Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing… that lives on my phone? What if I lose my phone? What if you steal my phone?

  • Heavybell@lemmy.world
    link
    fedilink
    English
    arrow-up
    153
    ·
    9 months ago

    Until someone can explain to me how I can transfer, manage and control my passkeys without syncing them to some hostile corporation’s cloud infrastructure, passkeys will remain a super hard sell for me.

    • TreeGhost@lemm.ee
      link
      fedilink
      English
      arrow-up
      38
      arrow-down
      2
      ·
      9 months ago

      You can use Bitwarden to store passkeys. Not sure if the self hosted solution has support for it yet though.

      • sailingbythelee@lemmy.world
        link
        fedilink
        English
        arrow-up
        23
        ·
        9 months ago

        I must admit that, despite reading about passkeys a bit, I still don’t understand the actual practicalities. I seem to recall that Bitwarden can store keys, but can’t generate them. If that’s true, who generates the passkey?

        • Spotlight7573@lemmy.world
          link
          fedilink
          English
          arrow-up
          21
          ·
          9 months ago

          Bitwarden can both generate and store them in the browser extension. It can also use them through the browser extension but it can’t yet use them through the mobile apps (they’re working on it).

          • Zeroc00l@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            9 months ago

            Bitwarden pro right? ($10 for the year, totally worth it). My mobile app can create/use them already too.

            • Spotlight7573@lemmy.world
              link
              fedilink
              English
              arrow-up
              5
              ·
              9 months ago

              Don’t need the premium version of Bitwarden to use passkeys. The free version works.

              That said, $10 per year is not a big cost to support the company storing your vault and developing the apps.

      • TheOneCurly@lemm.ee
        link
        fedilink
        English
        arrow-up
        8
        ·
        9 months ago

        Vaultwarden does at least, I’ve been using it with passkeys for the last couple months and it’s been great.

      • Carlos Solís@communities.azkware.net
        link
        fedilink
        English
        arrow-up
        2
        ·
        9 months ago

        VaultWarden user here - yes you can now use your own self-hosted server to store passkeys and that’s a gigantic game-changer. Just install the BitWarden add-on on a recent version of Firefox and voilà

      • subtext@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        9 months ago

        2024.1.2 released with self-hosted server passkey support.

        TBH though I would not trust myself to self host my keys to my digital life when the alternative is $40/year for the whole family. You may have a different perspective though.

        • Carlos Solís@communities.azkware.net
          link
          fedilink
          English
          arrow-up
          2
          ·
          9 months ago

          You can just use something like YunoHost, and synchronize weekly encrypted backups via Nextcloud or Syncthing to all of your computers. That way, if your server ends up busted for whatever reason, you can just restore it elsewhere and go back to business

    • Dem Bosain@midwest.social
      link
      fedilink
      English
      arrow-up
      26
      arrow-down
      2
      ·
      9 months ago

      I currently use Syncthing to keep my Keepass database updated on my phone, laptop, and home server. Any change anywhere is instantly sent directly to the other 2 devices.

      • drengbarazi@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        arrow-down
        1
        ·
        9 months ago

        this is the way

        you can even tweak folders to either send or receive only on some devices

        plus if you really want to be safe you can set file versioning and ignore deletes on a folder to make it strictly backup on more than one device

        no internet connection required, you can set it all on lan

        I think it is my favorite open-source project after Torvalds’ creations

        • fedroxx@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          9 months ago

          How’d you get nextcloud actually working? I’ve tried a few times and it was never stable.

          • Heavybell@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            9 months ago

            I use the ebuild on Gentoo, combined with some custom nginx config, and a dedicated php-fpm instance just for Nextcloud. Never tried using any of the Docker packages for it so I can’t comment on those.

            Updates involve merging the new package and running webapp-config to link the files into place, running occ upgrade, and refreshing ownership of the php files. Never had a serious problem with it.

      • Carlos Solís@communities.azkware.net
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        Can you use SyncThing along with Nextcloud? I currently use Nextcloud to store my data, but the one part where it still lags a bit behind is on Android specifically (you need to manually sync certain changes).

        • Dem Bosain@midwest.social
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 months ago

          I don’t know anything about Nextcloud. Syncthing is open source, and there are a couple of Android apps. I use Syncthing Fork and don’t have any problems.

