undefined | Better HN

0 pointsstetrain1y ago0 comments

You can store passkeys in a password manager as well:

The super simple explanation is: SSH keys for websites.

You have a unique private key for each website account stored on your device, in a local password manager, or in a cloud synced password manager (iCloud account, Google account, 1Password, etc).

The website only gets the public key, so unlike password auth your secret is never given to the website.

When accessing that website, the website can send a challenge which your browser answers using your private key associated with that specific domain.

(I'm not a passkey expert and there are a lot more technical details to this, but this is my 10,000ft mental model of what's going on)

0 comments

rcarmo1y ago

It's still not a great multi-platform/multi-device story. I use multiple machines regularly (and I've migrated away from 1Password to the KeePass ecosystem, by the way) so syncing passkeys from my Mac(s) to my iPad, to my Fedora machines and my Windows working environment is simply not happening any way I look at it.

Passkeys are great for consumers who use one or two devices (or browsers - I also switch browsers frequently). For anyone with more than one platform or one device in their lives they suddenly become added complexity, because even though you _can_ have more than one passkey per account per service, in practice there are all sorts of weird edge cases.

They're just not mature yet, period.

vel0city1y ago

You shouldn't ~~necessarily~~ need to "sync" your passkeys across all your devices; each device should have its own passkey. Then if you lose a device (or that one device gets compromised), you revoke the one key and everything else is fine.

Similar to SSH keys. No reason to use the same key on all your machines, use a different key from different places.

The passkeys on my laptop are different from the passkeys on my desktop which are different from the passkeys on my phone which are different from the passkeys on my main yubikey which are different from the passkeys on my backup yubikey.

Edited due to acknowledging people may choose a variety of alternative workflows.

NoMoreNicksLeft1y ago

> You shouldn't necessarily "sync" your passkeys across all your devices; each device should have its own passkey. Then if you lose a device (or that one device gets compromised), you revoke the one key and everything else is fine.

If he's storing his passkey in his password manager, it wouldn't matter that he lost the device. They can't get to it, it's AES-somebigassnumber-ed up the wazoo. If the passkey is cached outside of the password manager, then passkeys are a horrible idea, where you have to "go home and call the 800 numbers to cancel the credit cards", and worse still, people with few devices might end up in circumstances where they have no valid devices left to bootstrap access.

I am resigned to the fact that I will die with humanity never having solved the problem of passwords adequately, but being that I will live another two decades minimum, I will get to see two more of the stupidest possible non-solutions.

1 more reply

Macha1y ago

I use far more sites than I ssh into servers, which makes this much more of a pain. Like, every time I sign up to a site I need to grab all 5+ devices I might ever use and add them to every site, or I can't e.g. log into my D&D game while travelling because I forgot to generate a key on the work laptop? If all my devices are destroyed in a house fire again, I'm locked out of everything? These have been my big concerns.

1 more reply

abadpoli1y ago

Great in theory, but in practice there are still a frustrating amount of websites and services that put a low upper limit (usually just one or two) of the number of keys you can enroll.

This effectively makes it impossible to do what you’re saying. It sucks.

1 more reply

discardedrefuse1y ago

Yo. Thank you so much for posting in this thread. Turns out I was thinking about Passkeys wrong this whole time and you're the first person (I've seen) to really explain this workflow. Thanks again!

rcarmo1y ago

Actually, I much prefer to use the same SSH key for deployments from any of my machines, so that example doesn't really work for me (I do have multiple keys).

cgeier1y ago

How do I then get the passkey for my second device accepted by the service? Do I mail the public part to myself and insert it from my first device?

1 more reply

landmass1y ago

I've installed KeePassXC on my Mac and Linux machines and it stores Passkeys. Low-tech syncing is by Signal Notes to Self. If there were an audited app for iPhones I'd still be using that method; there isn't, so I've moved to Bitwarden. Passkeys seems to work fine on Bitwarden.

nindalf1y ago

How do the private keys get synced across my devices? What's the default in the Apple, Google and Microsoft ecosystems? Devices get lost after all.

stetrainOP1y ago

By default they go in your cloud synced password manager for those platforms. iCloud Keychain etc.

Or you can use a third party password manager like 1Password or KeePassXC.

MadVikingGod1y ago

I currently use the 1Password passkeys, and when they work, it's pretty good. I get all the fun of showing up on a website, and with three clicks, I'm in. But I've used them on just a few websites (email and GitHub), and they work correctly maybe 10% of the time.

First, I had to figure out how to get the website to request the passkey. Then I had to figure out that I didn't want to use the browser's passkey but 1Password's, which is different on different browsers and platforms. And good luck if I'm on mobile, I don't think it's ever worked.

At this point I'm taking a break from signing up new passkeys. I'll stick to UN+PW+(TOTP|Yubikeys).

PS: Why is it that no financial institution lets you use anything more than a SMS U2F?

mixmastamyk1y ago

How do you back up the private key? With ssh I know to back up .ssh with the rest of my home folder. With a passkey I'd have no idea where it was, and get the feeling the "modern" software won't tell me on purpose, so that it can manage/sync it for me. Which leads to a lack of a mental model.

stetrainOP1y ago

The same way you would back up passwords stored in iCloud Keychain, 1Password, KeePassXC, etc.

mixmastamyk1y ago

So you don’t, just leave it to BigTech, thanks.

1 more reply

j / k navigate · click thread line to collapse

0 comments

rcarmo1y ago

They're just not mature yet, period.

vel0city1y ago

Similar to SSH keys. No reason to use the same key on all your machines, use a different key from different places.

Edited due to acknowledging people may choose a variety of alternative workflows.

NoMoreNicksLeft1y ago

1 more reply

Macha1y ago

1 more reply

abadpoli1y ago

Great in theory, but in practice there are still a frustrating amount of websites and services that put a low upper limit (usually just one or two) of the number of keys you can enroll.

This effectively makes it impossible to do what you’re saying. It sucks.

1 more reply

discardedrefuse1y ago

Yo. Thank you so much for posting in this thread. Turns out I was thinking about Passkeys wrong this whole time and you're the first person (I've seen) to really explain this workflow. Thanks again!

rcarmo1y ago

Actually, I much prefer to use the same SSH key for deployments from any of my machines, so that example doesn't really work for me (I do have multiple keys).

cgeier1y ago

How do I then get the passkey for my second device accepted by the service? Do I mail the public part to myself and insert it from my first device?

1 more reply

landmass1y ago

nindalf1y ago

How do the private keys get synced across my devices? What's the default in the Apple, Google and Microsoft ecosystems? Devices get lost after all.

stetrainOP1y ago

By default they go in your cloud synced password manager for those platforms. iCloud Keychain etc.

Or you can use a third party password manager like 1Password or KeePassXC.

MadVikingGod1y ago

At this point I'm taking a break from signing up new passkeys. I'll stick to UN+PW+(TOTP|Yubikeys).

PS: Why is it that no financial institution lets you use anything more than a SMS U2F?

mixmastamyk1y ago

stetrainOP1y ago

The same way you would back up passwords stored in iCloud Keychain, 1Password, KeePassXC, etc.

mixmastamyk1y ago

So you don’t, just leave it to BigTech, thanks.

1 more reply

j / k navigate · click thread line to collapse