You must log in or register to comment.
I don’t know anything about passkeys but if Microsoft is pushing for them I am immediately suspicious. I am admittedly paranoid but if you have been an adult using a computer over the past ~15 years and aren’t paranoid you haven’t been paying enough attention
If by “passkey” they mean an HSM I’m okay with it
I’d still rather have TOTP as my 2nd factor so I don’t have to plug shit in
I’ve plugged my phone in so many times and it doesn’t detect shit. I’d rather stick with totp/email.
I kinda hate the push towards passkeys. If you have two factor Auth, going to passkeys makes you go back to 1 factor, aka less secured.
There’s also more and more 2FA fatigue attacks going on, and they can affect passkeys too, and if you don’t have a 2FA that involves the user writing a code on the 2FA device, passkeys could be quite possibly worse than passwords
Also, what happens if your device with the passkey fails?
Like the drive craps out?
You are supposed to have two redundant ones. Hooked up to every service. One leaves the house with you, the other stays in a safe, and you rotate them periodically
and nobody is gonna fucking do that lol
Mine are USB-A and USB-C so no two computers can use both. One of them randomly quit working (something in the OS dropped support for it maybe?) but then I think started working again?
At an old job I had a lot of control over my own infra and I used my HSM to log in to my forge. I haven’t used it daily in years now.
Similar problem with 2FA though
Under passkey implementations, you need to unlock the passkey device with biometrics or passwords. Something you are/know (biometrics/passwords) and something you have (passkey).
It’s not impossible to screw it up. Put your passkeys in bitwarden, reuse a password and don’t 2fa that.
My workplace doesn’t allow Bitwarden because ‘it’s not secure’.
It’s easy enough to enforce 2FA on it.
Most of the other online solutions are about the same.
That sort of thing is the push I need to get entirely off of Github
I think this post is about git CLI, not www.github.com.
SSH keys are very secure and you can still encrypt them with a password if you wish.
It’s not about encryption/security it’s about creating something that can’t be phished.
We know that 2fa is secure. But if an attacker can trick you into giving them the code, or typing it in a fake box. Then they own you.
Passkeys are made so that there’s nothing to give, nothing to type. You must control the device.
SSH keys are more like passkeys than passwords.
I’d love to see the state of online banking if everyone were to manage their own ssh keys
In all seriousness, they are similar, but not quite in this context.
There’s a good project on how to make ssh key infra more scalable and innately secure. Then you can use passkeys on top if you’d like.
https://github.com/openpubkey/openpubkey
https://github.com/openpubkey/opkssh
I personally use this on all my servers.
encrypt them with a password if you wish.
SSH keys without passphrases are just fancy credential files sitting in your
.ssh/directory, basically like writing your passwords on paper and leaving it in your desk drawer.but they require chmod 400 and they’re ideally in on an encrypted disk
So the desk drawer is locked and the codes are Luks encrypted.
And for critical stuff, you should also have a password on the key.
If your ssh keys are like a passwords on paper in a drawer, you’re doing it wrong.
TIL some people store SSH keys unencrypted
Yeah, but who wants to type in a password everytime they push/pull?
Take a look at
ssh-agent. It’s bundled with ssh-client and designed to solve this problem.The quick usage is, create a terminal and run:
eval `ssh-agent` ssh-add /path/to/your/encrypted/key1 #type in password ssh-add /path/to/your/encrypted/key2 ... # all commands in this terminal will use the keys above w/o asking you for a password git clone git@githib.com... git push... etcSo, basically you type your credentials once during the life cycle of your terminal.
If you really want to go full power-user, simple run
ssh-agent(without the eval) and you’ll see it just sets some env-vars, which can be imported into any terminal/shell you have open.So, if you put some logic in your shells rc file, you can effectively share a single ash-agent between all your shells, meaning you just need to type your password for your keys once when you log into your system… and your now passwordless for any future terminals you create (this is my setup).
Also, if you’re interested take a peek at the man pages for ash-agent. It has a few interesting features (ie: adding a password lock for your agent, removing keys from the agent, etc).
I have
if [ -z "$SSH_AUTH_SOCK" ] ; then eval $(ssh-agent -s) fiAt the end of .bashrc and
AddKeysToAgent yesIn .ssh/config so that it auto-adds keys I unlock.
I do it.
Every time.And I keep a wired keyboard for it.
I get keyboards probably have more range, but i worry privacy was gone a long time ago.
I see they really wanted to fit the acronym to RAMBO, lol.
But it makes sense. Considering, we keep out mobile phones in around a metre’s reach, it would be trivial to just get that information just from key sounds. Guess I better get one of those high frequency faraday cages, huh?There are a few on audio, I saw one where they read HDMI over the air from 60 ft away.
I’d kinda like to see Bluetooth shored up a bit maybe require a tap to bind every day.
