'm one of those who actively avoid Keychain. Edge is my primary browser and I do not let it store passwords either. I use 1Password on my Macbook and iPhone. Also I have Yubikeys which I haven't set up yet, but may consider them in certain situations.
 
<Mentioning YubiKey in the reply above> I'd like to hear the experiences anyone has using physical keys; pros / cons.
 
Every banking app I have, and I have a few, requires total re-authentication if FaceID is reset in any way, such as a new face added or the phone restored.
Every so often, my banking app just tells me to login and ignores the faceid. But it doesn't present a login option and I can't find any way of getting it to do so.

Eventually I remember that I have to go to Settings and re-allow the app to use faceid. Then it all works OK.

I suspect that this happens when the app has been updated. Maybe I should switch off Background App Refresh? But I'm not sure what happens if I do that and it refuses to work without doing an app update. If I am at home, fine. But I don't want to be downloading banking apps from random public wifi connections if I am out and about.
 
the question is, can you share passkeys with other devices like you sync, import and export passwords, or are they tied to a specific device or app?
I don't use a 3rd party password manager so I don't know the details on how that integrates with everything.

Looking at KeePass documentation they at least have options to import / export passkeys: https://keepassxc.org/docs/KeePassXC_UserGuide#_passkeys

I don't know if passkeys can be exported from the Passwords app in Sequoia as I don't have any passkeys and can't add any unless I enable iCloud Keychain. I'll try and test it once the initial release of Sequoia is available.


[Image: iCloudKeychain.jpg]

Passkeys can be airdropped to other Apple devices as long as they meet the criteria (and have iCloud Keychain enabled I would guess since I couldn't make it airdrop to Sequoia.)

[Image: AirdropFailure.jpg]

If you use the password app on iOS/macOS then the passkeys appear to be available globally across apps and not limited to Safari. Testing with Firefox I was able to get the standard passkey prompt.

[Image: NintendoPasskey.jpg]

Update: Also tested Firefox on Sonoma since it has the passkey in Keychain and it prompts for TouchID and logged in successfully.
 
I tried to set up passkeys with eBay but it kept locking itself in some sort of loop. I'm fairly onto it with this stuff, I have used password managers and hardware keys for years but this one defeated me. I have a horrible feeling passkeys will end up not being adopted by most people. So what if it's easier? password1234 is easy too
I've not had any problem setting up passkeys on about 12 different sites, I don't use eBay though. Web developers should take the time to get it right.

I think over the next few years there will be a big industry push to have all major websites support passkeys. As for adoption, just have users prompted at login to enable it; it can basically be a one-step process, and after that point it will just use the passkey. 99% of users won't even know anything changed.

The pros for both the website and user are more than worth it against passwords.
No more social engineering people to give someone their password.
No more phishing to trick users into logging in on a fake site.
No more having to reset a bunch of passwords because they used the same password everywhere.

I think even having a database leak becomes meaningless as the passkey stored on the server is useless without the private key from the user's device.
 
I've not had any problem setting up passkeys on about 12 different sites, I don't use eBay though. Web developers should take the time to get it right.

I think over the next few years there will be a big industry push to have all major websites support passkeys. As for adoption, just have users prompted at login to enable it; it can basically be a one-step process, and after that point it will just use the passkey. 99% of users won't even know anything changed.

The pros for both the website and user are more than worth it against passwords.
No more social engineering people to give someone their password.
No more phishing to trick users into logging in on a fake site.
No more having to reset a bunch of passwords because they used the same password everywhere.

Here is the question: if I set up a passkey for my Google account and buy a new MacBook, and now I want to log in to that Google account from my new MacBook, how does this work? With passwords I just need to type in my password.


I think even having a database leak becomes meaningless as the passkey stored on the server is useless without the private key from the user's device.

isn't this the same with passwords, because passwords are stored encrypted?
 
Here is the question: if I set up a passkey for my Google account and buy a new MacBook, and now I want to log in to that Google account from my new MacBook, how does this work? With passwords I just need to type in my password.

