A Tour of WebAuthn

(imperialviolet.org)

290 points | by caust1c2 天前

13 comments

  • arianvanp2 天前
    There are some hairy edge cases during registration that many get wrong. (At least GitHub and google had this bug) that if create() returns but the passkey never reaches the server due to bad networking conditions that your password manager thinks it can log in but the server never recorded the passkey for the user. Basically there is no transactionality and you can get in a split brain situation where your password manager and your server don't agree and it's very confusing for end users.

    https://github.com/w3c/webauthn/issues/2038

    They apparently came up with a fix for this using something called Signals API but I don't think any browser implemented that yet.

    Just wanted to highlight that this part of the UX is hairy and hard to get right

      • compootr1 天前
        chrome is a child's toy with MV3. lmk when it's in a real browser!
        • surajrmal1 天前
          What extensions do you use which are not supported under mv3? I'm sure there are some chromium forks like brave which will also get this support for free.
          • aspenmayer10 小时前
            If I had to guess, uBlock Origin.
      • jesseendahl1 天前
        Nice seeing you here! :)
      • 1oooqooq1 天前
        now just 27 absurdly insane implementation hacks to solve.

        webauthn is the only spec born like a 60 yr old legacy technology with global adoption. everything about it is insane.

        they didn't even think about having more than one key plugged in (mostly because the use case was just so that the device own your identity so they never thought the use would have control over the hardware), and the solution is to just blink all the keys and use the first one the use touches while hoping the other keys with timeout before the use actually have to use them. so much insanity.

        • arnarbi1 天前
          “They” in this case included me and this was a deliberate fix for poor UX many years ago. We definitely thought about it and we used to blink only the key that had a credential from the allow list, because like you we thought that made the most sense. But people got routinely stuck because they just tapped a different key out of habit and nothing happened. There was no way for the browser to tell them “not that key”. Best case the reports would say the key was dead because it didn’t blink.

          We changed it to blink all keys, so that if you tap the wrong one, the browser can at least tell you something sensible and get you unstuck. This wasn’t a hypothetical shot in the dark, but something we tested and actually worked well for real users.

          I don’t disagree that WebAuthn has grown well beyond anything we could call good spec design. But it’s worth remembering that there’s /a lot/ of context behind it, and that the average user doesn’t behave anything like an average HN reader.

          > hoping the other keys with timeout before the use actually have to use them

          Both Chrome and Android will cancel requests to all other keys. If your keys are locking up until a timeout it’s more likely the key itself is buggy.

          • 1oooqooq21 小时前
            that's the kind of compromise you don't want to see on authentication code though.

            that's just the one i hit yesterday. Making software do crazy things "for the uneducated user" is a sure way to alienate both.

            but anyway. what bothers me most about passkey is that tomorrow someone will realize requiring passkeys trhu google and apple only, cuts spam more than captcha. it will happen and everyone knows it.

  • This is an excellent write-up that finally motivated me to try to understand the mess that was left behind as new standards kept being layered on top of each other.

    Given the requirement for discoverable credentials and sync, truly open/independent passkey implementations seem impossible/impractical. For example, you couldn't just have a set of Trezor-style devices that you load with the same seed and use that as your passkey without syncing the "discoverable" part of the credentials through some kind of cloud service. (The cloud service wouldn't need to be trusted with the actual keys, but you couldn't operate without it.)

    As a result, it looks like you can essentially choose which ecosystem you want to lock yourself into...

    With authenticatorAttachment, sites have been given a convenient foot-gun to make sure no single setup actually works for all sites, and with both the discoverable and non-discoverable credentials supported, inconsistency in the login flow for maximum confusion is guaranteed.

    Add to it that this is like the 4th or 5th iteration of a standard in the field in about 10 years, and there's endless opportunity to get locked out because providers migrated from one standard (or buggy implementation) to another, or start setting things up only for the 6th standard to obsolete what you had (again, potentially locking you out).

    And then people are surprised that users stick with passwords.

    • lxgr1 天前
      There is no technical requirement for discoverable credentials in most scenarios.

      Sure, not having to type your username is nice, but I'll gladly still do that if it allows "passphrase-based paper-restore-able authenticators" such as the one you describe. (I have one of these, in fact!)

      Many services I use that do support WebAuthN allow either variant to be used (i.e. they'll prefer discoverable credentials but will work just fine with non-discoverable ones), and arguably that should be how almost everybody ought to implement it.

      Unfortunately, at least as many other services completely botch it, e.g. by making discoverable credentials mandatory, by allowlisting browsers (e.g. Paypal), allowlisting authenticators (e.g. my government's e-signature platform), or by using them in a functionally braindead way (e.g. Amazon, who for completely unfathomable reasons still requires TOTP behind WebAuthn, i.e. they replace the password with it, not the second factor).

      So far I haven't noticed a strong trend towards enforcing discoverable credentials, but let's please name and shame everybody doing that. It's completely unnecessary.

      • > Many services I use that do support WebAuthN allow either variant

        The problem with "many" is that unless it's 100% of the ones someone cares about, the solution can't really solve the problem, adding an additional pain in the ass and making it easier to just stick with passwords.

        Sometimes, a lack of choices is a feature. (Compare e.g.: IPSec vs. Wireguard).

        • lxgr21 小时前
          How so? You can use the exact same password manager for both.

          > Sometimes, a lack of choices is a feature. (Compare e.g.: IPSec vs. Wireguard).

          HTTP vs. HTTPS seems like a more appropriate comparison in this context. Passwords and OTPs are really, really phishable.

    • raxxor1 天前
      Even the closed-system solution pose problems. I think it didn't get much airtime, but when Chrome switched their approach to save passwords, a lot of users lost access to their accounts. A case where a feature wasn't sensibly discontinued.

      The workaround now isn't using passkeys, something few people understand. Instead most seem to be migrating to an external password managers. Honestly, I don't have many arguments against this as these at least generate save passwords. There are many advantages to this approach.

      I believe moving forward, sticking to passwords might indeed be more viable. I think explaining users to upload their public ssl key is safer and more universal at this point.

      • portaouflop1 天前
        I use password as main auth method for everything (via a pw manager) - but then I often add passkey or similar for convenience. If I get locked out I still have the trad method as fallback; for me that’s the best of both worlds.

