Passkeys might really kill passwords - eviltoast

Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing… that lives on my phone? What if I lose my phone? What if you steal my phone?

  • monko@lemmy.zip
    link
    fedilink
    English
    arrow-up
    39
    arrow-down
    7
    ·
    edit-2
    9 months ago

    Glad this is being discussed. Having worked adjacent to the authentication market, I have mixed feelings about it, though.

    There are a few problems with passkeys, but the biggest one is that no matter what, you will always need a fallback. Yes, Apple promises a cloud redundancy so you can still log in even if you lose every device.

    But that’s just Apple’s ecosystem. Which, for what its worth, is still evolving. So the passkey itself is phishing-resistant, but humans still aren’t. Fallbacks are always the weakest link, and the first target for bad actors. Email, or sometimes phone and SMS, are especially vulnerable.

    Passkeys in their current iteration are “better” than passwords only in that they offload the fallback security to your email provider. Meanwhile, SIM swapping is relatively ready easy for a determined social engineer, and mobile carriers have minimal safeguards against it.

    Usability? Great, better than knowledge-only authentication. Security? Not actually that much better as long as a parallel password, email, or SMS can be used as a recovery or fallback mechanism.

    I’m not saying passkeys are bad, but I’m tired of the marketing overstating the security of the thing. Yes, it’s much more user-friendly. No one can remember reasonably complex passwords for all 100 of their online accounts. But selling this to the average consumer as a dramatic security upgrade, especially when so many still run passwords in parallel or fall back to exploitable channels, is deceptive at best.

    • pop@lemmy.ml
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      1
      ·
      edit-2
      9 months ago

      But that’s just Apple’s ecosystem

      Apple isn’t the only one allowing redundancy, most popular password managers allow you to lose all your devices and still have passkeys securely stored in the cloud. And people who don’t even know that password managers exists, aren’t going to the early adopters of passkeys.

      • monko@lemmy.zip
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        I’d anticipate that most providers will do something similar. I just mentioned Apple because they’ve been pushing their “cloud backup” hard while still using SMS as a fallback.

        I’d be interested to hear which provider, if any, has managed to get around the usual (vulnerable) channels for recovery.

        • panicnow@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 months ago

          The document you linked says it requires a combination of your apple account password plus an SMS text sent to a pre-registered phone number? Seems like a pretty good setup for most people. Also has the alternative of recovery contacts and recovery keys.

          It looks like turning on advanced protection would eliminate the SMS method but I am not 100% sure. Then you would need recovery keys or recovery contact.

          https://support.apple.com/en-us/102651

          My biggest worry in these cases is not that I get locked out, but rather that Apple mangles my keychain. I have a USB CSV of my passwords in my bank safety deposit box. With passkey I am not sure of how I would get a similar backup.

          • monko@lemmy.zip
            link
            fedilink
            English
            arrow-up
            5
            ·
            9 months ago

            I get what you’re saying, but it’s not about getting locked out. It’s about other people using recovery methods to take over your account. Why would anyone try to break through durable public-key encryption when you can just phish a victim’s email account password?

            And it’s not like real-time phishing for 2FA/MFA isn’t widespread—it’s just not automated to the same level as other methods. That said, two- or multi-factor is going to stop 99% of automated hacks. It’s the determined ones that I’m concerned about.

            In regards to the Apple thing… Apple passwords can be reset using a recovery email. That means the security of the account leaves Apple’s ecosystem and relies on the email provider. So, if I’m a cybercriminal determined to hack your account, I start there.

            Then, if you’ve got your keychain all set up, it’s time for a SIM swap. I clone your SIM or convince your mobile carrier to give me a SIM with your number. And even if recovery contacts and keys are alternatives, the use of SMS is problematic. If you really can turn it off, then I’m all for it. But if you can’t be sure, neither can I.

            SMS is a very low-security option that is showing its age. It was never intended to be a secure verification method, yet it’s become incredibly popular due to its availability. Unfortuantely, telecom companies are simply not interested in upping their security.

            All SIM swap protection is opt-in at this point. Verizon and the gang might wise up considering the lawsuits leveled at them by victims—many of whom lost millions in cryptocurrency due to the carriers’ negligence—but it’s not likely.

            The point here isn’t that passkeys are bad for consumers. They’re convenient and about as secure as existing methods. The problem is that they’re being sold on average folks as a security upgrade even though they’re more of a sidegrade. PKI/FIDO already existed before the whole passkeys buzz did, and it had the same limitations. This is mostly just branding and implementation.

            • panicnow@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              9 months ago

              If you enable advanced data protection apple cannot recover your account. You need your recovery keys or a designated recovery contact.

              The apple doc implies (to me) that a SIM swap only works after you authenticate on an apple device (e.g. using your password) even without advanced data protection. I have never tested that.

