- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
DNA companies should receive the death penalty for getting hacked | TechCrunch::Personal data is the new gold. The recent 23andMe data breach is a stark reminder of a chilling reality – our most intimate, personal information might
Unfortunately, even that’s not enough. That’s often a user choice to enable, and otp itself is a flawed system. (be that email, sms, or timed)
Really, services should be transitioning to Passkeys, however adoption of a new standard always takes time. There are not a huge number of services that have implemented them yet. Here’s a list
TOTP is better than no TOTP/2FA.
It sure is. My point is that users often don’t enable 2fa even when available, while those that do are still at risk anyway.
Id rather see a much less flawed system implemented, particularly for important services like ones that store your genetic code.
The first link is basically an “advertisment hidden in a normal, professional-looking article”. All they’re saying is how these ways are not secure, but most importanly, how their solution is more secure, published under their own site.
When you take this into account, their claims start to break down: while yes, email and SMS MFA might be inherently less secure since the code could be transmitted via an insecure channel, saying TOTP is not not secure because “you device can be hacked” is a kinda bad take: if your device is already hacked, you’d have a much bigger problem: even if you are using security keys, the hacker would already have access to whatever service you might be trying to protect. As for the lost/stolen case mentioned in the article, if you put TOTP code in a password manager (as most would probably do if they’re doing this), that shouldn’t be a problem. The only way this would be a problem is that the TOTP secret is stored in plain text, which would be the same for any authentication methods.
Thanks for the link, I wanted to read up on passkeys since the other day, as GitHub asked me to set one up with Bitwarden
I don’t like passkeys. There’s the old thing about good security being the thing you have, the thing you know, and the thing you are–a key, a password, and biometrics. I don’t like keys or biometrics for anything online. Mainly because of 5th amendment issues (police can hold your finger to your phone to unlock it, but they cannot compell you to say what your password is), but also because either it’s more secure than using a password (if you lose the thing you have, you’re fucked) or it’s the same as using a password (if you lose the thing you have, you can enter a password to get it back).
Why can’t we just normalize memorizing complex passwords? It isn’t that hard if you dedicate some effort to it instead of lazily making it Currentmonth123!$
This is just a stupid take. I bet you either reuse your passwords regularly or you don’t really use the internet that much. I just looked it up and I have 270 unique logins, with as many 20 characters long passwords, with letters numbers and special characters.
Now tell me with a straight face that you think everyone can memorize that.
Anything I have to log into frequently gets memorized. Anything I set and forget gets reset every time I log in. I don’t know my Xbox password, and I don’t need to, because the next time I need to log in I can just use my email address and reset it to like 2023!TheDayBefore$ucked! or something stupid and unguessable like that. Then 6 months later, when I can’t even fathom what I would have set it to, I’ll reset it again.
And then ofc the few super important things like my bank and email get special unique 20+ character passwords that I memorize
I currently have 75 different accounts stored, each with a unique 16 character randomized password. My memory cannot handle remembering each one alongside their username and which service they are used for. I don’t think it’s reasonable to expect anyone to.
You are not required to secure passkeys with biometrics, you can just use a password to encrypt them if you want, removing the possibility of forced unlock.
With that many logins, I use a password manager anyway. Regardless of whether I use passwords or passkeys; that is always going to be target. With passkeys, that manager+my device are only possible targets to gain access to my accounts. With passwords every service is also a target, along with every connection I make to that service.
A random example: If I login to twitter with a password using a work computer, that password is more than likely now sitting in a log file on the corporate firewall that performs https inspection. That could be used to gain access to my account later.
Replace that password with a passkey, and now there’s no ability to harvest and use login info from those logs. All they saw was the passkey challenge and response sent back/fourth with no ability to replicate it later.
While yes, you can usually recover you passkeys with a password and the appropriate access to the systems where they are backed up; the difference is very rarely using a password as a recovery code, vs using a password regularly giving much more opportunity for it to be intercepted or mishandled. The systems my password manager backs up to are also my own and not publicly accessible. (you don’t have to use google/apples managers)
Also the passwords used for account auth are stored in my password manager, where as my password managers password is only stored in my mind. One is easy to remember, 75 is a bit much…
Passkeys are not better than a well implemented password. The fact that you cannot use 2fa on top of a passkey actually makes it a worse solution overall.
Passkeys raise the minimum… but at the same time lower the maximum security a user can choose to utilize. I will not personally accept any solution that lowers the maximum level of security I can have.
Several services do allow you to use MFA alongside passkeys, that’s up to the service, not the technology. Google, Github, Nvidia, and Microsoft to name a few.
Passkeys are better than passwords as they cannot be stolen from the service you are logging into, or the network connection between you and the service as they are never transmitted. They can only be stolen directly from the users device (or their passkey/password manager). They are also encrypted and often stored behind biometric authentication locally making them extremely difficult to access even with physical access to the device.
A well implemented password also cannot be stolen. Only a hash of that password. Which would be equivalent to the public key, since it’s derived from the private key of the passkey. Much like the hash of a password is derived from the password.
is bullshit. You must be able to revoke something in order for it to be effective as a password. Revoke your fingerprint… I’ll wait. Making it one factor is fine, making it the only factor is fucking moronic.