        If you don’t offer password as method I will not use your service. The worst are those that only offer code via email/sms or social login - miss me with that …

      • lxgr1 天前
        Passkeys are too complicated, so let's have users manage public keys manually instead? You can't be serious.
        • 1oooqooq1 天前
          except passkeys bought you a false sense of security and easy. yeah the happy path is easier because you're just generating new keys... but if the user ever gets a new phone or sit in front of another device, now passkeys are more complicated than the alternative.

          sadly the world became too dumbly complacent to question their devices.

          • lxgr1 天前
            Logging in to Bitwarden/1Password/KeePassXC/Strongbox/... takes less than five minutes, even when using sophisticated 2FA.

            Would you argue that loading a public key (load it where, actually?) is much faster? How'd you do it practically?

            • 1oooqooq22 小时前
              five minutes to click 2 buttons? anyway.

              yes, when you get your phone stolen in a trip and can't log into anything.

              or when you realize nobody cares for the 5 nerds using those and require an apple or google passkey.

    • userbinator1 天前
      And then people are surprised that users stick with passwords.

      IMHO that and a TOTP seems to be a sweet spot.

      • lxgr1 天前
        To me, they're an annoying half-measure: Not phishing/MITM resistant, yet annoying to use in practice.

        I'll still take them over SMS-OTP any day, but admittedly even that at least offers some technical benefits over TOTP, e.g. in that the relying party can tell me what I am consenting to in the message ("by entering this code, you approve a payment of $1000 to evilshop.com").

      • adam-p1 天前
        Except that TOTP codes are MitM phishable. U2F with its URL-checking (via browser cooperation) is needed.
      • Yep.

        2 factor authentication using 2 simple mechanisms is great.

        Password for most cases. And then in high value things, ask me for 2FA. For things like banks and anything money related, SMS 2FA already exists and is good enough. For normal websites, uncommon yet important actions, such as logging in (everyone can use long lived sessions these days), repo deletion on GitHub, etc, ask for me for 2FA.

        TOTP is also a really nice mechanism, especially in authenticator apps today that can backup your keys to cloud storage.

        I know "SMS" and "backup keys to cloud storage" gets the security folks off their chairs, but outside a theoretical setting they're both a perfectly good tradeoff.

    • 1 天前
      undefined
    • 1 天前
      undefined
  • eadmund1 天前
    The very first sentence is:

    > Passwords are rubbish.

    Hard, hard disagree. They’re really not. Password reuse is rubbish. Passwords human beings can remember are rubbish. But a secure password — i.e., a random value with 128 bits of entropy (such as a random 28-letter string) known only to the two parties to an authentication — is not rubbish.

    There is the very minimum amount of protocol necessary: one party asks for it; the other party provides it.

    The end user can pick his own software to manage his passwords, or none at all (a piece of paper in a wallet is remarkably secure) and the relying party to has no ability to approve or disapprove.

    I do agree that WebAuthn offers very real improvements over passwords (principally due to no longer being a shared secret), but it makes things worse for the users in a few ways. For one, the ability of relying parties to blacklist or whitelist authenticators tramples on the user’s freedom to use the software he wants. Attestation keys and enterprise attestation are user-hostile: users and servers are no longer equal parties.

    And finally, the user experience of passkeys with, say, a phone-based authenticator is miserable: one must interrupt one’s computer usage, pick up the phone, unlock the phone, open the notification and unlock the app, then put the phone down.

    All in all, while WebAuthn does offer real advantages, I am concerned by how it reduces users to mere consumers, digital serfs to their technological overlords.

    • lxgr1 天前
      > But a secure password — i.e., a random value with 128 bits of entropy (such as a random 28-letter string) known only to the two parties to an authentication — is not rubbish.

      No, they're still rubbish. Even if you make them 256 bit, passwords are bearer tokens which are reused across multiple authentications, which makes them replayable (if intercepted on the client, in transit, or server-side), phishable, social engineerable etc.

      > There is the very minimum amount of protocol necessary: one party asks for it; the other party provides it.

      And that's unfortunately too little protocol to be secure for repeated authentications.

      > [...] principally due to no longer being a shared secret [...]

      No, that's not the most important part of WebAuthN. You could get most of the benefits, i.e. phishing and social engineering resistance, from running it as a symmetric encryption protocol as well. Asymmetric keys "only" make server-side storage less sensitive (in the same way that hashing does for regular passwords).

      > The end user can pick his own software to manage his passwords, or none at all (a piece of paper in a wallet is remarkably secure) and the relying party to has no ability to approve or disapprove.

      The same is true for WebAuthN! (The only counterpoint here is attestation, but that is no longer a thing ever since Apple and Google introduced cloud synchronization for their credentials.) The difference is that you now need at least some software, because the calculations are too difficult to do on pen and paper.

      > I am concerned by how it reduces users to mere consumers, digital serfs to their technological overlords.

      Then... just don't do that! There are several open source implementations FIDO for you to choose from at this point.

      • hooverd1 天前
        Attestation is still a thing. You can still limit it to the Apple or Google platform authenticator.
        • lxgr1 天前
          Have you recently tried it?

          Attestation was most definitely removed from Apple's implementation.

          For Google, there's still a (relatively obscure) way to get a non-synchronizing/non-discoverable credential (which is then by definition not a passkey!), which then supports attestation, but that's Chrome+Android specific and wouldn't work on e.g. Chrome on Windows or macOS.

        • growse1 天前
          I think Apple deliberately don't add any attestation data in their implementation, precisely to stop services detecting (and filtering) on the fact that it's an apple-made authenticator.
          • lxgr1 天前
            I'm not sure if that's the only reason: Notably, they used to support attestation back when they didn't synchronize passkeys via iCloud Keychain, as did Google for Android.

            They basically had two choices once they did introduce synchronization: Keep attestations around, but specifically mark synchronized credentials as "not strongly device-bound" (and risk existing relying parties not looking for that flag and drawing incorrect conclusions from receiving such an attestation statement), or get rid of it entirely.

            I suspect that they opted for the latter mostly because it would require a lot of work with the FIDO and WebAuthN working groups to introduce that mechanism, not out of a selfless desire to avoid a future "big tech lock-in" (where everybody allows exactly Apple and Google passkeys, but nothing else), but I could definitely see the latter consideration also playing a role.