    • Flying_Hellfish@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      1
      ·
      edit-2
      9 months ago

      Depends on where the line is as far as evil goes. Most of the popular password managers are now starting to support storing passkeys.

    • Tau@sopuli.xyz
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      2
      ·
      9 months ago

      Browsers can save them and extensions like, KeepassXC, can behave like a passkey provider

      • Heavybell@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        9 months ago

        That’s something, but isn’t half the benefit meant to be storing them in the TPM? Also, that won’t help if you’re logging into a game or app, surely? Would love to be wrong on that, of course.

        • Spotlight7573@lemmy.world
          link
          fedilink
          English
          arrow-up
          6
          arrow-down
          1
          ·
          9 months ago

          Many apps now do the ‘app opens the browser for login’ process instead of having the login in their actual app. They don’t have to implement all the different ways to log in then, they can just use the same system that their normal account management stuff on their site uses.

          You can get greater security with hardware-backed solutions like a TPM but the adoption rate was not great. I think the goal is to improve things over passwords, even if the credentials are then available on multiple devices via a sync or a password database file. Perfect being the enemy of good and all that. Hardware options still exist and you can still use them; they use the same WebAuthn standard that passkeys use.

        • IHawkMike@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          9 months ago

          Yeah, I personally will only use hardware solutions for passkeys – YubiKeys and TPM-backed WHFB creds.

          But the other reply makes a very good point about adoption being more important than perfection since, even with software-backed passkeys, you still have the benefit of the secret never leaving the client.

        • Tau@sopuli.xyz
          link
          fedilink
          English
          arrow-up
          2
          ·
          9 months ago

          Also, that won’t help if you’re logging into a game or app, surely?

          MicroG has added support for passkeys already

    • johannesvanderwhales@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      9 months ago

      You can create passkeys on individual devices without cloud syncing them. This is a normal usage pattern. How exactly this will be handled depends on the implementation.

      • Heavybell@lemmy.world
        link
        fedilink
        English
        arrow-up
        12
        arrow-down
        1
        ·
        9 months ago

        I already use KeePass, but as far as I know it doesn’t do passkeys, only passwords?

          • Heavybell@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            9 months ago

            I have been super hesitant to look into KeePassXC, should I give it a chance?

            Of course, unless I can also access these features on my phone it doesn’t really matter…

            • Spotlight7573@lemmy.world
              link
              fedilink
              English
              arrow-up
              4
              ·
              9 months ago

              Yeah, unfortunately passkey support on mobile outside of what the OS/browsers provide is kind of not there at the moment but it’s being worked on. Android 14 apparently has some kind of framework for integrating in third-party passkey providers. At this point, you should view passkeys as an additional, more convenient and secure way to log in on the platforms it’s supported on, not necessarily the only way to log into an account.

            • Flumpkin@slrpnk.net
              link
              fedilink
              English
              arrow-up
              2
              ·
              9 months ago

              I recently switched to KeePassXC and it looks nicer and is easier to use. The also include some addon functionality into the app so you don’t need to trust that. The only downside is that it doesn’t automatically fills the browser text fields, you have to click on a green icon in the text field - but that is more secure. They also have an android app.

        • ikidd@lemmy.world
          link
          fedilink
          English
          arrow-up
          9
          arrow-down
          3
          ·
          9 months ago

          Bitwarden does passkeys supposedly. Haven’t tried it myself yet because I don’t know what to make of passkeys.

          • Spotlight7573@lemmy.world
            link
            fedilink
            English
            arrow-up
            8
            ·
            9 months ago

            Currently Bitwarden’s passkey support is limited to the browser extensions not the apps but from my experience it works relatively well. When logging into a site you just select the passkey from the extension popup and it logs you in.

            Example passkey registration:

            • Click create a passkey button in the accounts settings page
            • Bitwarden extension pops up with a list of matching accounts
            • Select the account in your password manager that you want to associate the passkey with
            • Click Save passkey button
            • The account now has a new passkey associated with it that’s stored in your Bitwarden vault

            Example login:

            • Click sign in with passkey button on the login page
            • Bitwarden extension pops up with a list of matching accounts from your vault
            • Select the account you want to sign in with
            • Click Confirm button
            • You’re signed in
    • frizop@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      9 months ago

      Enpass stores the passkey in their db, can be used cross platform and has browser extensions and local (or WiFi) syncing.