[yonixw]

From the FAQ [1]:

> Q: Are stored passkeys included in Bitwarden imports and exports?

> A: Passkeys are not included in imports and exports.

I think it's the same for iCloud [2]. That is why I don't love it. I prefer a very long password, and Bitwarden "Device login" that will prompt in my iPhone that will require FaceID (So essentially I have bio login). And 2FA to lower hacking chances. I'm aware I'm still vulnerable to phishing but because there is no export, this is a marriage to Bitwarden. And as much as I love them... I'm not ready yet.

But essentially it's a certificate... so I wonder why no private key export? Maybe because current implementation uses some CA that binds you to the issuer?

[1] https://bitwarden.com/help/storing-passkeys/

[2] https://redd.it/143acl5

[jerf]

I hope they get over that. It's a blob of data. It's no more special than a TOTP secret or a conventional password, and I am completely uninterested in pretending otherwise because of a slick marketing campaign. It's a "thing I know" whether anybody likes it or not and you can't turn it into a "thing I have" just because you won't let me export it from this particular software. (Proof that it is a "thing I know": It fits into Bitwarden, which is a "thing I know" storage mechanism. Anything that can be stored by BitWarden is a thing-I-know.) As long as it's a thing I know you might as well give me the benefits of being a thing I know, since I'm paying the costs of it anyhow.

I back up at the Vaultwarden backend store level anyhow. Probably shouldn't give me that sort of advantage over the commercial option.

[noman-land]

I see this common refrain from people. How is writing something down so that you don't have to remember it a "thing you know"? You literally don't know it. A "thing you know" never leaves your brain, otherwise it becomes a "thing you have".

[jerf]

It comes from the fact there are three fundamental ways to authenticate: a thing you know, a thing you have, a thing you are. You may not "know" a passkey or a TOTP token, but you are using computers in their most fundamental role as bicycles for the mind to "know" them for you. This means they still fit into "thing you know".

Clearly a TOTP token is not a thing you are.

Less clearly, it is not a thing you have. Passkeys and TOTP tokens "want" to be a thing you have, but in the end they aren't. My little proof in my parent post may be small, but I'm quite serious... if you can store it in a password manager, that is proof that it is a thing you know, not a thing you have.

It turns out making a "thing you have" be a true thing you have is very difficult. It may even be impossible, in some sense. Everything that is a "thing you have" seems to be a thing you know masquerading as a thing you have through some security-through-obscurity.

Between that and the fact that "thing you are" has incredibly poor, if not outright dangerous characteristics if you try to scale it up, I'm actually not on board with the "passwords suck because things-you-know suck and we must replace them immediately!" I think they whole argument stinks of a classic engineering mistake of considering only the pros of one option and only the cons of another. I think when you take a holistic view, "thing you know" is the only practical, scalable option of the three basic options. If passkeys make it easier, fine, I'm up for some improvement, but I'm not on board the "passkeys must be a thing you have" and I fully intend to use them as things I know as much as I can and have no intention of letting anyone make my passkeys into objects.

[unethical_ban]

Yep. Thing you have is a passkey that can't be copied at all, like a yuibikey, some physical manifestation that can't be easily cloned. Arguably TOTP is "have" due to being linked to a phone when doing push to a single device.

[lolinder]

Nit: TOTP doesn't include push methods of 2FA, it specifically refers to the algorithm for producing one-time passcodes from the current time and a secret key.

[Spivak]

TOTP is just PAKE with a funny way of writing the password.

We tricked people into using actually secure passwords and password managers by calling it 2FA and devising a scheme where the human does the challenge and the server necessarily must keep that part of the password in plaintext, but in exchange the user doesn't have to type out the long part of the password every time.

[lxgr]

No, TOTP is a weaker version challenge-response authentication (with the challenge being time-based and not provided by the verifying/challenging party).

PAKEs do significantly more; in particular, they are MITM resistant (unlike TOTPs) and provide mutual authentication.

[jerf]

"like a yuibikey, some physical manifestation that can't be easily cloned"

And this is what I referred to by the "things you have" being just "things you know" wrapped in obscurity in practice. If you know the contents of a yubikey, you could store those in your password manager and use the password manager to emulate it.

Mind you, it can be good, solid obscurity. It's fun and educational to read about all the security in your yubikey, and certainly to me in practice it is a "thing I have" because I'm thousands of dollar's worth of hardware and weeks/months/years short of the requisite skills to penetrate one.