    • hahn-kev1 天前
      The assumption that only one party knows the password is not always (maybe even usually) incorrect. Plenty of sites store the password in plain text or hash on the server side. Meaning it's very possible for both parties to know it.
      • hahn-kev1 天前
        Ignore this, I misread what the author above wrote.
  • _Algernon_1 天前
    Just like every other piece on passkeys it does not justify them, at all.

    Passwords have problems, but less than putting all authentication secrets in a single basket or ecosystem is (which is what big tech fundamentally wants).

    Passkeys are a solution to a manufactured problem, and keeps getting pushed because it is a useful big tech honey trap that solidifies their user's captivity in their ecosystems.

    • pas1 天前
      Those are pretty strong claims.

      KeePassXC has support. Many people use Vaultwarden. And so on.

      Also, end users are already locked into Chrome and Safari (and Meta's webview and even worse fates).

      Passkeys right now has upsides and downsides, like all technology.

      I think they are both too complex/clunky on the data/spec/API side, and not complex enough on the UX/lifecycle side. But likely both will evolve based on the usage patterns that get solidified.

      • eadmund1 天前
        > KeePassXC has support. Many people use Vaultwarden. And so on.

        It doesn’t matter if other authenticators could work if a relying party refuses to allow its users to use them.

        > Also, end users are already locked into Chrome and Safari …

        Not this end user; I am typing this in Firefox right now. Not coincidentally, WebAuthn is yet another bit of complexity making it slightly more difficult to implement a browser. From the perspective of the big tech companies, end users aren’t expected to write software, or to run anything the big tech companies haven vetted.

        • lxgr1 天前
          > It doesn’t matter if other authenticators could work if a relying party refuses to allow its users to use them.

          You keep repeating that, but that's not possible anymore, since both Apple and Google removed attestation from their respective passkey/WebAuthN implementations.

          For details, see https://news.ycombinator.com/item?id=42522490.

    • greenthrow1 天前
      This is an extremely bad take. Webauthn and Passkeys do not necessitate handing over control to "big tech". They are standards implemented by open source projects as well as megacorps. Webauthn offers substantially better security than passwords, which we should all be moving away from by now.

      Disclaimer; I work in security so my opinions are informed by actually knowing what I'm talking about.

      • mardifoufs1 天前
        It might provide more security but no, more security isn't the only metric when it comes to user facing stuff like this. If it was some implementation detail in a b2b service sure. But there are a lot more variables to take into account than just "how secure it is". As a trivial example, being able to recover an account is insecure by definition, yet is almost always necessary for any user created accounts.
      • _Algernon_1 天前
        Appeal to authority does not make a good argument.

        We have witnessed the user capturing playbook of big tech for decades at this point. Ignoring what they are doing at this point is naive at best, malice at worst.

        • greenthrow1 天前
          I obviously wasn't doing an actual appeal to authority. I'm anonymous on here, so it would hold no weight even if it wasn't a poor argument. I was just being snarky because the ignorant objections are so very stupid.

          I didn't argue big tech isn't doing user capture. I pointed out webauthn is a standard and does not necessitate getting into bed with "big tech".

      • eadmund1 天前
        > Webauthn and Passkeys do not necessitate handing over control to "big tech".

        Attestation enables a relying party to deny users the right of using their own software or devices. That hands over control.

        • lxgr1 天前
          Apple and Google discontinued attestation when they introduced passkeys. It's gone.

          There are still lots of problems with passkeys, but it's worth staying up to date if you want to contribute to that discussion.

    • reddalo1 天前
      100% agree. Passwords + OTPs are the best solution, IMO. No big tech can control this, and it's easy to keep a grasp on all the credentials we have.

      WebAuthn? No, thanks.

      • How does big tech exert control over your usage of WebAuthn?
        • eadmund1 天前
          By enabling relying parties to blacklist or whitelist the devices their users are allowed to use.

          It’s one more brick in the wall preventing general-purpose computing. Want to authenticate to Banana Computers? Well, you have to use one of their oDevices, because they will not let you use a RoboPhone to store your passkeys.

          • lxgr1 天前
            You seem to be thinking of attestation, which is not a thing anymore with at least Apple's and Google's implementation. (They both had it for their non-synchronizing device-bound authenticators, but have heavily or even entirely rolled that back in favor of passkeys.)

            And since any solution excluding either of these is a non-starter, ironically the passkey push has made WebAuthN more open when it comes to client choice.

            So while I agree that Apple and Google not allowing passkey exports (yet; I am cautiously optimistic that they'll eventually be pushed to offer that too) runs the risk of locking in non-sophisticated users, the future is looking very bright for everybody posting here at least.

          • growse1 天前
            Yeah, you're missing the point of why attestation is in the spec in the first place.

            Show me a widely available service that filters authenticators based on attestation attributes?

  • treve2 天前
    Looks like an amazing resource for webauthn. Currently diving into this so it comes at a nice time for me.

    But it's also great advertising against WebAuthn. Hard to believe that this kind of complexity is needed, but as with OpenID Connect it feels like enterprise interests are running the ship, not end-users. Ease of implementation seems like a non-goal.

  • Zamicol1 天前
    WebAuthn and passkeys are a disaster.

    Much of the specs were created behind closed doors and never done in a way where we could have had outside input. They're completely corporate driven and designed to control users not empower them.

    • reddalo1 天前
      I agree. I will not use them, not as a user, nor as a developer.
    • pas1 天前
      Ah yes the closed doors of the world wide web consortium.

      https://lists.w3.org/Archives/Public/public-webauthn/

      (nb. I'm not saying the folks were easy to work with or super open to discussion, but it was not some clandestine black kitchen where it was cooked up.)

      • lxgr1 天前
        The working group is definitely quite corporate-driven – just look at who's most active in it! – and has made some bad decisions in the past (my favorite example being [1], which effectively either breaks the hardware authenticator experience for passkeys or helps Yubico sell more/higher capacity Yubikeys, depending on how you look at it).

        But I agree that one thing you can't accuse them of is not operating in the open. While I don't agree with some of their decisions, discussing feedback in Github issues as well as on public mailing lists is probably as transparent as it gets.

        [1] https://github.com/w3c/webauthn/issues/1822

        • pas15 小时前
          ... arms in a wide shrug ... well, yes, and ... it was always like this, no?