The passkeys are synced to the new machine using whichever password manager you stored them in. You could also use the QR code method with a mobile device to log in.

isn't this the same with passwords, because passwords are stored encrypted?

Unfortunately, history has shown us that this isn't always the case.
 
<Mentioning YubiKey in the reply above> I'd like to hear the experiences anyone has using physical keys; pros / cons.
I've used Yubikeys for a few years. I use them on any sites that allow you to load FIDO keys, and I also use them for 2FA using the Yubi authenticator app on my phone - the secret stays on my key, so it doesn't matter if someone gets into my phone because the authenticator app is useless on its own.

The main disadvantage I have found is that I need to load all my keys individually either as FIDO keys or loading TOTP codes on them. I have two on my keyring (one USB-C and one USB-A), one stashed at work as a backup and one stashed at home as a backup. For TOTP I print out the QR codes and keep them in a safe place so I can reload keys if I need to. For FIDO I just need to remember to load all my keys on each site.

Other than that, it's been smooth. For TOTP they work exactly the same as a regular authenticator; I just need to open the Yubi auth app and wave my USB-A key with NFC at my phone, and for FIDO my machine will ask me to insert my key and touch it to activate. Just seems to work.
 
Here is the question: if I set up a passkey for my Google account and buy a new MacBook, and now I want to log in to that Google account from my new MacBook, how does this work? With passwords I just need to type in my password.

As kitKAC mentioned you would sync your passkeys through iCloud Keychain or 3rd party password manager just like you would for your normal passwords.

The nice thing about passkeys is you can use your iPhone to basically provide something akin to "guest access" to your login on computers you don't own. You just scan the QR code on the computer and authenticate with FaceID. This doesn't transmit the private key part to the computer, so it won't get accidentally saved to a system that isn't yours. You should still remember to log out when you're done though. ;)


isn't this the same with passwords, because passwords are stored encrypted?

I think it's better than encrypted passwords, since it appears a lot of companies aren't actually encrypting passwords, as can be seen from all the various password leaks. Also, passwords can be brute forced with varying degrees of difficulty.

A passkey isn't an encrypted password to be decrypted. It's a keypair with the server holding the public key. The server then encrypts some value with that key when you try to login. Only your private key can then decrypt the value the server sent and send it back as proof you are the user.
 
I've used Yubikeys for a few years. I use them on any sites that allow you to load FIDO keys, and I also use them for 2FA using the Yubi authenticator app on my phone - the secret stays on my key, so it doesn't matter if someone gets into my phone because the authenticator app is useless on its own.

The main disadvantage I have found is that I need to load all my keys individually either as FIDO keys or loading TOTP codes on them. I have two on my keyring (one USB-C and one USB-A), one stashed at work as a backup and one stashed at home as a backup. For TOTP I print out the QR codes and keep them in a safe place so I can reload keys if I need to. For FIDO I just need to remember to load all my keys on each site.

Other than that, it's been smooth. For TOTP they work exactly the same as a regular authenticator; I just need to open the Yubi auth app and wave my USB-A key with NFC at my phone, and for FIDO my machine will ask me to insert my key and touch it to activate. Just seems to work.

isn't this overkill? i don't want to use a Yubikey every time I log in to YouTube, and how would I use it if I wanted to log in via Apple TV or an Android phone?

As kitKAC mentioned you would sync your passkeys through iCloud Keychain or 3rd party password manager just like you would for your normal passwords.

The nice thing about passkeys is you can use your iPhone to basically provide something akin to "guest access" to your login on computers you don't own. You just scan the QR code on the computer and authenticate with FaceID. This doesn't transmit the private key part to the computer, so it won't get accidentally saved to a system that isn't yours. You should still remember to log out when you're done though. ;)




I think it's better than encrypted passwords, since it appears a lot of companies aren't actually encrypting passwords, as can be seen from all the various password leaks. Also, passwords can be brute forced with varying degrees of difficulty.

