Pass keys

fosterscik

More and more of my financial accounts are using pass keys rather than 2FA via text etc. I knew they were considered more secure but hadn't read any simple explanation of their function. These articles by Mike Piper were very useful and I thought others might want to look at them:
what the heck are passkeys
Getting used to passkeys
 
Almost all my sensitive logins use them, mostly facial, but some are finger activated.
 
More and more of my financial accounts are using pass keys rather than 2FA via text etc. I knew they were considered more secure but hadn't read any simple explanation of their function. These articles by Mike Piper were very useful and I thought others might want to look at them:
what the heck are passkeys
Getting used to passkeys
Thank you for sharing these websites, especially the first one. It is the best explanation of passkeys I have seen so far.
 
Neither Amazon nor Google believes that passkeys are sufficient. They still require a secondary authentication to login if they don’t recognize your device. Websites still require you to maintain login/password as backup. You cannot yet move passkeys to a different password manager, so they serve as a speed bump to the password manager you use. So I don’t see any advantage of passkeys.
 
What if I use an iPhone and MS Windows desktop, do web sites allow for multiple devices?
 
The idea is great: the web site has no secret to keep. But the implementation is horrible. As RB90 says, there's the multiple device problem. And related is the lost device problem. And worst is the multiple ecosystems for managing passkeys. Generally, users don't know what's going on...a passkey acts just like a password from a UI perspective and the implementations I've seen don't make it clear what's happening. And if they tried to make it clear, there would still be a fraction of the population that wouldn't get it.

One thing that could be done would be to have the process start with the user installing a 3rd party passkey app on all devices. Let's call it UOPK (Universal Open PassKey). UOPK needs to be open source and not "owned" by anyone. The user might need to prove to UOPK that they've installed it everywhere that matters and maybe even take a test to see if they "get it". This would be before any authentication happened and before any web site is involved. Then, rather than the financial sites "pushing" passkeys using one of many passkey ecosystems, the web site would ask to be enrolled in your instance of UOPK. When you open UOPK you would see those domains that you enrolled. There's still the problem of getting those enrolees synchronized across devices. It's easy and secure if the device has a camera, but a little more trouble if it doesn't. I should say I've thought a lot about this problem and was a committer on an open source project that solved this problem. The project never got traction because the big players want to own the system and probably want to build in back doors. The "problem" that was a "feature" in the project I worked on was there was nobody to call if something went wrong. The solution was during installation, you had to prove to the app that you printed out things. No proof, you couldn't use the app. Yeah, if your house burned down with your phone and the paper, you would be locked out, but if you threw your phone in the river and your hard drive crashed on the same day, recovery was possible.

I use Aegis Authenticator for verification tokens. Free and open source. Not the same as the passkey use-case, but similar in the use of public key encryption and similar in that the web site has no secrets to keep. It works for Fidelity, by the way, which is how I make sure I can always get on to her account if I need to. Much more secure than getting an SMS.
 
1Password stores passkeys for you.

A problem that existed before passkeys is that every site has its own login experience. This affects password and passkey performance. So, we soldier on as best we can.
 
1Password stores passkeys for you.
Storing secrets locally has tons of solutions; when it comes to saving a password or a passkey locally, there's no difference. I use KeePass. Again, free and open source. The paid plans sync between devices, but then you need to trust the closed-source solution provider. But you needn't trust anyone to help you sync...there's, wait for it, yet another open source tool called Syncthing that will make sure a password added on your phone gets added to your computer and the reverse.

But like other FOSS tools, a little bit more challenging to get your head around, especially if you want to keep one set of passwords across all devices. All of these solutions are better now than they used to be due to additional hardware that supports keeping the bad guys from snooping locally (TPM, etc).
 
Storing secrets locally has tons of solutions; when it comes to saving a password or a passkey locally, there's no difference. I use KeePass. Again, free and open source. The paid plans sync between devices, but then you need to trust the closed-source solution provider. But you needn't trust anyone to help you sync...there's, wait for it, yet another open source tool called Syncthing that will make sure a password added on your phone gets added to your computer and the reverse.

But like other FOSS tools, a little bit more challenging to get your head around, especially if you want to keep one set of passwords across all devices. All of these solutions are better now than they used to be due to additional hardware that supports keeping the bad guys from snooping locally (TPM, etc).
1Password is cloud primarily, but a local encrypted copy exists. All devices are synced, and family sharing is possible.

Legacy is also preserved for my vaults, and the rest of the family.
 
I don't mind using pass keys but they really don't replace passwords.
 
It is very secure but: I am not aware that Charles Schwab Corporation, Fidelity Investments, E*TRADE, etc. support passkeys. Even less so the even more secure form: a passkey stored on a hardware device such as: 🔐YubiKey.

[attached image]
 
More and more of my financial accounts are using pass keys rather than 2FA via text etc. I knew they were considered more secure but hadn't read any simple explanation of their function. These articles by Mike Piper were very useful and I thought others might want to look at them:
what the heck are passkeys
Getting used to passkeys
Can you give us names? I think Vanguard and Capital One supports it. Who else?
I know Fidelity is working on passkey via YubiKey support.

Passkey support = Native FIDO2/WebAuthn
 
Vanguard supports YubiKey and Fidelity supports authenticator apps
 
Vanguard supports YubiKey and Fidelity supports authenticator apps
Vanguard yes.
What Fidelity supports is not passkey. Fidelity has some of the weakest protection because it does not even support Hardware RSA tokens.
 
Vanguard yes.
What Fidelity supports is not passkey. Fidelity has some of the weakest protection because it does not even support Hardware RSA tokens.
Fidelity supports authenticator apps which are superior 2FA vs text/email
 
Fidelity supports authenticator apps which are superior 2FA vs text/email
But number one, they are not passkeys, and number two, they are inferior to hardware tokens like Schwab and E*TRADE support through RSA Security SecurID hardware authentication.
 
they are inferior to hardware tokens like Schwab and E*TRADE support through RSA Security SecurID hardware authentication.
If you are referring to Fidelity's support of TOTP via an authenticator app, can you please explain why they are inferior to RSA Security SecurID hardware authentication?
 
If you are referring to Fidelity's support of TOTP via an authenticator app, can you please explain why they are inferior to RSA Security SecurID hardware authentication?
You cannot hack into:

[attached image]
 
Careful thinking that Yubikeys are secure.

It’s possible to mess up their implementation, as Vanguard has done, and provide you with a false sense of security.

 
Most users assume that their security stance will remain rock solid through thick and thin. Because the threat constantly evolves, well, you'll find out how good your provider and method actually are.
 
You cannot hack into:
Anything is hackable, that includes RSA Security SecurID. See link below that talks about a hack attack in 2011.
RSA finally comes clean: SecurID is compromised

I would prefer an "all-in-one" security hardware token if it was available across all my financial institutions/banks but until then, I will continue to use TOTP for its convenience and portability (i.e. can use on multiple devices/platforms) for 2FA.
 
The RSA breach was due to an employee of Lockmart getting phished. The tech was not hacked.
 
I would prefer an "all-in-one" security hardware token if it was available across all my financial institutions/banks but until then, I will continue to use TOTP for its convenience and portability (i.e. can use on multiple devices/platforms) for 2FA.
I can use 1 RSA key with multiple accounts.
 
I read the article about passkeys posted. Sounds like GPG, public/private keys, a challenge that gets signed, signature proves identity. Make sure the private key is secured on your device as that could be a vector of attack. Use hard disk encryption to secure the key.
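The key pair, signed challenge and "site keeps no secret" mechanics described in the post above, as an added Go example that is not from this thread or from any linked article. It assumes a simplified WebAuthn clientData carrying only the challenge and origin, and the names RelyingParty, Register, Sign and Verify are illustrative.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// RelyingParty (the web site) keeps only public keys, so a breach of this map leaks nothing reusable.
type RelyingParty struct {
	Origin  string
	PubKeys map[string]*ecdsa.PublicKey // credential ID -> public key
}

// Simplified WebAuthn clientData; real clients base64url-encode the challenge, json's base64 stands in here.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

func NewRelyingParty(origin string) *RelyingParty { return &RelyingParty{Origin: origin, PubKeys: map[string]*ecdsa.PublicKey{}} }
func hash(b []byte) []byte                      { h := sha256.Sum256(b); return h[:] }

// Register mints a P-256 pair on the authenticator; the RP keeps the public half, the private key stays on the device.
func Register(rp *RelyingParty, credID string) (*ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.PubKeys[credID] = &priv.PublicKey
	return priv, nil
}

// Sign (authenticator side): sign SHA-256(clientData). The browser, not the user, fills in origin, so a look-alike site's signature fails Verify.
func Sign(priv *ecdsa.PrivateKey, challenge []byte, origin string) (cd, sig []byte, err error) {
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	sig, err = ecdsa.SignASN1(rand.Reader, priv, hash(cd))
	return cd, sig, err
}

// Verify (RP side): confirm its own fresh challenge and its own origin were signed, then check the signature.
func Verify(rp *RelyingParty, credID string, challenge, cd, sig []byte) bool {
	pub, ok := rp.PubKeys[credID]
	var parsed clientData
	if !ok || json.Unmarshal(cd, &parsed) != nil || parsed.Origin != rp.Origin || string(parsed.Challenge) != string(challenge) {
		return false
	}
	return ecdsa.VerifyASN1(pub, hash(cd), sig)
}
```

A fresh random challenge per login is what makes an old signature useless, and binding the origin is what makes the private key useless to a site that merely looks like the real one.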
 