Which makes it the same “factor” as most MFA implementations. Something I have and something I have is not effective for adding security to something. Multi-factor isn’t having many of the same factor. It’s covering multiple factors.
Edit:
Google!!! the company that automatically creates passkeys without your authorization. BTW… my google account IS MFA configured… The Passkey login on my phone SKIPS Mfa… So your list is already dead with the biggest and first item on your list.
Presuming it was hashed before transmission which it often is not. It can still be stolen during transit, directly from the user, or from poorly implemented processing/storage practices on part of the service which you have no control over and no ability to audit. You can have all the best practices as a user, and still be screwed over by a services poor practices.
Passkeys guarantee to reduce this to a single possible target of theft: The users device.
You as a user have no control or even insight into how a service implements password based auth. All you can do is use a unique complex password and hope they do the right things to keep it secure. Just by using a passkey though, you can know for sure that you are in control of it being kept secure as it never leaves your possession.
Biometric auth is only used to secure the keys on the local device, ontop of the devices own auth.
By MFA, I was refering to all the other factors you can apply just like typical password+2fa. Email, sms, timed, physical key, etc. You have all of the same additional options ontop of replacing passwords with a more secure option. I’m not saying bio+passkey is MFA. Bio is used to access the passkey then MFA is applied to the service itself through whatever other means you’ve enabled. Hell, you can use your password as the secondary MFA option if the service has enabled that.
All of the same concerns exist with passkeys. Worse though is that with passkeys you cannot audit yourself them at all, they’re locked away and have no ability to be viewed at all. You actually can’t tell if the passkey you “Deleted” was actually removed… Nor if a new one that you create to take it’s place is actually different than that one you just “deleted”.
Which you as a user, if you implement password properly (one unique password per service) also have the same quality. Except you don’t have to rely on now a single possible target! If you steal my device, you have no hope of getting access to my accounts. Period.
You don’t have any control over passkeys either…
Same as passkeys. Except now your hope is that your system AND their system keeps the passkeys properly secure.
You actually have no idea about this… since different standards can exist at the browser or implementation level that can do whatever they want with the keys. Case and point is that Apple allows you to migrate your passkeys through iCloud. Either they’re using your private to authorize a new private key, or they’re actually physically moving your private key to a new device. In either case, that already disproves that “it never leaves your possession” since a cloud service can move it for you.
All of these points only apply if you don’t pick a decent password/passkey manager and just stick with whatever google/apple gives you.
Do better.
I can see all my Passkeys in painstaking detail and know exactly what has or has not been deleted/modified. I use my own self-hosted services for managing them between devices, so they are never stored on anything but my own hardware in my control.
The only part that leaves my possession is the public key portion of each passkey, which honestly could be published to a list on their homepage and still remain secure.
Here’s an example of a stored passkey, but with values redacted:
"fido2Credentials": [ { "credentialId": "-redacted-", "keyType": "public-key", "keyAlgorithm": "ECDSA", "keyCurve": "P-256", "keyValue": "-redacted-", "rpId": "amazon.ca", "userHandle": "-redacted-", "counter": "0", "rpName": "Amazon", "userDisplayName": "-redacted-", "discoverable": "true", "creationDate": "-redacted-" } ]
Oh yeah? So on Android… How do you get your password manager to work for your passkey storage? Because all I see on android is NFC, USB, and “This device” (which is literally google storage, not your own app). So how do you login to any apps that you’re using passkeys on your phone?
LMFAO, you’ve addressed basically nothing and assume that your answers are sufficient you can fuck right off.
Edit: This is effectively SSL/TLS… Right? So there’s never been a successful attack on that right? Boy do I have a bridge to sell you.
Currently I only use passkeys on desktop while I patiently wait for my password/passkey manager of choice to finish implementing passkey support on Android, just as I’m waiting for most services themselves to implement passkey support in general. It’s a relatively new and emerging technology, adoption always takes time.
When you don’t put any thought into what you’re using and just stick with the defaults you’re given; you’re obviously not going to have an optimal experience. Hence: Do better.
No, this is not basically TLS/SSL. TLS/SSL convinces a client to use a key they’ve just been given, via a public chain of trust that can be manipulated in many ways. This is more akin to the public key authentication of an SSH connection; where the keys are known and trusted long before the connection where they are used is established. This is then also wrapped in TLS/SSL as an additional layer. But TBH as long as you don’t pass persistent login tokens back/fourth, it could be done over plain http. (it wouldn’t secure the data then ofc, but would still securely prove your identity across that connection)
Saw your edit:
It was an example list of companies that allow MFA alongside passkeys, not a list of people with perfect practices. You seemed to think MFA wasn’t even a possibility.
Every company implements things differently. Google establishes ‘trust’ once you’ve signed into a device and doesn’t ask for 2fa after that. It’ll usually prompt you for it on any new-to-your-account device.
Regardless, that’s issue with googles implementation of Passkeys, not Passkeys themselves.