But there is still a sense in which it fails to be the platonic manifestation of a true "thing you have" because underneath the hood it's still a thing you know. At scale this matters.

At scale, biometrics also has the problem of becoming a thing you know. Again, in the platonically perfect world where, I dunno, authentication mechanisms have access to Star Trek transporters and can analyze you down to the atomic level to be sure you are you (though even Star Trek had trouble with the shapeshifters in Deep Space 9!), then, yes, it would be truly a "thing you are". But in the real world, where a biometric auth still involves presenting a sensor with some sort of input that it will agree is you, it still degenerates into a "thing you know" as you try to scale the system up. You can make it more and more difficult to fool the sensor, but then, that raises the price of the sensor and the risk of false negatives, both of which make it hard as you scale up. Which is why I think biometrics authentication is very powerful, but generally should be reserved for very important things and used as a mix of other methods, or, alternatively, used for things that hardly matter at all, but I think it's quite dangerous in the vast middle. I would be very concerned if my bank account could have arbitrary operations done on it just by presenting my fingerprint.

I don't actually mean this as "criticism" of things you know and things you are, because, like I've said in both cases, they do have their uses in the real world. I just think if you want to deeply understand the question of authentication, as they scale up, they all turn into a "thing you know" for a sufficiently motivated attacker, and in the discussions we have on HN we are generally talking about the largest possible scales, so this matters. I think that's an important aspect of understanding these systems, using them for security, understanding the attack surfaces and likelihoods, and properly modeling them. I see a lot of people making bad cost/benefit analyses because, for instance, they don't realize that biometrics are in the end a "thing you know" and that fingerprints can be faked, faces can be faked, etc., and that you can't model them as what you'd really like a platonic "thing you are" to be. They degenerate into "thing you know" at quite practical scales, depending on what goodies you are keeping behind those authentication barriers.

[SAI_Peregrinus]

> there are three fundamental ways to authenticate: a thing you know, a thing you have, a thing you are.

Rather observations of each of those things. A "thing you are" is in practice just a "thing you have". You have a finger, with a fingerprint on it. That gets measured, and that measurement can be faked or your finger can be taken from you.

And of course "things you have" can usually be duplicated with sufficient effort. Even "physically unclonable functions" just rely on process variation in semiconductor manufacturing, with sufficient effort (FIB workstation for manual trimming) it's likely possible to clone even those.

[addicted]

Any half decent sophisticated user on the internet has not remembered passwords for half a decade at least.

Nearly everyone is storing it in password managers.

So has that changed passwords into not being “thing you know”?

[noman-land]

  So has that changed passwords into not being “thing you know”? 

Yes? If you write your password down on a piece of paper it becomes something you have, no?

[afiori]

Protocol-wise the difference is that a TYH* requires an interaction by the user.

An app generating OTP codes is a TYH while the secret used to generate the token is a TYK.

A password manager is a TYH while the passwords inside are TYK

In general every (non-quantum) TYH possess some kind of TYK that can be used to duplicate the TYH.

In the name of security sometimes there are locks around the TYK, sometimes physical other times software.

In the case of passkeys the inability to export them makes them TYH.

* "Thing you have" is too long

[charcircuit]

The server is not checking if you have a piece of paper. It is checking if you can produce a piece of information.

If someone steals your paper, copies the password to their phone, and then returns your paper, then the attacker can log in without that piece of paper. In a true "something you have" if you have that something then it is impossible for someone to login to your account.

[afiori]

I agree with the general sentiment but every non-quantum "thing you have" can be duplicated.

PS: I suspect that you could make a 2FA protocol capable of detecting duplication of the thing you have by having the app generate signed codes like "this is the n-th code I have generated" and have the server remember the n as a logical clock to detect duplicates and "time travel".

AFAIK only bank-type apps would use something this sophisticated

[GoblinSlayer]

Password database is often protected with a master password, so accessing it requires a thing you know.

[Racing0461]

Agreed. unless its stored in a tpm module or on an actual piece of hardware like a yubikey, no amount of software (especially a browser plugin written in javascript let alone low level drivers for an OS) can turn a "thing i know" into a "thing i have".

[SheinhardtWigCo]

It is special - it should be a reference to an asymmetric key stored in hardware. But it's not clear whether they are actually doing this.

[ryan29]

Some snippets from the FAQ [1].

> The public key is stored on the website and the private key is stored on your device or in your passkey provider, e.g. your Bitwarden Vault.

