There's also more and more 2FA fatigue attacks going on, and they can affect passkeys too, and if you don't have a 2FA that involves the user writing a code on the 2FA device, passkeys could be quite possibly worse than passwords

[–] RamenJunkie@midwest.social 7 points 1 day ago (2 children)

Also, what happens if your device with the passkey fails?

Like the drive craps out?

[–] twice_hatch@midwest.social 2 points 1 day ago

You are supposed to have two redundant ones. Hooked up to every service. One leaves the house with you, the other stays in a safe, and you rotate them periodically

and nobody is gonna fucking do that lol

Mine are USB-A and USB-C so no two computers can use both. One of them randomly quit working (something in the OS dropped support for it maybe?) but then I think started working again?

At an old job I had a lot of control over my own infra and I used my HSM to log in to my forge. I haven't used it daily in years now.

[–] Electricd@lemmybefree.net 1 points 1 day ago

Similar problem with 2FA though

[–] rumba@lemmy.zip 8 points 2 days ago (1 children)

Under passkey implementations, you need to unlock the passkey device with biometrics or passwords. Something you are/know (biometrics/passwords) and something you have (passkey).

It's not impossible to screw it up. Put your passkeys in bitwarden, reuse a password and don't 2fa that.

[–] RedFrank24@lemmy.world 5 points 1 day ago (1 children)

My workplace doesn't allow Bitwarden because 'it's not secure'.

[–] rumba@lemmy.zip 2 points 1 day ago

It's easy enough to enforce 2FA on it.

Most of the other online solutions are about the same.

[–] ronigami@lemmy.world 6 points 2 days ago

That sort of thing is the push I need to get entirely off of Github

[–] ramjambamalam@lemmy.ca 72 points 3 days ago (2 children)

I think this post is about git CLI, not www.github.com.

SSH keys are very secure and you can still encrypt them with a password if you wish.

[–] jonjuan@programming.dev 45 points 3 days ago (4 children)

encrypt them with a password if you wish.

SSH keys without passphrases are just fancy credential files sitting in your .ssh/ directory, basically like writing your passwords on paper and leaving it in your desk drawer.

[–] rumba@lemmy.zip 9 points 2 days ago

but they require chmod 400 and they're ideally in on an encrypted disk

So the desk drawer is locked and the codes are Luks encrypted.

And for critical stuff, you should also have a password on the key.

If your ssh keys are like a passwords on paper in a drawer, you're doing it wrong.

[–] tauonite@lemmy.world 10 points 2 days ago

TIL some people store SSH keys unencrypted

[–] Sasquatch@lemmy.ml 15 points 3 days ago (2 children)

Yeah, but who wants to type in a password everytime they push/pull?

[–] LedgeDrop@lemmy.zip 41 points 3 days ago (1 children)

Take a look at ssh-agent. It's bundled with ssh-client and designed to solve this problem.

The quick usage is, create a terminal and run:

eval `ssh-agent`
ssh-add /path/to/your/encrypted/key1
#type in password
ssh-add /path/to/your/encrypted/key2
... 

# all commands in this terminal will use the keys above w/o asking you for a password 
git clone git@githib.com...
git push... 
etc

So, basically you type your credentials once during the life cycle of your terminal.

If you really want to go full power-user, simple run ssh-agent (without the eval) and you'll see it just sets some env-vars, which can be imported into any terminal/shell you have open.

So, if you put some logic in your shells rc file, you can effectively share a single ash-agent between all your shells, meaning you just need to type your password for your keys once when you log into your system... and your now passwordless for any future terminals you create (this is my setup).

Also, if you're interested take a peek at the man pages for ash-agent. It has a few interesting features (ie: adding a password lock for your agent, removing keys from the agent, etc).

[–] bandwidthcrisis@lemmy.world 3 points 2 days ago

I have

if [ -z "$SSH_AUTH_SOCK" ] ; then
    eval $(ssh-agent -s)
fi

At the end of .bashrc and

AddKeysToAgent yes

In .ssh/config so that it auto-adds keys I unlock.

[–] ulterno@programming.dev 1 points 2 days ago (2 children)

I do it.
Every time.

And I keep a wired keyboard for it.

[–] ramjambamalam@lemmy.ca 2 points 23 hours ago (1 children)

Get a load of Ross Ulbricht ovah here!

[–] ulterno@programming.dev 0 points 13 hours ago

Well, the main reason I do it every time is because I'm just too lazy to setup pinentry.
But yeah, for the Bluetooth keyboard, I realise I better get off it.

[–] rumba@lemmy.zip 4 points 2 days ago (1 children)

https://www.tomshardware.com/tech-industry/cyber-security/researchers-snoop-data-from-air-gapped-pcs-ram-sticks-by-monitoring-em-radiation-from-23-feet-away

I get keyboards probably have more range, but i worry privacy was gone a long time ago.

[–] ulterno@programming.dev 1 points 1 day ago (1 children)

I see they really wanted to fit the acronym to RAMBO, lol.
But it makes sense. Considering, we keep out mobile phones in around a metre's reach, it would be trivial to just get that information just from key sounds. Guess I better get one of those high frequency faraday cages, huh?

[–] rumba@lemmy.zip 4 points 1 day ago (1 children)

There are a few on audio, I saw one where they read HDMI over the air from 60 ft away.

I'd kinda like to see Bluetooth shored up a bit maybe require a tap to bind every day.

[–] ulterno@programming.dev 1 points 1 day ago (1 children)

I saw one where they read HDMI over the air from 60 ft away.

Wow! Was that stuff even EMCD compliant?

[–] rumba@lemmy.zip 3 points 1 day ago (1 children)

You can read the cables, you can read the transceivers in the video card, in a lot of the screens you can even read the panel changing itself.

