this post was submitted on 07 Aug 2024
512 points (98.5% liked)

Technology

59300 readers
4750 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] Spotlight7573@lemmy.world 108 points 3 months ago (5 children)

With a breach of this size, I think we're officially at the point where the data about enough people is out there and knowledge based questions for security should be considered unsafe. We need to come up with different authentication methods.

[–] fmstrat@lemmy.nowsci.com 35 points 3 months ago (1 children)
[–] zer0squar3d@lemmy.dbzer0.com 9 points 3 months ago (1 children)

You get a private key! And you get a private key! And you get a private key!

[–] Nurgus@lemmy.world 5 points 3 months ago

Indian accent: Hello, this is Microsoft support. Your private key is being hacked and you need to give it to us immediately for safe keeping.

WCGW?

[–] floofloof@lemmy.ca 29 points 3 months ago (1 children)

We have different authentication methods. The hard bit is persuading people to use them.

[–] Spotlight7573@lemmy.world 2 points 3 months ago

Before people can be persuaded to use them, we have to persuade or force the companies and sites to support them.

[–] QuarterSwede@lemmy.world 10 points 3 months ago (2 children)
[–] ag10n@lemmy.world 9 points 3 months ago* (last edited 3 months ago) (2 children)

Tying a password to a browser or device isn’t going to make it any easier. Use a password manager and set unique string passwords for everything. If the app supports it, use FIDO physical keys instead of Passkeys

[–] 1984@lemmy.today 8 points 3 months ago (2 children)

Even better would be to use certificates instead of passwords. What if every website gave you a certificate signed by them, and you store that in your password manager automatically.

Maybe that's what passkeys are.. Haven't read up on them at all.

[–] Spotlight7573@lemmy.world 6 points 3 months ago

Basically with passkeys you have a public/private key pair that is generated for each account/each site and stored somewhere on your end somehow (on a hardware device, in a password manager, etc). When setting it up with the site you give your public key to the site so that they can recognize you in the future. When you want to prove that it's you, the website sends you a unique challenge message and asks you to sign it (a unique message to prevent replay attacks). There's some extra stuff in the spec regarding how the keys are stored or how the user is verified on the client side (such as having both access to the key and some kind of presence test or knowledge/biometric factor) but for the most part it's like certificates but easier.

[–] Passerby6497@lemmy.world 1 points 3 months ago

I really wish SQRL had taken off. It's a lot like pass keys, but it used a central certificate to mint per-site certificates (along with per user per site certs if memory serves) and had proper methods of rolling it in and rotating the keys assigned to your account.

[–] QuarterSwede@lemmy.world 4 points 3 months ago (1 children)

… passkeys basically do all this without you having to know how. Your device /is/ the physical key and /you/ are the secondary auth. It honestly doesn’t get any easier for the user.

[–] ag10n@lemmy.world 1 points 3 months ago (1 children)

What options are there for migrating passkeys to a new device? Easy to lock you into that iPhone and you must use their migration tool when you upgrade. Or I just carry it on my keychain, no vendor lock in.

[–] QuarterSwede@lemmy.world 1 points 3 months ago* (last edited 3 months ago) (1 children)

3rd party password managers are already adding passkey support. Passkeys isn’t an Apple only security technology. FIDO has its place but passkeys is the future for most people like it or not.

[–] ag10n@lemmy.world -1 points 3 months ago (1 children)

Do I need a subscription service for this passkey supported password manager? Or I can just buy a hardware key that can be used on my phone or any device, password manager supported or not. Seems like the freedom and portability of a physical key, like a key to your home or car makes a ton of sense.

Passkeys are based on and supported by the FIDO alliance.

https://fidoalliance.org/passkeys/

[–] QuarterSwede@lemmy.world 0 points 3 months ago (1 children)

You don’t need a subscription as you well know since you know what they’re based on. And I meant FIDO physical keys as you were alluding to. Why would I ever want another device to use with a device that already has biometric auth? That last a barrier of entry that’s too high for most people.

[–] ag10n@lemmy.world 1 points 3 months ago

Passkeys are a replacement for passwords, not a second factor like requiring a physical key.

Why would I reduce the number of factors and also entrust what should be something I know to a vulnerable key store.

https://www.bleepingcomputer.com/news/security/new-tpm-20-flaws-could-let-hackers-steal-cryptographic-keys/

[–] fmstrat@lemmy.nowsci.com 5 points 3 months ago

Until you realize Apple allows the iPhone to airdrop them. Ugh.

[–] Uli@sopuli.xyz 3 points 3 months ago (3 children)

Pirate keys for sure. Not using one is just asking for a stranger to grab your booty.

[–] scottmeme@sh.itjust.works 6 points 3 months ago

I want a stranger to grab my ass sometime

[–] ThePantser@lemmy.world 2 points 3 months ago

But I enjoy a booty grabbing.

[–] dexterous@programming.dev 1 points 3 months ago

Pirate keys for sure.

Arrr.... SA to ye all!

[–] NotMyOldRedditName@lemmy.world 1 points 3 months ago* (last edited 3 months ago)

Start using Yubikeys and telling companies that don't support them to support them.