> Passkeys are often able to sync across your devices, however not all platforms support this yet.

So it sounds like it's not stored in hardware. It'll be interesting to see how it works if solutions that use a TPM or similar start to emerge. I have nearly 1000 passwords and many of them are shared with colleagues, parents, siblings, etc.. I can't even imagine a way you could make that work if the private key is owned by a TPM (aka a hardware bound key) and needs to be enrolled somehow prior to becoming usable.

What happens if I have 500 passkeys backed by keys in a TPM and I get a new computer?

1. https://bitwarden.com/resources/passkeys-faq/

[tw04]

> What happens if I have 500 passkeys backed by keys in a TPM and I get a new computer?

In theory the same thing that happens today with a yubikey - you have multiple devices with valid keys.

[Groxx]

A big part of passkeys is that they are (often) not in hardware, so they can be synced.

[SV_BubbleTime]

If it is just a pointer a hardware, even more reason to let you export it.

[m-p-3]

The idea is that the key never, EVER leave the hardware or password manager. What you do is have multiple Passkeys on separate devices per account.

Kind of like how you should generate SSH private keys on the local machine and never leave this particular system, and you then add their public keys to the server you will connect to. You can them revoke access to each machine independently.

[jopsen]

From: https://bitwarden.com/help/storing-passkeys/

> Saving and using passkeys are a feature of the Bitwarden browser extension. Other Bitwarden clients can be used to view the saved passkey.

So sadly, like TOTP I can't trust bitwarden to only keep my keys in an HSM on the server.

I really wish exporting would be impossible. Today, I need to add my primary and backup passkey devices whenever I signup for a service.

If keys were only stored on the server, then I could use it as a level of indirection.

[SheinhardtWigCo]

You're not really vulnerable to phishing if you use a password manager with a browser extension.

Cross-platform import/export for passkeys is considered a "nice-to-have" because you can always just add a new device via other established factors (email/SMS).

So, what's the point, then? Why can't passkeys just be strings that I can extract via biometric authentication?

The answer: everyone pushing this has a significant interest in making it harder to migrate between operating systems and password managers.

It's a land grab.

[jiveturkey]

https://matduggan.com/passkeys-as-a-tool-for-user-retention/

> It is also, as currently implemented, one of the most effective platform lock-ins I've ever seen.

[lxgr]

> Why can't passkeys just be strings that I can extract via biometric authentication?

As much as that lock-in annoys me personally – I could absolutely see this become a tech support scam attack vector. "Please share your passkey with us for authentication by going to your device's settings and selecting the 'export passkey' option"...

> you can always just add a new device via other established factors (email/SMS)

That gives the relying party some agency about requiring additional authentication to add devices though, of treating devices added under dubious circumstances as less trusted, or simply of sending a security notification to the customer.

Exporting a passkey leaves no relying-party-side traces.

[SheinhardtWigCo]

> "Please share your passkey with us for authentication by going to your device's settings and selecting the 'export passkey' option"

This doesn't seem materially different from "please go to your emails and find the six-digit code we just sent you".

> Exporting a passkey leaves no relying-party-side traces.

Not if it's only useful for getting a device-bound session token. Everything you listed is already commonplace.

[jesseendahl]

>This doesn't seem materially different from "please go to your emails and find the six-digit code we just sent you".

Exactly, that's the problem lxgr is pointing out. Those six-digit codes can (and often are) phished by e.g. tech support scam attackers. lxgr is pointing out the same exact attack could be done against an exported passkey.

[hedora]

So you’re saying this phishing attack:

We have to rename and re-enroll your device token so your laptop can still log in.

Click “I registered this credential” when you get the alert about it so your old credential that you added before will still work.

Is harder to pull off than:

Go to your password manager and export the entire database locally stored passwords. Now, print it out and read this 200 character string to me over the phone, or just email the file to me.

[veeti]

Can't we just put a 100px blinking red text that says "Do not share this with anyone or it's your own fault" and be done with it?

[lxgr]

It would be great if that were actually 100% effective, but unfortunately phishing still happens despite such warnings.

In a situation where a message on a screen tells a person to do x, and a person on the phone tells them to disregard it because it’s a computer error or whatever and do y, some percentage of people will do y.

The only way to prevent that is for there to be only one option – the safe one. Sometimes that has unacceptable other implications of course; this might well be such a case.

[magicalhippo]

> In a situation where a message on a screen tells a person to do x, and a person on the phone tells them to disregard it because it’s a computer error or whatever and do y, some percentage of people will do y.