Our ability is to remote sense EMF is absolutely ridiculous these days.

Then there's crap like the espionage where they change fan speeds. Or flash an infrared proximity sensor on a cell phone to exfiltrate data.

[–] ulterno@programming.dev 2 points 1 day ago

in a lot of the screens you can even read the panel changing itself

I thought that stuff went away with CRTs.
But I guess that makes sense. We could hear CRTs with out ears, now we just need more sensitive equipment.

[–] ThunderQueen@lemmy.world 8 points 3 days ago

I had mine on paper for years before i learned about Keepass. I trusted it more than a cloud based manager because someone would have to physically be in my room.

I am a lot more careful these days but that is not beyond the pale for a lot of folks haha

[–] Evotech@lemmy.world 2 points 1 day ago (1 children)

It’s not about encryption/security it’s about creating something that can’t be phished.

We know that 2fa is secure. But if an attacker can trick you into giving them the code, or typing it in a fake box. Then they own you.

Passkeys are made so that there’s nothing to give, nothing to type. You must control the device.

[–] ramjambamalam@lemmy.ca 4 points 1 day ago (1 children)

SSH keys are more like passkeys than passwords.

[–] Evotech@lemmy.world 1 points 1 day ago* (last edited 1 day ago) (1 children)

I’d love to see the state of online banking if everyone were to manage their own ssh keys

In all seriousness, they are similar, but not quite in this context.

There’s a good project on how to make ssh key infra more scalable and innately secure. Then you can use passkeys on top if you’d like.

https://github.com/openpubkey/openpubkey

https://github.com/openpubkey/opkssh

I personally use this on all my servers.

[–] ramjambamalam@lemmy.ca 1 points 23 hours ago (1 children)

I’d love to see the state of online banking if everyone were to manage their own ssh keys

Most people couldn't figure out how to download a binary release from a GitHub repo, much less clone it, regardless of HTTP or SSH.

[–] Evotech@lemmy.world 1 points 18 hours ago* (last edited 18 hours ago)

True, not the point though

[–] malwieder@feddit.org 31 points 3 days ago (1 children)

Passkeys use public key authentication. This makes them very resistent to phishing attacks. It's also not possible for a phishing site to request authentication via a passkey created on a the original website.

[–] ronigami@lemmy.world 4 points 2 days ago (1 children)

In practice, they use Face ID, which has privacy implications.

[–] malwieder@feddit.org 6 points 2 days ago

In practice, they either use system authentication if you use the implementation bundled with iOS/Android - and sure, that can be Face ID if setup, or other forms of biometric authentication. Both operating systems have APIs that allow password managers to provide their own implementation of passkeys, and in that case you have to authenticate with your password manager - sure most of them support using system authentication (biometrics) as well, but this could also be a master password or hardware key (which work very similar to passkeys by the way).

I'd argue if you don't assume that whatever system you're using is reasonably secure/private, you probably shouldn't enter any passwords on that system either. This isn't a passkeys vs. passwords problem.

[–] YtA4QCam2A9j7EfTgHrH@infosec.pub 23 points 3 days ago (3 children)

Yeah. Passkeys are something I would love if they were a second factor because they are so much better than any other 2fa. And I use my yubikeys as second factors where I can. But why the hell would I not want a password too?

[–] nialv7@lemmy.world 19 points 3 days ago

Passkeys are always supposed to be protected by another layer of authentication. e.g. a password should be required to unlock the passkey. If your passkey don't do that, stop using it.

[–] jbk@discuss.tchncs.de 1 points 1 day ago

No phishing

[–] jj4211@lemmy.world 6 points 3 days ago

If I provide passkey support and still require a password, most users will get annoyed and not bother. If I provide it as a replacement for password, then I can get them onboard more often. I'd rather have them using passkey than sticking with password.

[–] nialv7@lemmy.world 19 points 3 days ago (1 children)

It's different. It's still two factors if implemented correctly: 1. Possession of the passkey (better if you have a physical token, but passkey on your phone is passable). 2. Knowledge of your password (or bio authentication if you use face id or w/e).

Note you are not giving your password to the website, and if a hacker gets hold of your password they still can't do anything without your passkey device.

[–] RustyNova@lemmy.world 10 points 3 days ago (1 children)

Knowledge of your passwords

Uh... What password?

[–] nialv7@lemmy.world 23 points 3 days ago (1 children)

Passkey should ask for a password for unlocking. If it doesn't then it's not implemented correctly.

[–] jj4211@lemmy.world 9 points 3 days ago (1 children)

It's client specific and my phone requires whatever can unlock the phone and chrome requires either windows hello or a pin if under linux.

Certain implementations do whatever, and as far as the backend is concerned, there's no way of knowing, unless you want to get into the business of locking down specific vendor keys...

But I say MFA is overrated versus just getting away from generally crappy password factors. Also passkeys are less phish-able than OTP type solutions.

[–] nialv7@lemmy.world 7 points 2 days ago* (last edited 2 days ago)

Yes, it's implementation specific, in this case your phone, or your browser is the passkey "device". And as long as it's protected by some form of authentication it's OK (though I would recommend a hardware token over phones/browsers). If it doesn't then you shouldn't be using that "passkey". Yes, there is no way for the website you are authenticating with to know whether your passkey is safe or not, choosing a secure passkey implementation is (unfortunately) the user's job. But it's the same with more traditional 2FAs, e.g. you can store your TOTP secret securely or insecurely, and the website will have no way to know.

[–] REDACTED@infosec.pub 0 points 1 day ago (1 children)

It's still more secure than password+sms/email

[–] JcbAzPx@lemmy.world 7 points 1 day ago

Barely.