by gerwim 929 days ago
What is this post ranting about? Pushing your keys to big tech? There is no difference if you use Chrome’s password manager for passwords or passkeys.

You can save passkeys on your own network if you use Bitwarden or if you want, write your own solution.

For 99% of the internet users, passkeys are much better than passwords.


Here's a workflow:

1. Normally I run everything on my own devices, use 1Password, 2FA, etc, but rarely I need to use a locked down device and manually and painstakingly enter 100+ character passwords and 2FA keys. Installing anything on the device is out of the question, but I need to use a web browser and auth using these credentials. Copy and paste and externally using any devices to connect with the system is prohibited.

How does doing a FIDO2 dance work in this scenario?

> Copy and paste and externally using any devices to connect with the system is prohibited.

Like a keyboard? In which case: How do you enter your password?

Is that a common scenario? Where you can use a (presumably) USB attached keyboard but you cannot insert your security key?

Air-gapping the machine running a web browser from the machine that stores your passwords seems completely reasonable to me.

So does preventing people from plugging random USB devices into shared machines.

Passkeys have a fallback flow where they show a QR code you can scan from the screen of the device you want to log in to. Requires Bluetooth though to prove you are "near" the device. I guess that's also disabled on these hypothetical locked down devices?

I can't imagine that working correctly on a machine at a library.

Also, connecting via Bluetooth defeats the purpose of air-gapping.

And yet all the non-technical folks you give this advice to will look at you like you have two heads. This is completely unreasonable, unrealistic, user-unfriendly advice.

Many people use shared computers at our local library. I can afford a nice quiet office and big monitor at home, but many people cannot.

I imagine they either memorized their passwords, wrote them on a piece of paper, or stored them on an (air gapped from the library machine) cell phone.

There is a keyboard and mouse attached to the server already, but few if any services run, and if they do they're fairly locked down, or in some degraded state.

It's not a server I need to access often in this way. But I think these necessary-but-limited-use scenarios will be interesting should passkeys really catch on like passwords did.

> Is that a common scenario? Where you can use a (presumably) USB attached keyboard but you cannot insert your security key?

I don't know how common it is, but this is the exact issue that makes passkeys a nonstarter for me.

This is covered by the cross-platform scenario. It's not super elegant, although I'd say it's easier than typing 100+ random characters (and also trusting that the locked down device doesn't have any key logging?). Lots of providers have their own FAQ, but here's one: https://www.corbado.com/passkeys/faq#:~:text=Passkeys%20have....

Why does this need a technical solution? Just type in the password. Presumably if the system is important enough to be airgapped and needs a 100+ character randomized password (without copy paste and without hardware keys), it is important enough for you to spend the time to memorize and type in the passwords.

Otherwise, it is just security theatre if you won't even spend the time to make absolutely sure that 1) you are typing into an authorized device that won't log your key strokes, and 2) that using any other "assistance" mechanisms represents a breach in the security of this system.

Just friggin memorize it and type it in. For me, I memorize my bank password and PIN even though it's very complicated. This information is important enough for me to commit the time and not cheapen out by "relying on a tool". Of course, I keep it in my password manager as a record, but in daily use I absolutely do not say to the teller: oh I need to look it up. I recite to the bank my passphrase and other id confirmation by memorization, I know it even better than my own phone number.

If you need multiple people to log in, each person should have a different password, only memorized by that person alone.

If the person can't memorize it, I would say either change the design of the system or fire this person because "they had one job: to memorize and type in this password".

> You can save passkeys on your own network if you use Bitwarden or if you want, write your own solution.

And then Google or whoever will block login because your device attestation flag (part of the spec) doesn't say the right version of Chrome or Android. Maybe the website just won't let you log in with Firefox anymore "because hackers use it".

Don't worry, Apple zeroes out their flag (for now) so you'll just have to pretend to be an Apple device to get in (for now). Assuming the service in question doesn't have an axe to grind with Apple anyway.

Android passkeys return `fmt:none` as well if you ask for an attestation certificate.

It's pretty weird to claim that this is a big lock-in risk when both of the major players are not supporting attestation certificates for consumer use cases.

And the one well known site (vanguard) that was requiring an attestation certificate no longer does.
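To make the `fmt:none` point concrete, here is an added example (not code from anyone in this thread): a minimal CBOR decoder for the WebAuthn attestationObject, a helper that reads its `fmt` field, and a relying-party policy check showing that an RP which does not require attestation accepts `fmt:none`, while a strict one would reject it. The sample attestation object and the `relying_party_accepts` policy are constructed for illustration.

```python
# Minimal CBOR decoder (RFC 8949 subset: uint, bstr, tstr, array, map).
# Enough to read a WebAuthn attestationObject; written for this example only.
def _read_len(data, pos, info):
    if info < 24:
        return info, pos
    n = 1 << (info - 24)                      # 24->1, 25->2, 26->4, 27->8 bytes
    return int.from_bytes(data[pos:pos + n], "big"), pos + n

def cbor_decode(data, pos=0):
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if major == 0:                            # unsigned integer
        return _read_len(data, pos, info)
    if major == 2:                            # byte string
        n, pos = _read_len(data, pos, info)
        return bytes(data[pos:pos + n]), pos + n
    if major == 3:                            # text string
        n, pos = _read_len(data, pos, info)
        return data[pos:pos + n].decode("utf-8"), pos + n
    if major == 4:                            # array
        n, pos = _read_len(data, pos, info)
        items = []
        for _ in range(n):
            item, pos = cbor_decode(data, pos)
            items.append(item)
        return items, pos
    if major == 5:                            # map
        n, pos = _read_len(data, pos, info)
        out = {}
        for _ in range(n):
            key, pos = cbor_decode(data, pos)
            out[key], pos = cbor_decode(data, pos)
        return out, pos
    raise ValueError(f"unsupported CBOR major type {major}")

def attestation_format(attestation_object):
    """Return the 'fmt' of a WebAuthn attestationObject ('none', 'packed', ...)."""
    obj, _ = cbor_decode(attestation_object)
    return obj["fmt"]

def relying_party_accepts(attestation_object, require_attestation=False):
    """Constructed RP policy: 'none' (what Apple/Android passkeys return) is
    accepted unless the RP insists on attestation; other formats would
    proceed to full attestation-statement verification (not shown here)."""
    if attestation_format(attestation_object) == "none":
        return not require_attestation
    return True

# Constructed sample: {"fmt": "none", "attStmt": {}, "authData": <4 placeholder bytes>}
SAMPLE_NONE = bytes([0xA3,
    0x63, 0x66, 0x6D, 0x74,                               # "fmt"
    0x64, 0x6E, 0x6F, 0x6E, 0x65,                         # "none"
    0x67, 0x61, 0x74, 0x74, 0x53, 0x74, 0x6D, 0x74, 0xA0, # "attStmt": {}
    0x68, 0x61, 0x75, 0x74, 0x68, 0x44, 0x61, 0x74, 0x61, # "authData"
    0x44, 0xDE, 0xAD, 0xBE, 0xEF])                        # 4-byte placeholder
```

A real registration flow would still parse `authData` (RP ID hash, flags, credential ID, public key); only the attestation-gating decision is shown here.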

> Android passkeys return `fmt:none` as well if you ask for an attestation certificate.

But for how long?

How exactly does this work? I have Bitwarden and Firefox on Linux. I have been unable to get Passkeys to work at all, using either Bitwarden or my YubiKey. Is Firefox just not supported?

You need version 2023.10 (or higher) for both extension and server for it to work.