          DARPA was defense money, Xerox PARC was corporate money. The one big success I can quickly name that's "pure" is the web from CERN. (Okay I looked up, SMTP, RFC 821 from 1982 submitted by Jon Postel from ISI USC. But emails with the familiar @ were invented at a for-profit company by Ray Tomlinson more than a decade earlier.)

          I'm not saying we should just slump into apathy, I'm just trying to point out that many mostly good things came from big corps. (And the usual problem is that they still hold the keys to the kingdom. For example see how hard it is to send mail to MS hosted email inboxes. And of course they hide behind "oh our users choose this aggressive level of filtering".)

      • Zamicol1 天前
        You're right that WebAuthn was much more public, but passkey was not.

        I personally tried to stay apprised of passkey's development. After asking several developers and poking around the best I could, I was told several times that it was being primarily developed behind closed doors for corporate interests, invite-only, and wasn't ready for release. The only information available was the WebAuthn forums.

        Even now the documentation is still poor, and there's essentially no rationale to understand design and architectural decisions. We're just given a spec and expected to adhere to it.

        • growse1 天前
          Passkey is just a fancy brand/marketing name for a specific mode of webauthn (resident).

          Saying that "WebAuthn was much more public, but passkey was not." shows that you don't really have a clear and accurate mental model of what passkeys are. Maybe TFA might help?

  • xenophonf2 天前
    I've always wanted to write a serverless OIDC provider/SAML IdP but got stymied by the WebAuthn standards, which don't seem to be written for normal people. :( But this e-book looks like it might have enough actual code interleaved with exposition to serve as more than just a high-level intro.
    • caust1c2 天前
      Adam Langley is probably one of the most gifted teachers when it comes to explaining cryptography concepts. Very clear, concise, precise, and makes it simple enough for me to follow without getting my neurons all knotted up.
      • jf2 天前
        Agreed, I implemented TLS key pinning for a project at Okta using one of Adam's blog posts
    • cyberax2 天前
      OIDC providers are surprisingly NOT complicated! I created one to implement single sign-on with AWS, and it ended up being only around 200 lines of code in Go. All you need to do is create a JSON blob that is signed by a public key that is known to the consumer of the IDP.

      I'll need to do a write-up for it.

    • nmadden1 天前
      Yes, the WebAuthn spec is pretty unreadable. Every time I open it I feel like I’m lost in a maze of twisty hyperlinks, all alike.
  • ggm2 天前
    It interested me how quickly all of my auth methods started to include "pick the right one of three presented numbers" tests after TOTP got widespread. I'm guessing there is some replay method which they wanted to prevent? This is distinct from in protocol large random value challenges, it must be to ensure a Hooman, or very numerate dog is actually present.
    • g_p2 天前
      TOTP codes are phishable and repayable in real-time - both via web (visiting the wrong site which asks for a TOTP and relays it within a few seconds), and via social engineering over the phone (give us one of the codes to prove it's you and we can keep your account safe).

      Adding number matching or similar helps ensure that the same user is initiating the session as is approving it - an issue when people discovered that Microsoft (among others) would do push messages to authenticate a login, and that users (if spammed late at night with constant requests), would often eventually hit allow to stop the notifications.

    • hirsin2 天前
      Pick the right number is not secure (enough), unfortunately - MFA exhaustion leads to users hitting one of three at random in an attempt to "make the notifications stop" (that are, naturally, being spammed by the attacker with a password but no mfa).

      The attacker just has to spam them a few dozen times to get the victim to pick the right one at random and let the attacker in.

      This is why it's switched on good platforms to "type in the number you see", which mitigated this.

      • lxgr1 天前
        That's slightly better against people essentially accidentally letting attackers in, but still completely phishable by e.g. tech support scammers.

        The big advantage of WebAuthN is that (at least for sane implementations, including all I've seen) there just is no way to enter an attacker-provided number and/or supply a displayed code to an attacker.

  • zcdziura1 天前
    Can anyone recommend a good dummy passkey provider to use when developing and testing RESTful authentication services that will rely on WebAuthn? Every example that I've seen online for interacting with a WebAuthn service assumes that you're working within the context of the browser and can use the Navigator APIs.

    I like to use regular ol' cURL when testing out API endpoints, and it would be great if there were some kind of dummy CLI program that I could use to generate the WebAuthn key agreements and materials.

    • echeese1 天前
      In Chrome Devtools, in the bottom panel, you can select WebAuthn, click Enable virtual authenticator environment, and create all the test passkeys you desire.
    • lxgr1 天前
      What exactly are you trying to test? Is there even a non-browser standard/protocol for using WebAuthN (which is a web standard, after all)?
      • pabs31 天前
        There isn't even a non-JavaScript way to use WebAuthn, let alone a non-browser way to use it. You could manually rewrite the JS for each site into curl calls or something I suppose.
  • jgalt2121 天前
    Credential stuffing would be a much less effective strategy is web apps went back to string-based usernames, and not email-based ones.

    Also, I hit CTRL-F on this post for the term "portable", and I got zero hits. Both passwords and SSH keys are trivially portable. Not so much with WebAuthn passkeys.

    • lxgr1 天前
      Hopefully it shouldn't take much to get there. Bitwarden/Vaultwarden already allows exporting the private key and (as far as I can tell) all other metadata required by another implementation to import them.
    • lxgr1 天前
      Let's please not. Password recovery flows are hard enough to get right and usually suck; adding username recovery on top of that doubles the opportunity for locking legitimate users out.
  • lapcat2 天前
    > A passkey is a synced, discoverable WebAuthn credential.

    This is my fundamental problem with passkeys: I don't want to use any syncing service.

    To be clear, I don't want to deprive other people of the ability to sync their credentials; I simply want to opt out myself. I just want to be able to manually back up and restore my credentials, like I've always done with passwords, but the passkey vendors seem to want to refuse to give anyone this ability. The vendors claim that this is to make phishing impossible, but I abhor paternalism in all forms, and also it's suspicious that this paternalism forces people to use the syncing systems of the passkey vendors, which are usually paid subscriptions. So passkeys become an endless supply of money for the vendors.

    It's very telling that passkeys were designed and shipped without any export/import mechanism. You can plainly see the priority of the passkey vendors, which is to lock you in. Allegedly, export/import is coming sometime in the future, but I strongly suspect that they'll end up with some kind of "approved provider" system so that the big passkey vendors can retain absolute control and avoid giving power to the users.

