this post was submitted on 24 Sep 2023
78 points (94.3% liked)

Programming

17326 readers
255 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev



founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] Greensauce@sh.itjust.works 19 points 1 year ago (3 children)

I’m stealing this from another comment:

The main advantage comes with phishing resistance. Standard MFA (time based codes) is not phishing resistant. Users can be social engineered into giving up a password and MFA token. Other MFA types, such as pop up notifications, are susceptible to MFA fatigue. Similar to YubiKeys, Passkeys implement a phishing resistant MFA by storing an encryption key, along with requiring a biometric. The benefit here is that these are far easier for the average user, and the user does not need to carry a physical device. Sure, fingerprints could possibly be grabbed with physical presence, but there is far less risk that a users fingerprint is stolen, than a user being social engineered over the phone into giving creds. For most organizations and users, this is far more secure.

[–] SorteKanin@feddit.dk 10 points 1 year ago (2 children)

Standard MFA (time based codes) is not phishing resistant. Users can be social engineered into giving up a password and MFA token.

So basically this is just idiot-proofing the system. If you aren't the type of person to give your password or MFA token to another person, then passkeys don't really make better security.

[–] 0xc0ba17@sh.itjust.works 16 points 1 year ago (1 children)

idiot-proofing

Don't chalk it up to idiots. The quote mentions "MFA fatigue", which is something that definitely happens.

If you're a Windows user (and moreso if you play games on your computer), you certainly regularly have admin prompts. I'm pretty sure that, like everyone else, you just click OK without a second thought. That's fatigue. Those prompts exist for a security reason, yet there are so many of them that they don't register anymore and have lost all their meaning.

For my job, I often have to login into MS Azure, and there are days where I have to enter my MFA 3 or 4 times in a row. I expect it, so I don't really look at the prompt anymore. I just enter the token to be done with it asap; that's a security risk

[–] IphtashuFitz@lemmy.world 5 points 1 year ago

It also doesn’t take into account the technological advances that scammers are using more and more. Get a phone call from your boss requesting something sensitive? How sure are you that it really is your boss and not an AI generated voice relying on data from LinkedIn, Facebook, etc. run through a ChatGPT style system to respond to all manner of small talk etc?

[–] whosdadog@sh.itjust.works 9 points 1 year ago

It also allows you to login without someone visually observing your password while typing it on a keyboard or on an untrusted device that could have a keylogger.

[–] atheken@programming.dev 8 points 1 year ago* (last edited 1 year ago) (1 children)

And, they are actually more convenient because then entire login process is one step with minimal keyboard input, rather than two.

[–] beejjorgensen@lemmy.sdf.org 5 points 1 year ago (1 children)

What's the backup login mechanism when you lose your biometric sensor? How do you pair with the new sensor?

[–] atheken@programming.dev 3 points 1 year ago (1 children)

You can still keep password + 2FA on GitHub and Google Suite (probably anything else that's currently implementing them), it's just a convenience/anti-phishing feature right now.

The passkey is synced between devices if it's kept in a password manager, I haven't looked at the mechanism that Apple uses to sync it/use it if you store it in the system keychain. I guess you could also have multiple passkeys configured for a few devices.

[–] valpackett@lemmy.blahaj.zone 2 points 1 year ago (1 children)

IIUC Apple syncs them using the most secure way they can, i.e. when you enroll a new device to your account the existing device, the existing device's HSM encrypts keys using the pubkey of the new one's HSM; and for recovery from being left with 0 Apple devices there might be (?) an escrow option that's optional (?)

[–] atheken@programming.dev 2 points 1 year ago

Cool. I should check it out. I tend to assume that when Apple (or Google) rolled this out that it’s not broken in any obvious way that I would recognize right away.

But like contactless payments, which I’ve advocated my friends and family switch to, I should read up on why it’s more secure.

[–] takeda@lemmy.world 4 points 1 year ago (4 children)

I kind of don't like to store my fingerprints with Google. Even FBI collects them when you are indicted.

What about allowing us to log in to services via asymmetric keys?

[–] Greensauce@sh.itjust.works 9 points 1 year ago

You don’t have to store them with Google. Passkeys are supported in both iOS and Android natively. Within the last few months both Bitwarden and 1Password support storing passkeys as well.

[–] valpackett@lemmy.blahaj.zone 4 points 1 year ago (1 children)

Note that you pretty much can't store them with Google or Apple; smartphone biometric sensors operate the on-device HSM, not something remote.

[–] takeda@lemmy.world 1 points 1 year ago (1 children)

So, how does it work when you are accessing account from a different device? How the other device knows your fingerprint?

[–] valpackett@lemmy.blahaj.zone 2 points 1 year ago

It does not. The fingerprint always only unlocks the device's HSM ("secure enclave" in Apple speak).

Between your devices enrolled in the ecosystem, private keys are synced securely (AFAIK, they make it so that an existing device’s HSM encrypts keys using the pubkey of the new one’s HSM); for signing up using your device on someone else's computer there's a process that combines QR codes with Bluetooth communication.

[–] Trivial@programming.dev 4 points 1 year ago

It is just an asymmetric key. Phones try to store them securely but you could use an app to just generate them and store your key wherever.

[–] IphtashuFitz@lemmy.world 1 points 1 year ago

Eh. The feds already have my fingerprints due to a background check…