              You can use the long process (many days) to recover an account assuming you haven’t enabled advanced data protection. I’m okay with that as it is perfect for my grandparents (I had an older relative who got their account back through this method).

              I get that you could SIM swap to recover other accounts (not Apple) if they have SMS as a recovery method. That sucks and it really sucks for people who don’t get that an email or SMS recovery can be a giant hole in security.

              • monko@lemmy.zip
                link
                fedilink
                English
                arrow-up
                1
                ·
                9 months ago

                Gotcha, point taken. Ultimately, I think there needs to be a better identity proofing process overall. But that may rely on a total infrastructure overhaul, which seems unlikely.

      • monko@lemmy.zip
        link
        fedilink
        English
        arrow-up
        6
        ·
        9 months ago

        Not sure exactly what you’re getting at, but any authentication model must be designed with the assumption that a user can lose all their devices, passkeys included. That’s where fallbacks come into play. Even with Apple’s system, you can recover your keychain through iCloud Keychain escrow, which (according to their help page) uses SMS:

        To recover your keychain through iCloud Keychain escrow, authenticate with your Apple ID on a new device, then respond to an SMS sent to a trusted phone number.

        While SIM swaps aren’t super common, they’re not the most difficult attack. Passkeys are strong against direct attacks, for sure. But if I can reset your account using a text message sent to a device I control, is it really that much more secure?

        • unconfirmedsourcesDOTgov@lemmy.sdf.org
          link
          fedilink
          English
          arrow-up
          4
          ·
          9 months ago

          So if you lose access to all of your devices, you’re completely locked out of everything until you’re able to get a new working phone activated on a trusted phone number? The trade-off of inconvenience for security here just doesn’t seem worth it to me.

          • monko@lemmy.zip
            link
            fedilink
            English
            arrow-up
            2
            ·
            9 months ago

            Depends on the provider in question. While Apple does allow SMS recovery, they also let you designate a trusted contact who can let you in as an alternative. This is obviously more convenient (if you have a friend or family member who can be available when you need them), but the situation with SMS vulnerabilities is still my main gripe.

        • Pulptastic@midwest.social
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 months ago

          Is it possible to use some kind of fingerprinting to identify people? It works for marketers, could that idea be used for security?

          I am a total noob who is interested, if I come across as uninformed it is because I am.

          • monko@lemmy.zip
            link
            fedilink
            English
            arrow-up
            3
            ·
            9 months ago

            Totally! Browser and device fingerprinting are commonly used as first-line defenses against ATOs (account takeovers). There are other kinds of fingerprinting, like those that can learn about your installed hardware and drivers. Really, I’m learning about more fingerprinting methods all the time. That said, decisions are usually made based on several different information sources. These include variables like:

            • GPS geolocation
            • IP address/location
            • Time of day
            • Device ID, OS version, browser version, etc.
            • Hardware profiles, including CPU and GPU architecture/drivers
            • User behavior like mouse movement, typing patterns, and scrolling
            • Whether the user is connecting via a known VPN IP address
            • Cookies and extensions installed on the browser

            There’s even some buzz around “behavioral biometrics” to identify individuals by how they type, but this is still not the sole method of identification. It’s mainly about flagging bots who don’t type like humans. However, learning how an individual types can help you determine if a subsequent visitor is the actual account owner or a bad actor.

            In my experience, fingerprinting and adjacent identity proofs are rarely used in isolation. They’re often employed for step-up authentication. That means if something doesn’t match up, you get hit with a 2FA/MFA prompt.

            Step-up can be pretty complex if you want it to be, though, with tons of cogs and gears in the background making real-time adjustments. Like you might not even realize you’ve been restricted during a session when you log in to your bank account, but once you try to make a transfer, you’ll get an MFA prompt. That’s the UX people in action, trying to minimize friction while maintaining security.

    • EngineerGaming@feddit.nl
      link
      fedilink
      English
      arrow-up
      4
      ·
      9 months ago

      For me, it is the opposite. I would need passkeys to be like my SSH keys - not dependent on some proprietary software and never touching any cloud. For now I am a little bit afraid lock-in might happen at some point, so I wait until the technology matures enough until I can use KeepassXC for it confidently.

    • Flumpkin@slrpnk.net
      link
      fedilink
      English
      arrow-up
      1
      ·
      9 months ago

      My view is that for most people who still use bad passwords it will be a huge upgrade. So even though I use super strong passwords, every service and bank has extra security features because they must cater to simple passwords. So you have to check your email for a stupid code and shit. Or worse, give them your phone number!! Which is an outrage because it’s linked to my government id!!!

      Passkeys raise the lowest security ceiling, meaning there should be less checks needed. That’s what I’m excited about lol.