I kinda hate the push towards passkeys. If you have two factor Auth, going to passkeys makes you go back to 1 factor, aka less secured.
There’s also more and more 2FA fatigue attacks going on, and they can affect passkeys too, and if you don’t have a 2FA that involves the user writing a code on the 2FA device, passkeys could be quite possibly worse than passwords
SSH keys without passphrases are just fancy credential files sitting in your .ssh/ directory, basically like writing your passwords on paper and leaving it in your desk drawer.
Well, the main reason I do it every time is because I’m just too lazy to setup pinentry.
But yeah, for the Bluetooth keyboard, I realise I better get off it.
I had mine on paper for years before i learned about Keepass. I trusted it more than a cloud based manager because someone would have to physically be in my room.
I am a lot more careful these days but that is not beyond the pale for a lot of folks haha
Yeah. Passkeys are something I would love if they were a second factor because they are so much better than any other 2fa. And I use my yubikeys as second factors where I can. But why the hell would I not want a password too?
Passkeys are always supposed to be protected by another layer of authentication. e.g. a password should be required to unlock the passkey. If your passkey don’t do that, stop using it.
If I provide passkey support and still require a password, most users will get annoyed and not bother. If I provide it as a replacement for password, then I can get them onboard more often. I’d rather have them using passkey than sticking with password.
It’s different. It’s still two factors if implemented correctly: 1. Possession of the passkey (better if you have a physical token, but passkey on your phone is passable). 2. Knowledge of your password (or bio authentication if you use face id or w/e).
Note you are not giving your password to the website, and if a hacker gets hold of your password they still can’t do anything without your passkey device.
It’s client specific and my phone requires whatever can unlock the phone and chrome requires either windows hello or a pin if under linux.
Certain implementations do whatever, and as far as the backend is concerned, there’s no way of knowing, unless you want to get into the business of locking down specific vendor keys…
But I say MFA is overrated versus just getting away from generally crappy password factors. Also passkeys are less phish-able than OTP type solutions.
Yes, it’s implementation specific, in this case your phone, or your browser is the passkey “device”. And as long as it’s protected by some form of authentication it’s OK (though I would recommend a hardware token over phones/browsers). If it doesn’t then you shouldn’t be using that “passkey”. Yes, there is no way for the website you are authenticating with to know whether your passkey is safe or not, choosing a secure passkey implementation is (unfortunately) the user’s job. But it’s the same with more traditional 2FAs, e.g. you can store your TOTP secret securely or insecurely, and the website will have no way to know.
You are supposed to have two redundant ones. Hooked up to every service. One leaves the house with you, the other stays in a safe, and you rotate them periodically
and nobody is gonna fucking do that lol
Mine are USB-A and USB-C so no two computers can use both. One of them randomly quit working (something in the OS dropped support for it maybe?) but then I think started working again?
At an old job I had a lot of control over my own infra and I used my HSM to log in to my forge. I haven’t used it daily in years now.
I kinda hate the push towards passkeys. If you have two factor Auth, going to passkeys makes you go back to 1 factor, aka less secured.
There’s also more and more 2FA fatigue attacks going on, and they can affect passkeys too, and if you don’t have a 2FA that involves the user writing a code on the 2FA device, passkeys could be quite possibly worse than passwords
I think this post is about git CLI, not www.github.com.
SSH keys are very secure and you can still encrypt them with a password if you wish.
SSH keys without passphrases are just fancy credential files sitting in your
.ssh/directory, basically like writing your passwords on paper and leaving it in your desk drawer.Yeah, but who wants to type in a password everytime they push/pull?
I do it.
Every time.
And I keep a wired keyboard for it.
Get a load of Ross Ulbricht ovah here!
Well, the main reason I do it every time is because I’m just too lazy to setup
pinentry.But yeah, for the Bluetooth keyboard, I realise I better get off it.
TIL some people store SSH keys unencrypted
I had mine on paper for years before i learned about Keepass. I trusted it more than a cloud based manager because someone would have to physically be in my room.
I am a lot more careful these days but that is not beyond the pale for a lot of folks haha
It’s not about encryption/security it’s about creating something that can’t be phished.
We know that 2fa is secure. But if an attacker can trick you into giving them the code, or typing it in a fake box. Then they own you.
Passkeys are made so that there’s nothing to give, nothing to type. You must control the device.
SSH keys are more like passkeys than passwords.
I’d love to see the state of online banking if everyone were to manage their own ssh keys
In all seriousness, they are similar, but not quite in this context.
There’s a good project on how to make ssh key infra more scalable and innately secure. Then you can use passkeys on top if you’d like.
https://github.com/openpubkey/openpubkey
https://github.com/openpubkey/opkssh
I personally use this on all my servers.
Most people couldn’t figure out how to download a binary release from a GitHub repo, much less clone it, regardless of HTTP or SSH.
True, not the point though
Yeah. Passkeys are something I would love if they were a second factor because they are so much better than any other 2fa. And I use my yubikeys as second factors where I can. But why the hell would I not want a password too?
Passkeys are always supposed to be protected by another layer of authentication. e.g. a password should be required to unlock the passkey. If your passkey don’t do that, stop using it.
If I provide passkey support and still require a password, most users will get annoyed and not bother. If I provide it as a replacement for password, then I can get them onboard more often. I’d rather have them using passkey than sticking with password.
No phishing
It’s different. It’s still two factors if implemented correctly: 1. Possession of the passkey (better if you have a physical token, but passkey on your phone is passable). 2. Knowledge of your password (or bio authentication if you use face id or w/e).
Note you are not giving your password to the website, and if a hacker gets hold of your password they still can’t do anything without your passkey device.
Uh… What password?
Passkey should ask for a password for unlocking. If it doesn’t then it’s not implemented correctly.
It’s client specific and my phone requires whatever can unlock the phone and chrome requires either windows hello or a pin if under linux.
Certain implementations do whatever, and as far as the backend is concerned, there’s no way of knowing, unless you want to get into the business of locking down specific vendor keys…
But I say MFA is overrated versus just getting away from generally crappy password factors. Also passkeys are less phish-able than OTP type solutions.
Yes, it’s implementation specific, in this case your phone, or your browser is the passkey “device”. And as long as it’s protected by some form of authentication it’s OK (though I would recommend a hardware token over phones/browsers). If it doesn’t then you shouldn’t be using that “passkey”. Yes, there is no way for the website you are authenticating with to know whether your passkey is safe or not, choosing a secure passkey implementation is (unfortunately) the user’s job. But it’s the same with more traditional 2FAs, e.g. you can store your TOTP secret securely or insecurely, and the website will have no way to know.
Also, what happens if your device with the passkey fails?
Like the drive craps out?
You are supposed to have two redundant ones. Hooked up to every service. One leaves the house with you, the other stays in a safe, and you rotate them periodically
and nobody is gonna fucking do that lol
Mine are USB-A and USB-C so no two computers can use both. One of them randomly quit working (something in the OS dropped support for it maybe?) but then I think started working again?
At an old job I had a lot of control over my own infra and I used my HSM to log in to my forge. I haven’t used it daily in years now.
That sort of thing is the push I need to get entirely off of Github
It’s still more secure than password+sms/email
Barely.