    • amlozano2 天前
      This is the exact reason I self host vault warden. I get all the convenience of syncing passkeys, but know that I am the only one with access to the back-end.

      I am also slightly paranoid as a security engineer, and admit that whole heartedly.

      • g_p2 天前
        I share your paranoia and felt that passkeys were a step back as anything getting access to your browser extension memory can realistically dump both your "password" and MFA ("passkey") in one move.

        I wonder if there would be a way for vaultwarden to wrap passkeys such that a hardware FIDO2 key is needed to decrypt them "per-use", and prevent software on the host from stealing a pile of passkeys that give direct access to accounts without further MFA.

        Right now it feels like passkeys in the password manager is akin to storing MFA seeds and recovery keys in the same password manager...

        • briHass2 天前
          I'm also waiting for a password manager that tightly integrates with a hardware device to protect passwords individually and in-memory.

          I wrote a quick PoC using certificates to encrypt a password, with the cert private key 'stored' in the TPM, with a PIN. This is pretty easy on Windows, which exposes the TPM as a special crypto provider.

          • g_p1 天前
            That's a pretty neat solution. I like that idea.

            If you wanted to go a step further, you could use a smartcard with hardware PIN reader as a PKCS11 crypto device, and use that to decrypt the long lived keys in the store, then pass it back to the host encrypted by a platform-protected key to be decrypted and used.

            If you could get the right implementation specifics together, you could likely then have the smart card simultaneously re-encrypt the credential with a key bound to PCR state of the TPM via a policy. You'd then decrypt that ciphertext on TPM without a PIN, but conditional on PCR state of a couple of PCRs that represent your system like the secure boot toggle state and allowed CAs.

            That lets you be a bit more "cross device" than a fully TPM solution does, though your certificate technique works fine as long as you keep an offline backup for enrollment if anything changes on your system.

        • MaKey2 天前
          Storing the passkeys on a device protected by a PIN is an option too. Example: T2F2-PIN+ Release3 by Token2 can store 300 passkeys.
          • g_p1 天前
            That's a fair point, although as the PIN is validated locally, you could argue from the server perspective you gain a second (knowledge) factor, but from a local perspective it's entirely correlated with the existing stored factor (a weakness in the local device implementation can skip that PIN check and yield the result).

            Perhaps this is excessive, but it's a model where I like to see layers of security that depend on different, uncorrelated failures being required to bypass them.

            Today if you want to get into an account using "FIDO2 as MFA" you need both the account credentials or ability to reach the Fido prompt (say password reset), and the hardware token device (with optional pin). The device alone being compromised shouldn't get you into the account.

        • amlozano2 天前
          For anything that is important enough, I put passkeys on 2 separate FIDO2 key devices directly. Services that come to mind are things with recovery backdoors; like email or device backups. Unfortunately many banks and financial institutions don't support passkeys, but I'd consider using that solution there too.
    • ylk2 天前
      Just use a password manager that doesn't sync by itself then

      https://keepassxc.org/docs/KeePassXC_UserGuide#_passkeys

      • g_p2 天前
        The downside of this (at least in my personal view) is it's a regression from the elevated security you got with non-resident FIDO/U2F MFA.

        The moment you go "passkey" and have to use a system like the one you suggest, you need to trust software based storage of long term credentials.

        That isn't the case with a hardware FIDO2/U2F token, which has unlimited capacity for non-resident MFA keys the server holds for you to decrypt and use locally to sign login attempts.

        I liked that FIDO seemed to get towards hardware backed security modules for login, without cognitive load of worrying about number of sites and yubikey slot capacity. Resident Webauthn keys limit the number of sites you can have, and push you towards software based solutions (so you lose out on doing the crypto on the single purpose, limited platform that's dedicated to generating those signatures).

        • ylk2 天前
          I agree that it's annoying that there's now a limit on the amount of credentials you can store on hardware keys. But while older Yubikeys only support 25 resident keys, models with firmware 5.7 onwards support 100. That probably makes it feasible to exclusively store passkeys in hardware. https://www.yubico.com/blog/empowering-enterprise-security-a...

          However, I don't know whether it's possible to delete only a single resident key you no longer need.

          • g_p2 天前
            Yeah, a fair point (though if you can't manage keys one by one that seems a massive usability issue and oversight with no safe path to resolution).

            This adds another step needing considered for a user, as finite storage means a whole edge case to consider (can't register as slots full), and no simple actionable step to take ("which account would you like to never be able to log into again?" or "sorry you need to wipe this key and lose everything, or buy another one")

            I feel there is a usability aspect of FIDO2 (for non-resident MFA) that is being overlooked - the paradigm was simple - a physical key you don't lose, and you can have multiple keys. The gotcha was no way to replicate backup keys, which becomes fairly difficult for users. But hey - passkeys launched with no export or migration process between closed device ecosystems!

            From my perspective though, I won't use passkeys until I get sufficient control over them to be allowed to decide if I want to make them "resident" or not. (I don't want resident keys!!)

            I want to use non-resident keys everywhere as a hardware-backed second factor that is phishing resistant, without capacity limitations (so zero cognitive burden on whether to use or not).

            It feels like a regression for passkeys to be forgetting about what (for me at least) was the core basic use-case of FIDO2 - as a highly secure second factor for someone who already can manage storage of secrets in software, and just wants high assurance phishing resistant MFA during their conventional login process.

            • > Yeah, a fair point (though if you can't manage keys one by one that seems a massive usability issue and oversight with no safe path to resolution).

              You can, it’s part of CTAP2 and various apps like Yubico Authenticator are available to do it.

              It’s not user-friendly, but it is possible.

              • g_p1 天前
                Thanks - yeah it seems like this is supported in FIDO 2.1 (but not 2.0). I suspect this is only implemented in Yubikey 5.7 and above.

                Once the technology is there to support it, hopefully the user experience part can be improved with time.

                Ref in the standard - https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-cl...

      • lapcat2 天前
        There's no browser extension available for Safari: https://keepassxc.org/docs/KeePassXC_GettingStarted#_setup_b...
        • lxgr1 天前
          For macOS/iOS, you could give Strongbox a try: https://strongboxsafe.com/

          I haven't really looked into it myself, but it seems to be using the same database format as KeePass, and it hooks into macOS's "FIDO provider" API, which makes it accessible to not only Safari but all browsers that use it (which includes Firefox and Chrome on macOS, and probably everything on iOS), without requiring any browser-side extension.