A passkey isn't an encrypted password to be decrypted. It's a keypair with the server holding the public key. The server then encrypts some value with that key when you try to login. Only your private key can then decrypt the value the server sent and send it back as proof you are the user.

1) so can I export those keys as plain text?

2) how can I use those passkeys if I am using a different device, like logging in through my smart TV app?

3) If passkeys are stored in the vault of a password manager, how will I unlock the password manager itself?
 
isn't this overkill? i don't want to use a Yubikey every time I log in to YouTube, and how would I use it if I wanted to log in via Apple TV or an Android phone?



1) so can I export those keys as plain text?

2) how can I use those passkeys if I am using a different device, like logging in through my smart TV app?

3) If passkeys are stored in the vault of a password manager, how will I unlock the password manager itself?

It's not overkill. I hardly ever have to use my keys. If I set up a new phone I do need to use them and if I'm logging in fresh to sites that I have them loaded against but day to day I rarely need to use them. I don't generally log completely out of YT for instance.

I have Google's and Apple's versions of Advanced Data Protection enabled but they're mostly to stop someone setting a new device up I think.

I'm pretty sure you can't export passkeys. If you use Keychain or something like Proton Pass or Bitwarden they will sync between devices.

When I set up my Chromecast I remember it had a special procedure for using your phone to authenticate my Yubikey for it. Apple TV will probably have something similar. It's fine, they've accounted for it in their setups.

I use Proton Pass as a password manager. Nothing changes as far as logging into it goes since I added a couple of passkeys, why would it? I have a Proton account with username and password plus I've switched on their 'extra password' option.
 
I'm pretty sure you can't export passkeys. If you use Keychain or something like Proton Pass or Bitwarden they will sync between devices.

This is what worries me. So if development stops on my password manager of choice, how do I move my passkeys to a new password manager? Or am I locked in to that password manager vendor forever?

or do I have to go back into my accounts and de-activate all passkeys and setup all new passkeys with the new password manager?
 
This is what worries me. So if development stops on my password manager of choice, how do I move my passkeys to a new password manager? Or am I locked in to that password manager vendor forever?

or do I have to go back into my accounts and de-activate all passkeys and setup all new passkeys with the new password manager?
I wouldn't worry too much about that. Below is from Bitwarden's passkey FAQ - sounds like it will be a thing in future

Q: Are stored passkeys included in Bitwarden imports and exports?

A: Passkeys are included in .json exports from Bitwarden. The ability to transfer your passkeys to or from another passkey provider is planned for a future release.
 
OMG! What a mess.

Prediction - Passkeys and hardware tokens will fail and be abandoned or not even implemented by most websites.

Got a pair of Yubikeys, intending to migrate them to sites that use hardware tokens. (Actually, I have been intending to do so for a year, at least, but just now finally got around to it.)

They will be fine for nerds and techies - those who already know about long passwords and no reuse and don't click on that "You won't believe..." email. In other words, for those who need protection the least.

The setup for every site is different, always confusing and often non-existent. For example, both Yubikey and Ebay brag about the utter safety of using a hardware token on the site, but nowhere in Ebay (that I have found, as yet) are tokens, Yubikey or the setup of such even mentioned. However, the backup default of a passkey went pretty easily.

Even Yubikey itself has pages and pages of how important it is to use hardware 2FA. But "Learn how" buttons lead to other sub-pages that say nothing but, "Easy to Setup. Which one do you want to buy?" Eventually, again if you are really really persistent (and a nerd), you will find a technical document, in a locked cabinet drawer in a dark basement behind a door that says, "Beware of the Leopard."

For whatever reason, website programmers just cannot get the idea of

"Are you new to (xxx)?"
1. do this.
2. do that.
3. check that this is...
4. and so forth.

The Yubikeys work great once they are set up, but there is not the slightest chance of my neighbors or family making one work.

Passkeys are great when they work, but those are not at all consistent. I log on with one, then go to another area of the site, and I get "Name and Password please." And what is really strange, is for the exact same URL asking for a passkey one day and a password the next.

Doomed, I say!
 