I had mine on paper for years before i learned about Keepass. I trusted it more than a cloud based manager because someone would have to physically be in my room.
I am a lot more careful these days but that is not beyond the pale for a lot of folks haha
It’s still more secure than password+sms/email
Barely.
It’s different. It’s still two factors if implemented correctly: 1. Possession of the passkey (better if you have a physical token, but passkey on your phone is passable). 2. Knowledge of your password (or bio authentication if you use face id or w/e).
Note you are not giving your password to the website, and if a hacker gets hold of your password they still can’t do anything without your passkey device.
Knowledge of your passwords
Uh… What password?
Passkey should ask for a password for unlocking. If it doesn’t then it’s not implemented correctly.
It’s client specific and my phone requires whatever can unlock the phone and chrome requires either windows hello or a pin if under linux.
Certain implementations do whatever, and as far as the backend is concerned, there’s no way of knowing, unless you want to get into the business of locking down specific vendor keys…
But I say MFA is overrated versus just getting away from generally crappy password factors. Also passkeys are less phish-able than OTP type solutions.
Yes, it’s implementation specific, in this case your phone, or your browser is the passkey “device”. And as long as it’s protected by some form of authentication it’s OK (though I would recommend a hardware token over phones/browsers). If it doesn’t then you shouldn’t be using that “passkey”. Yes, there is no way for the website you are authenticating with to know whether your passkey is safe or not, choosing a secure passkey implementation is (unfortunately) the user’s job. But it’s the same with more traditional 2FAs, e.g. you can store your TOTP secret securely or insecurely, and the website will have no way to know.
Yeah. Passkeys are something I would love if they were a second factor because they are so much better than any other 2fa. And I use my yubikeys as second factors where I can. But why the hell would I not want a password too?
No phishing
Passkeys are always supposed to be protected by another layer of authentication. e.g. a password should be required to unlock the passkey. If your passkey don’t do that, stop using it.
If I provide passkey support and still require a password, most users will get annoyed and not bother. If I provide it as a replacement for password, then I can get them onboard more often. I’d rather have them using passkey than sticking with password.
What happens to the account access if the passkey-registered device dies?
My passkeys are stored in keypass, which I share between multiple devices. Phone, home servers, desktop pc and a flashdrive that stays in my car.
Obviously the flash drive needs to be manually updated but the other devices use syncthing to keep everything up to date.
I get there are some people that have concerns over such a configuration but I’m happy bopping away knowing that if my phone dies, I’ve still got access to accounts / can easily be back up and running on a fresh device.
What happens when that file gets breached?
Same thing as any file full of credentials.
You can have more than one passkey.
You can still use password + 2fa
You can use google oauth.
You can use a YUBI key
You should probably have a primary and secondary auth for every site.
So, losing a passkey isn’t a lost account?
Almost every company has some way to work around the 2FA loss.
I didn’t know about the ability to use more than one passkey per platform. Something I’ll have to investigate further.
Everybody does it differently. GitHub in particular allows multiple
If you are doing development or admin work, I would greatly advise you to pick up a Yubi Key.
My basic setup for any app/site that will allow it is two yubis and one passkey.
One yubi in the safe with next of kin instructions, one on my key ring.
Then any site that supports passkey, I’ll also have one of those there too.
What’s the point of a passkey if you can still use a password
- password + 2FA AND/OR passkey required.
- baby steps, start with getting them secure, then when most are ready start dropping the password
- iron out the kinks, give all apps a chance to implement
- if you only ever login with passkey and it asks you for 2fa, you can scrutinize the page more
You can tell just from the response on this post people aren’t all ready for passkey yet, but you can’t wait fo them to decide they’re ready before you start.
If this isn’t referring to the Git CLI that prompts the user for username and password for a GitHub remote repository and GitHub rejecting password auth, then disregard this rant.
Git and GitHub are two seperate pieces of software. Git is the local client that does all the work and can optionally sync with a remote repository that can be stored in GitHub or GitLab or any other compatible remote. When Git asks for a password to authenticate, it has nothing to do with GitHub. GitHub then rejects that authentication method that Git provided because it believes that the method is insecure.
Wait until we tell them that Java and JavaScript are also different languages that are completely different things.
Both terrible in their own special way.
I mean, that’s just the Git behavior.
not sure why you’re getting downvoted for actually knowing the default behavior for git when interacting with an http remote
Still using Github, the American company owned by Micro$oft, known for deleting repos? I’d consider switching away from them, If you’re able to.
They offer free build time on windows and mac. There are also specific integration for GitHub not available for other platforms. I don’t rely on it for storing my code, just for building. I could spend a month and migrate to a different platform but so far there was no point.
when they tell you to check your email for a code when you just put in your username and password
I hate this. There’s nothing on my Github that’s so valuable it needs protection. It’s just a waste of time when I’m trying to make a bug report or something.
