home.social

#androidpasskeysgone — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #androidpasskeysgone, aggregated by home.social.

  1. @ScottHelme "This is mostly a list of things passkeys were never claimed to solve":

    1. You skipped the "private key never leaves the device" lie. Note that this vuln: seclists.org/fulldisclosure/20 is unfixed (see todon.nl/@ErikvanStraten/11655).

    The alternative, having access to YOUR OWN private keys does not make #BigTech lock-in vendors (i.e. Google, Apple) happy: github.com/keepassxreboot/keep.

    Btw, also unfixed: iOS/iPadOS passkeys may be used without local auth under certain conditions: todon.nl/@ErikvanStraten/11565 (@timcappalli ).

    2. Nobody cares what is considered out of scope for ANY auth. solution, in particular if they're not told about it. People want to know their risks w.r.t. account takeover and account lockout. We need a safer internet.

    3. "Passkeys are not magic": I don't see "what risks remain" in scotthelme.co.uk/passkeys-101- - which is why I objected.

    4. Passkeys "are a major improvement over passwords": that depends. If people use a password manager to create unique long random passwords (which they should), and use AutoFill, then the advantages and risks (attestation?) of using passkeys vs passwords are not clear, nor easily comparable.

    #Passkeys #AndroidPasskeysGone #ApplePasskeyRisks #Passkey #PasswordManager #AutoFill #Autonomy #BigTechIsEvil #MYprivateKeys #DumbPasswordRules

  5. @jtb : yes, but AFAIK passkey private keys cannot be exported from "Apple Passwords" nor from "Google Passwords". Which are probably used most.

    Why would people install a third party password manager (often paid, and/or a privacy/security risk - remember LastPass) if your phone comes with such an app and they're unaware of the risks?

    Edited to add: my Feb. 2024 write-up on Full Disclosure still mostly applies.

    Screenshots, chronological:

    1) Top right: contents of Google Password Manager after creating a passkey on webauthn.io

    2) Left: tapping the "Delete data" button in chrome.google.com/sync

    3) Bottom right: contents of Google Password Manager after tapping the "Delete data" button in chrome.google.com/sync. The passkey is gone.

    People are wrongly made to believe that Google passkeys are stored safely on their device; they are not.

    @rmondello @brandonbutler

    #AndroidPasskeysGone #Passkeys #AccountLockout

  9. @rmondello : what makes passkeys strong:

    1. Software checks the domain name, which makes phishing hard;

    2. HTTPS is enforced, which helps prevent AitM attacks (unless Cloudflare et al. come into play);

    3. A unique, long, unguessable, randomly generated "password" (public key) per account: dumb password rules and broken human RNGs no longer apply.

    The rest is marketing (including the hyped asymmetric cryptography).

    The "advantage" of denying the owner access to their own private keys hardly makes sense as long as session cookies are not device-bound.

    The disadvantage of not being able to back up one's own private keys is the risk of vendor lock-in and the underestimated huge risk of account lockout [1]. And the latter leads to the necessity of being able to log in using weak authentication after the user loses access to their private keys.

    @brandonbutler

    [1] seclists.org/fulldisclosure/20

    #Passkeys #Phishing #PhishingResistant #AsymmetricCryptography #AndroidPasskeys #androidPasskeysGone #iOSpasskeys #iPadOSpasskeys #ApplePasskeys #BackUp #Export #BackUpPasskeys #ExportPassKeys #PasskeyBackUps #PasskeyExports
