https://keepassxc.org/blog/2024-03-10-2.7.7-released/ says it has passkey support. I guess the author can now do exactly what they want.
You seem to be falling for what the author was writing about. Only because you could technically try to use keepassxc to store passkeys, that does not mean that it will work. You see passkeys were build in a way the service you’re trying to login to can decide if they accept your keepassxc for passkey storage or not. It looks like you are in control when you are actually not.
So, same as passwords then. The service can determine what they accept as a password. And if they’re being assholes about it you can decide to go elsewhere.
The service can determine what they accept as a password.
And what password manager you use, I think was the poster’s point.
There is indeed a big difference between requiring a specific password vs. requiring a specific device or software to be able to use the service. Keep in mind that big tech can very conveniently leverage this technology to lock you in. For example think about Apple, Google and Microsoft requiring you to use passkeys, and then later require you to use your certified phone and app. Most people will not be able to “go elsewhere”.
Can someone explain to me how using biometrics rather than a password/pin to protect from unauthorized access to your passkeys doesn’t violate the “something you have” and “something you know” principle of multi-factor authorization? Most of these implementations seem squarely geared at user convenience at the cost of actual security.
Passwords can be secure when the end user picks a strong one. But that is the biggest problem with them, the end user. They don’t pick good passwords and decades have shown us the general public are bad at passwords.
Passkeys are not biometrics. They are much simpler. In a very simple way you can think of them as a secure long random password that is stored on you device, generated per device, and not sent over the wire to the other side (so more like public/private key cryptography I believe).
The passkey on your device can be stored in an encrypted vault or even secure hardware that requires a pin/password or key to unlock.
They are not getting rid of multifactor codes and can be used with them. But by protecting them locally you can still have 2 factors to access them - the hardware/vault that contains them and the pin/password/biometric that unlocks the vault. And that is in addition to server side multifactor systems.
But even without all that you still gain massive benefits over passwords as it stops cross site comprises when one sites gets their password database leaked. Or brute forcing access to systems by guessing weak passwords that most people use.
deleted by creator
https://en.wikipedia.org/wiki/Multi-factor_authentication :
- Something the user has - device/token
- Something the user knows - password/pin
- Something the user is - biometrics
This assumes a pin is used, which according to the WebAuthn wikipedia page is not generally the case:
The illustrated flow relies on PIN-based user verification, which, in terms of usability, is only a modest improvement over ordinary password authentication. In practice, the use of biometrics for user verification can improve the usability of WebAuthn.
The way I read this, a pin is even too much for the end-user and biometrics replace it for usability.
The author of this website is soooo full of himself he doesn’t even notice how he bends reality to fit his point of view.
Yeah, they make some good points but it’s all a bit dramatic
I’m not sold on passkeys, either. Too “opaques” to me.
The more every fucking site shoves that down my throat at every login, the more I am not willing to even look at it.
This
That was a huge rant, i also don’t like the microsoft authenticator so guess what i don’t use it, and the issue of your private keys to getting stolen if your pc is hacked has long been solved with password protected keys.
All of these issues pretty much amount to nothing, the standard works and is more secure then passwords, same reason as to why enabling password login on SSH is not recommended.
I think the author identifies the correct issues but this isn’t an argument against passkeys as a security measure rather their inevitable use by corpos for data harvesting. I hate it too tbqh I’d rather get hacked on some disposable email account with a random username than have to hand over my PII, money and mortal soul to Google for extra sec. At work it’s a different level of shit entirely. We have SSO behind SSO behind SSO, the inept overseas coworkers don’t understand arch of the company they got merged with nor the concept of legal compliance or ISO, they’re running the entire sec programme into the ground to bring it under AD in a way that directly compromises their AD when nothing in any of our orgs even uses windows in any way except theirs where they drink M$ coolaid. If this job wasn’t so comfortable I’d be depressed just thinking about it.