It's the human version of prompt injection attack.

[GoblinSlayer]

Rename "export passkey" to "backup passkey". Or backup whole database.

[cheriot]

Maybe the authors saw this comment because the page you link to says, "A: Passkeys imports and exports will be included in a future release."

[imran-iq]

That's really a shame, I know keepassxc has (recently) added support for passkeys, but does it also support import/exporting them? I only found this comment[0] in the github issue.

EDIT: According to the pr[1] it does support import/export

---

0: https://github.com/keepassxreboot/keepassxc/issues/1870#issu...

1: https://github.com/keepassxreboot/keepassxc/pull/8825

[rstuart4133]

> But essentially it's a certificate...

I'll put upfront that I'm no expert in any of this, but ... unlike passwords and certificates, attestation is a thing for passkeys. The thing being attested to is "the private key of this cert is being secured by X". X might be YubiKey in the case of a FIDO2 key, or Google or Apple in the case of passkeys.

This aspect of passkeys made me uncomfortable with them. If Google is going to attest they manage your passkey, then it follows the aren't giving a copy to anybody, including you. That means if you lose your Google account you've lost control of your ID. But note: that's control, not the keys themselves. You probably will have a copy of them on a phone, so you can still use them until that phone dies. But when it does you've in a world of pain because you can't backup / transfer / copy them - only Google can do that. In effect you don't own your Google passkey - Google does.

I don't know if Bitwarden does attestation now, or if the are planning to implement it in the future. But if either of those things are true they can't give you a copy of the key, ever.

This still makes me uncomfortable. But I can see why it is so. You and I may be capable of protecting a private key, but my mother and 99% of the rest of the planet aren't. Your bank or whoever trusting me on my say so isn't going to work, so the end result of us never being able to manage our own keys is inevitable. We have to put them in the hands of a 3rd party the bank or whoever can trust.

And it is ameliorated by another aspect of FIDO2 / passkeys: unlike passwords where you can only have one per site, sites are expected to support many FIDO2 keys for the same person. And, you are expected to keep several of them and authenticate each of them at every site you use. So you might have a Google one, and a Bitwarden one, and maybe even a Keypass one. If you did you solve the "Google owns my ID" problem, but it's such a pain in the arse to do I don't see it happening.

We've seen several iterations of this concept: FIDO, WebAuthn/FIDO2, and now passkeys. I'd like to see one more: some way of bundling up a whole pile of passkeys from different providers, so when I establish a new account on a web site, I register all of them. That would make maintaining a bunch of PassKeys trackable. Right now, the reality is bugger all people are going to do it. And as a consequence, a good chunk of the planet is going to end up with Apple / Google / whoever owning their identities. And of course some of them are going to lose their relationship they had with there ID manager, and wake up one day to discover themselves wiped from the digital planet.

[wkat4242]

I hate attestation with a passion. But luckily Apple has not implemented it and nobody wants to lock all Apple users out. So at least right now it's not a thing in practice.

[lxgr]

Apple used to support it for their non-synced platform credentials. They fortunately got rid of it for synchronized passkeys.

[briHass]

Yep. The end game of this is that web applications will, either through laziness or a sense of 'better security', only accept passkeys attested by Google/Apple/MS and/or those backed by TPM with non-exportable keys. You have to register with the FIDO Alliance to obtain an attestation GUID, and unsurprisingly, only the big guys are on the list: https://github.com/passkeydeveloper/passkey-authenticator-aa...

This move by Bitwarden clearly shows that they believe products that allow you to export/backup your keys will be blackballed, so they played it safe and blocked that.

[lxgr]

My government's e-signing web application (which stores private keys on the vendor's servers for all citizens, but that's another story) already does that.

It used to not even accept Yubikeys, only a fairly unknown other brand; now they finally do support Yubikeys, but only the "FIDO L2" certified kind, i.e. the FIDO and "security key" models, but not the most common plain Yubikey ones...

[camkego]

The repo README for the link you provided says "This is a community-driven list of known passkey provider AAGUIDs to assist with naming passkeys in end user passkey management interfaces (e.g. account settings)."

It also says: "It is not intended to be used for any other purpose and could go away at any time."

Finally it looks like anyone can contribute attached to an implementation according to the Readme

[pests]

It does say it will come in a future version now. The FAQ has been edited since the comment with the original quote.

