Do you people trust companies with passkeys?

I feel like big tech have started pushing for passkeys really hard lately. Microsoft has been asking me if I want to switch to passkeys pretty consistently. Google just automatically brings up the passkey registration fingerprint scan system dialogue every single time I’ve been signing in on Android. Without even asking if I want a passkey or not, it just does it without saying anything. I think the intention is pretty clear, an unknowing person sees the completely random fingerprint scan dialogue, doesn’t think much of it, scans their fingerprint, a passkey gets created automatically.

Well, I fell for their trick. I’ve been avoiding the passkey dialogue pretty consistently for a while now, but just now I was signing in while distracted and accidentally tapped my finger on the scanner by reflex on the prompt. I guess I have a passkey now. Yay.

I did some digging on my Google account settings and the internet, and I couldnt find a way to completely remove the passkey. It seems you can only disable the use of passkeys, but the passkey itself remains. There is also a setting called “Skip password when possible”, which is clearly what has been causing the non-stop passkey prompts. It’s on by default. It’s a shame I’m only aware of it now that its too late.

Theoretically, the passkey standart itself should be private and secure. Throughout the process, the biometric information used for the cryptographic challenges never leaves the device, and the server only gets access to a signature that has been signed with the client’s private keys that it can use to authenticate but can’t derive the private keys back from because of complicated math I didn’t spend enough energy to understand. Google automatically syncs the passkeys with its private keys with E2EE in the Google Password Manager tied to the account, which is where I start to get uncomfortable because I can’t bring myself to trust Google with E2EE.

What do you people think?

  • trilobite@lemmy.ml
    1·
    1 day ago

    I’ve been wanting to get more into this nitrokey business but haven’t done my research. Are you using it for all your day to day authentication? Can it be used for websites? Logging onto laptops, etc?

    • utopiah@lemmy.ml
      1·
      12 hours ago

      Yep. To give you some example I login to my self-hosted forge this way. I also use PAM on my desktop to login this way. I also sudo this way. Unfortunately I don’t use this on my phone anymore as I switched to GrapheneOS which requires GooglePlay Services for this kind of auth mechanism (with possible work around https://codeberg.org/s1m/hw-fido2-provider that I didn’t try yet).

      Please note I’m no security expert but to clarify few things are important precisely when you are not a professional :

      • does it support standards? Basically acronyms like TOTP, FIDO, U2F, are what you should be looking for
      • is it supported without additional software by supporting standards? can you use e.g. PAM on Linux with it or does it need a companion “app” somehow?

      If the answer to either is “maybe” then I recommend before buying you search online and insure it does work with your specific setup. If the answer though is yes to standards and no to additional software then you are, unless there is a weird bug basically, pretty sure to be able to use it however you want, wherever you want.

      Sidenote that it’s the same heuristic for IoT. If you buy a “brandname smart thing” then you probably need their idiosyncratic stack whereas if you rely on standards, e.g. Zigbee or ZWave, then you are nearly guaranteed a smooth experience.

      Hope that helps. I know that navigating acronyms can be tricky but IMHO here it’s worth investing a tiny bit of time to recognize them.

      Finally as we are talking about open hardware and security I would also add 3rd party audits. I don’t have the competency to insure that the hardware and software implementation are cryptographically safe. I can test that it does in some case what it claim to do, e.g. lock after 3 failed attempt, but could some kind of weird collision hash or bad pseudorandomness be used to practically limit the pool of potential keys or passwords? I don’t have the knowledge for that. I also can’t trust that NitroKey did it right based on the claim of their website. So… audits help bridge that gap in trust. If I can’t trust the vendor and I don’t have the expertise despite being entirely open then I look for others who did verify on my behalf.