    • no_wizard1 天前
      At some point, you have to trust something. Thats how I feel about WebAuthN and syncing services.

      Ideally, some of this could actually be solved by having a government organization that provides this and is regularly updated / audited etc. but in the US at least, we are not in any place for that to happen, so you need to pick a provider.

      Apple is reasonably good at this, if you're in their ecosystem. Can't speak for Google. 1Password has been very good to me as well, and there are Yubikeys too.

      Nothing is perfect, but this is a far, far far better state than were it was heading before WebAuthN

      • lapcat1 天前
        > At some point, you have to trust something.

        If by "something" you mean an internet syncing service, then no, I don't.

        I do trust my own backup methodology.

        • no_wizard1 天前
          Some service. I’m not saying you have to trust what I trust.

          Personally I’m a big 1Password fan and have been in the Apple ecosystem for a very long time as well.

          Most security folks I trust also vouch for them, as far as practices and effectiveness goes of their software.

          But you’ll need to trust something somewhere, and you might even need to expose it to a network in some cases.

          The one thing I really like about Yubikey is it doesn’t require a network connection at all to work, but it never caught on generally for that model to be widespread supported so I have found while I do use my Yubikey a fair amount there are still things that don’t accept it that I wish did

          • lapcat1 天前
            > But you’ll need to trust something somewhere, and you might even need to expose it to a network in some cases.

            Again, no, I don't, and you still haven't explained why. Unless you mean that the big tech companies will force me to use a sync service whether I want it or not.

            Moreover, you've ignored my point about paid subscriptions.

    • lxgr1 天前
      > The vendors claim that this is to make phishing impossible

      They do? I don't see how, since non-discoverable WebAuthN credentials make phishing just as impossible.

      The only thing discoverable credentials allow on top of non-discoverable ones is avoiding having the user type in their username or email address.

      • drhuseynov1 天前
        yes, that is for "usernameless" login, in addition to passwordless. Does not increase security, improves usability a bit
    • Elucalidavah1 天前
      Not to mention that a better security would involve a master key, and revocable subkeys signed with it, one for each device, instead of syncing. Not to mention n-of-m requirements.

      And sure, I understand that most people need the paternalistic form, whey they are not given any guns and are also unable to export their keys from some service.

      For example, with TOTP, the key is given to the user in the QR code, but common authenticator apps are unable to export the same data after it was imported. But not all; and the only bad thing about this is that the export restriction is a surprise to those who didn't expect it.

    • somat1 天前
      I was messing with implementing webauthn the other day, mainly because I like public key authentication. I was hoping for something sort of like ssh keys. and they were close, so close, to having something good that could replace password auth. and then they break it by requiring a hardware token, Yes, a hardware token is better, but I am not going to require users get a hardware token. there are working software token systems built into the browser but they are gated behind dev tools, again something I am not going to ask of users. and just to spit in whatever goodwill they have left, to make it really unusable, there is this weird mandated "no user interface" policy in the standard. making near impossible to manage keys. The keys are critical in a public key auth system. but "no, we are disallowed, by the standard, to give you an easy mechanism to back up and restore keys"

      If I were more conspiracy minded, I would suspect some sort of agent provocateur ruining our standards. However, I am unable to come up with a profit motive, so my only conclusion is incompetence.

      • lxgr1 天前
        > I was hoping for something sort of like ssh keys

        SSH keys (and any other keypair shared across services) are a non-starter on the web for privacy reasons. (See also: `ssh whoami.filippo.io`.)

        • somat1 天前
          The implementation ends up being a new key gets generated per domain, which is actually what you should be doing with your ssh-keys as well something like "ssh -i server.domain.net server.domain.net"

          Because webauthn is such a nonstarter I am actually going to try and half-ass it using SubtleCrypto.sign() and friends. sort of mimic the webauthn api. This is really just a weekend project, nothing important. but I feel really stupid every time I work on it, mainly because of how ridiculous it is to have your key infrastructure managed by the service you are logging into.

          However due to domain sandboxing I have half convinced myself it is as secure as using a cookie to auth the person, perhaps even a little better because I never have to see a secret. then fall into despair again on how stupid this whole endeavor is, because I could see the keys anytime I want to. (sighs, shakes fist at the sky) why could you have not made webauthn usable?

          • lxgr1 天前
            What specific gripes do you have with WebAuthN that makes you want to reimplement it?

            All the problems I have with it as a user originate from either reyling parties doing dumb/user-hostile things (enforcing resident keys even though I'm perfectly capable of remembering my email address or my username, improperly layering WebAuthN with existing second factors etc).

            These are possible because WebAuthN is trying to provide for many use cases at once, but I've never felt like it was missing something, and user-friendly behavior is definitely possible. I've seen many examples at this point.

            • somat20 小时前
              No good way to manage(save/restore) the keys. but the real killer for me was that it requires a hardware token to work, while a hardware token is better, it sort of sucks as a hard requirement for all users.

              Really, I don't want to reimplement webauthn, I will will probably be sticking with basic auth as it just works. However, I was hoping to finally get decent public key auth. and webauthn is close, really close, but it is like the designers gave up at the last second and said "no, we don't want this to work in the general case", all it would have took was to say software token are an ok fallback. I was so close that out of frustration I spent a weekend with an experiment to make public key auth work for everybody. It works, but is a bit pointless as then I, the service needing to authorize somebody, is the same person providing them their public key management system. I might as well cut out the all the ridiculous bit twiddling and just use cookies for all the security that grants the end user.

      • You used to be able to generate X.509 client authentication certificates (well technically CSR) right in the browser with the since removed <keygen> tag. Ergonomics weren’t that bad, until a user forgot they had a certificate on their broken PC.
        • lxgr1 天前
          As somebody that used to use them for a while: The ergonomics of TLS client authentication in the browser were abysmal. And that's to say nothing about the privacy consequences.
          • iirc managing them was buried super-deep in the browser settings (just like managing resident keys, browsers don’t even do that), but enrollment was fairly simple from a user PoV - submit a form and the server sent back the certificate, iirc you had to confirm a scarily worded dialog (or maybe import it manually? Not sure). Login was smooth if I remember it - just a pop-up if you want to use the installed certificate. Privacy should be fine with TLS 1.3 but would’ve been nonexistent with the contemporary SSL/TLS versions of course.
            • lxgr1 天前
              > Login was smooth if I remember it

              That's unfortunately not how it works. TLS sits at the transport layer, so it's not possible for a website to use these certificates for a "login-like flow". The site doesn't get to present to the user why and to whom they are authenticating, since transport layer authentication has to happen before HTTP even gets a single request in.