[lxgr]

> But essentially it's a certificate... so I wonder why no private key export? Maybe because current implementation uses some CA that binds you to the issuer?

It's a private key, not a certificate (at least not without using attestation).

But there is currently no portable specification of WebAuthN credentials; each authenticator is free to implement its own storage backend, and in fact some hardware authenticators deterministically re-derive the private key from an internal secret and the key handle before each signature.

Others store a randomly generated key in local storage, indexed by the key handle; yet others encrypt a randomly generated key and make that encrypted key part of the key handle.

The point being: Not all implementations can even support key imports, and there's no standardized serialization format for key exports yet.

[camkego]

It does seem like a real "lock-in" move.

[wkat4242]

But. If you run your own vaultwarden there must be a way to export it.

[lxgr]

Vaultwarden never sees the unencrypted vault contents though, does it? The way to export would be in the client applications, not the storage implementation.

[wkat4242]

Oh good point yes.

At least the clients are open source so it should be possible to write an exporter.

[halJordan]

It's just a false issue. You generate more key pairs when you have more devices. You get a new pw manager? Revoke the old ones and generate new ones. You get a new device? Revoke the old ones and generate new ones. Passkeys are a commodity.

It was a benefit that keys were device locked until the brain trust told you it was user hostile.

[Racing0461]

+1. Lastpass was the love child until they got sold and sold out. I switched over to bitwarden but after being burned, keeping it basic with no lock in for now.

[noname120]

In which way did you get burned while using Bitwarden?

[tech234a]

I think they meant they were burned by Lastpass and are now less trustful of password manager services.

[emptysongglass]

Is this true for all of the incumbent password managers? If so, it seems like the worst of software lock-in.

[eviks]

what's the phishing risk if bitwarden autofills only on the correct domains stored in the vault?

[vorpalhex]

Mobile apps, slightly tweaky domain names (which happens normally), much less fancy xss type attacks, plus general data exfil.

[eviks]

Mobile BW app also wouldn't fill a password for a different domain

[kiwijamo]

Can confirm this. Additionally, the Bitwarden app on mobiles also checks the app name (i.e. the 'com.company.appname' not the 'user friendly' name). It takes an extra step to 'force' Bitwarden to use a username/password if the name/domain does not match the name/domain(s) recorded against the username/password which adds a nice bit of friction.

[lxgr]

There not even being an extra step is still much safer, no?

[vorpalhex]

If I can't get my password thing to autofill on a mobile app (because the mobile app is on a different domain) then it's just annoying because I have to copy and paste over secrets.

That's the wrong thing twice over.

The password app should be as useful to me as a user as it can while still helping me be safe. "Hey, we can't confirm these creds are correct for this app. Do you still want to proceed?"

[josteink]

> what's the phishing risk if bitwarden autofills only on the correct domains stored in the vault?

The whole point of passkeys is that they should be tied to a specific domain, and thus be nonphisable.

If Bitwarden allows reuse for different domains, that would be (as I understand it) a violation of the spec and a bug in their implementation.

[kiwijamo]

Silly question perhaps, but what happens if a certain website changes to a different domain. E.g. a takeover of Company B by Company A who then decides to migrate all Company B passkeys to Company A and removes assets hosted under the Company B domain. This is easily sorted with existing tools but with passkeys... how?

[pests]

If they had time to prepare I'm sure they could develop a flow to get you a passkey on the new domain first. Similar to how YouTube used to do a bunch of cross-domain redirects (to plant cookies) to get Google+ login support back in the day.

[neurostimulant]

You might not get a head up when you're forced to change your domain though. For example, recently a huge number of .ml domains are dead and people that used them must scramble to migrate to another domain. The problem is some apps like mastodon (and now passkey) don't support changing domains unless the old domain is still accessible.

[lxgr]

It still wouldn't be a security problem, since WebAuthN includes the hash of the visited domain in the signature.

So even if Bitwarden would go blatantly out of spec and allow usage of a passkey created on and scoped to a.com on b.com, the assertion signature would effectively say "I want to login to b.com", which a.com would simply reject.

That's what makes it so much harder to phish than auto-filled passwords (which could still be MITMed e.g. through usage of attacker-installed TLS certificates).

[eviks]

The question was about the password alternative the op was describing

[nsokolsky]

What stops anyone from forking their client and adding an "Export" button?

[blibble]

export doesn't help if it's a TPM wrapped key

and websites can check the attestation on the registration to make sure it came from an apple/infineon/titan TPM