              There is also no "logout" button. It shares these UX problem with HTTP "basic authentication" (even though that's technically an application layer protocol).

              On top of that, TLS is these days often terminated by a load balance or even a completely separate entity like Cloudflare. Not sure if you can configure these to request client certificates at all; even if you can, it makes things pretty awkward if you want to have closer control of the authentication flow.

              > Privacy should be fine with TLS 1.3

              It's not fine at all. Any HTTP server can request your client certificate, and most users would probably not think twice before clicking "authenticate", which then reveals their long-time stable certificate and public key to a potentially malicious server.

              Compare that with WebAuthN, which makes it intentionally impossible to accidentally present the certificate for a.com at b.com.

    • 2 天前
      undefined
  • OtomotO2 天前
    [flagged]
    • growse2 天前
      > I don't give a fuck if other people can't manage secure passwords.

      Sure you do. When your local tax office / hospital / large data holder of your personal data has an administrative interface that only uses passwords, then the administrator gets fished and your identity stolen, suddenly you care a great deal.

      • tshaddox2 天前
        That seems like a separate problem, since no authentication mechanism can somehow force a competence floor onto your local government office. Even if passkeys become the industry standard (or even required by law) your local government office will always rise to the challenge to lose your data, leak your data, sell your data, etc.
        • tptacek2 天前
          Phishing isn't a competence issue. This is well studied. In practice, even security practitioners trained to be vigilant against phishing attacks fall to targeted ("spear") phishing attacks of suitable sophistication; that's the impetus behind phishing-proof authenticators like U2F and WebAuthn.

          Phishing is a technology issue, not a user issue.

          • frogsRnice2 天前
            I work in the security space and fell victim to an internal campaign as they sent a very enticing looking email at a point where I was on leave and my grandfather just passed.

            You simply cannot know what mindset youll be in when you get phished :)

            Edit: To clarify i was itching to work because it helps distract me from the reality that someone so dear to me was gone forever. I didnt want to cancel leave though because my output would have been absolutely turdy

          • noprocrasted2 天前
            Problem is that passkeys aren't resilient enough to loss of the authenticator device, which means a fallback flow is always made available, that is vulnerable to phishing/MITM/social engineering.

            This is even more pronounced thanks to the efforts to roll out passkeys to the masses. Most of them don't understand what they're getting into and are most likely gonna get themselves locked out quite quickly, which may mean recovery flows need to actually become more relaxed than they currently are.

            • tptacek2 天前
              I'm not interested in litigating the broader question of Passkey-only login setups, only in spelling out why the field cares so much about phishing-resistant authenticators, which password managers and random passwords do not provide.
          • stavros2 天前
            Can confirm, I know all about cryptography and security and the things, and I still got phished for a bunch of cryptocurrency. The only thing that saved me is that it was in a hardware wallet, so it was physically impossible to steal. Otherwise I was ready to happily paste my private key into the (official-looking) form and domain.
            • DaSHacka2 天前
              > Otherwise I was ready to happily paste my private key into the (official-looking) form and domain.

              Sorry, why would you ever disclose your private key to some online forum? I can't see a situation where it makes sense.

              Clearly there's something I'm not thinking of, so I'm genuinely curious

              • simonw2 天前
                I think you misread the word "form" as "forum" there.
                • DaSHacka1 天前
                  Ah you got me, though I don't think it changes that much.

                  Even with an online 'form' (presumably a phishing page) I don't understand why anyone would ever upload private keys for their wallets.

                  In the case of exchanges, users typically don't get access to the private key for the wallets anyway, so pretending to be an exchange to phish for something the victim can't even provide wouldn't make sense.

                  In the case of a local wallet, the whole purpose is personal ownership of the coins—which obviously becomes moot when sending the private key to some random person—so I don't see why a user would upload them in this circumstance either.

                  Though yes, the situation is certainly more understandable than GP posting private keys to an online 'forum' ;)

                  • pvg1 天前
                    I don't think it changes that much.

                    There's overwhelming empirical and anecdata evidence people make mistakes and fall for phishing. If that doesn't change your mind that much, it's not obvious what reasonably could.

        • growse2 天前
          Sure, but you're moving the goalposts. We're comparing a system that relies exclusively on passwords Vs one that relies on webauthn.

          The operational competence of the dba is the same in both cases.

      • jiggawatts2 天前
        Or they store your password insecurely — plain text or merely “encrypted” with XOR.

        I still see both of those regularly.

      • dheera2 天前
        Everything boils down to some password or key (effectively a long password) access to some SQL instance.

        Anything on top of that is just fluff. The database can still be compromised directly.

        • hirsin2 天前
          Keys are _not_ just long passwords. They're asymmetric. Feel free to steal any and all of my webauthn public keys.

          Heck, here's one: "kty": "EC", "alg": "ECDSA_w_SHA256", "crv": "P-256", "x": "xYkEVgMClD28hXHn5JQjrgjRX3crmr0OhGiWKsLvxUY=", "y": "5lZZGFF6VrVubIHfRhGbvQBGpw6LcbP3/ZBVk7PqH0Y="

          It's what you'd get if you somehow got into the db and decrypted it.

          Now, do feel free to give me your nice symmetric secret password, since it's the same, yeah?

          • dheera1 天前
            Keys can be symmetric or asymmetric depending on the algorithm.

            From the standpoint of a non-technical user, they're not any different in nature; a password and a private key are both just strings that give full access to your account. One is easier to remember (password), one is harder to remember (key). The one that is harder to remember usually ends up in a Google doc, iCloud, or saved as a text file.

        • growse2 天前
          There's a difference between fluffy that's phishable (passwords) and fluff that isn't (webauthn).

          Not all fluff is equal.

          • dheera1 天前
            How is Webauth'n Crunch not phishable?

            Most implementations throw about 20 "recovery codes" at you and at the absolute fucking worst possible moment while the user is trying to do something urgent, they say "save these in a secure place right now".

            It's not 1, but 20 passwords that ALL give access to your account. Where do you think those codes go?

            They are not only phishable, but they usually end up in a Google doc, screenshotted and pasted to Notion, or some other insecure place.

            • growse1 天前
              We're talking about webauthn, not recovery codes.
    • simonw2 天前
      We have decades of supporting evidence that passwords are rubbish at this point.

      Congratulations on being able to maintain good password habits yourself. It sounds like you already know how vanishingly rare that is.

    • arccy2 天前
      and yet everyone recommends ssh keys over passwords. passkeys are just the ssh keys of the web
      • onli2 天前
        Ssh keys are files that can be moved easily from device to device. That's very different to using e.g. your proprietary macbook internals as your login key. Completely different lock-in.
        • aseipp2 天前
          You can just enroll multiple keys from different devices, just like you do with SSH, that's the recommended way. But even then, there are software implementations of WebAuthn, like 1Password. You can then use the local TPM as a "last mile" authentication mechanism to quickly and effectively unlock your local encrypted password database and then get the needed key material to do WebAuthn. I use this across all my devices e.g. to login to GitHub, even on my iPhone.

          You could accomplish something fairly similar to this for SSH keys actually (an encrypted sync layer + deriving master keys from a local trusted source), but I don't think anyone has done this to the same level of polish.

        • pabs31 天前
        • Scion90662 天前
          A passkey is a synced, discoverable WebAuthn credential. While many implementations protect the private keys with additional security measures like secure enclaves or TPMs, it's not required. If you want to use an implementation that doesn't use those types of lock-ins, even when they're there to protect your credentials, you can. Multiple software-only implementations exist.
          • eikenberry2 天前
            Until they start trying to enforce attestation. Then your only choice will be giving a large corporation control over your online access.
      • timewizard2 天前
        [dead]
    • 2 天前
      undefined
    • paulddraper2 天前
      > I don't give a fuck if other people can't manage secure passwords.

      I infer that you use a password manager.

      Consider passkeys as a standardized interface for password managers.

      • sam_lowry_2 天前
        > Consider passkeys as a standardized interface for password managers.

        I have not followed WebAuthn spec for a while but I vaguely remember that the spec discouraged software-only authenticators.

        Which made me feel like WebAuthn is yet another attempt to take the power from users and even states and concentrate it in the hands of a few multinationals controlled by US government.

        Pretty much what happened to Certificate Authorities and the push to use HTTPS everywhere.

        Of course there are benefits to HTTPS Everywhere and to passwordless authentication.

        But they do not outweight concerns over the digital autonomy of my country.

        • aseipp2 天前
          For ordinary websites none of the existing platforms support WebAuthn attestation AFAIK, because the spec for attestation was not designed with key synchronization in mind, which is a key use case; otherwise, basic features like Keychain synchronization via iCloud would not work and the whole thing would be DOA. Synchronization is widely considered to be a core necessity to match the functionality of existing password managers.

          I believe you can enforce attestation using MDM and a custom app as far as I'm aware. But for general people using Safari or whatever, you can't request any kind of device attestation.

        • paulddraper2 天前
          1Password supports passkeys, and I am sure that others do as well.

          Given the convenience factor (no extra install), I imagine that device/platform passkeys to be the most popular, but there should be no problem with using alternatives.

      • josephcsible2 天前
        If the passkey protocol didn't support attestation, then that would be true. But since it does, passkeys aren't as good, since I can't make my own backups of them.
        • Scion90662 天前
          Generally attestation is not supported outside of enterprise contexts and Apple for example doesn't support it without mobile device management policies being applied to the device.

          You can make your own backups of passkeys from your password manager.

          I believe you are confusing ones that are stored in software or syncable (Passkeys) with the hardware backed credentials (platform authenticators).

          • josephcsible2 天前
            > I believe you are confusing ones that are stored in software or syncable (Passkeys) with the hardware backed credentials (platform authenticators).

            The problem is that the protocol allows websites to require use of the latter. If the two were indistinguishable to the website, then passkeys would be a good thing.

        • aseipp2 天前
          You're confused. You can use software that doesn't provide backups or clear exports, but attestation is not supported for any widely used websites or WebAuthn software because it defeats synchronization, something pretty much everyone widely considers to be a benefit. It would for example completely negate the ability to synchronize passkeys over something like iCloud, whether or not it had the ability to export keys in a standardized format. Attestation is basically a boondoggle solely for corporations with device management policies, so they can use a standard protocol/framework at the app layer while still enforcing stuff they already enforce.

          The amount of people in this thread who don't understand the very basics of this stuff is a pretty good counterexample to the common trope they somehow "know better." I kind of doubt that when many people here can't even get the basics straight.

          • josephcsible1 天前
            Couldn't, e.g., Apple implement attestation in such a way that you can move credentials between Apple secure enclaves, but still never export them in a way that you have control over them? That's what I'm worried about.
        • madeofpalk2 天前
          I don't believe there's any (public, stable) implementations of it yet, but Secure Credentials Exchange will let you export, transfer, and backup passkeys

          https://fidoalliance.org/specifications-credential-exchange-...

          https://fidoalliance.org/specs/cx/cxp-v1.0-wd-20241003.html

          • josephcsible2 天前
            That lets the megacorps make backups for me, but it doesn't let me make my own backups, because they'll only encrypt them to each others' public keys, not mine.
      • OtomotO2 天前
        I do, so I have a working solution.

        I am not migrating to something just because it's new.

        My solution works for me. If it doesn't anymore, I'll see what I'll do.

        Depending on the service I'll swallow the bitter pill and use another solution or simply not use the service anymore.

        Every and any decision has consequences, on any side.

      • dheera2 天前
        Passkeys and 2FA recovery codes are all just shitty replacements for passwords.

        Fight me. Grandmas and Joes end up putting these recovery codes in a Google doc because they don't know what the hell else to do with them. That is NOT more secure.

        Hell, even try explaining the difference between the "secret key" and the "password" in 1password to a non-technical person. It's impossible.

        • paulddraper1 天前
          > That is NOT more secure.

          "More" implies a comparison to something.

          Given that Grandmas+Joes were using "passw0rd!" for all their passwords, I would argue their GDoc of backup codes is considerably more secure.