Posts
10
Comments
270
Joined
2 yr. ago

  • Not sure how Chrome's alternatives for providing relevant ads are harder to block when you can just turn them off (and examine the data it's collected) in the settings. These systems are what Chrome is able to do at the moment to work towards blocking third party cookies. They do have an incentive to make something that they know works well for them though, I'll give you that.

  • People also don’t have a backup device though.

    And that's a problem with most authentication factors and with how most systems don't rely on just the password anymore. If you don't have a backup device, you're going to run into issues.

  • Passkeys are protected by either your device's password/passcode (something you know) or your device's biometrics (something you are). That provides two factors when combined with the passkey itself (something you have).

    The benefit of the password is only available if you know your password for your accounts or if you have a password manager. People can only remember a limited number of passwords without resorting to systems or patterns. Additionally, with many accounts now knowing the password is not enough to log in, you must either be logging in from an existing device or perform some kind of 2FA (TOTP, SMS, hardware security key, etc). So you already need to have a backup device to log in anyways. Same with a password manager: if you can have a copy of your vault with your password on another device then you can have a copy of your vault with your passkey on another device. Nothing gets rid of the requirement to have a backup device or copy of your passwords/passkeys if you want to avoid being locked out.

  • Bitwarden can both generate and store them in the browser extension. It can also use them through the browser extension but it can't yet use them through the mobile apps (they're working on it).

  • Yeah, unfortunately passkey support on mobile outside of what the OS/browsers provide is kind of not there at the moment but it's being worked on. Android 14 apparently has some kind of framework for integrating in third-party passkey providers. At this point, you should view passkeys as an additional, more convenient and secure way to log in on the platforms it's supported on, not necessarily the only way to log into an account.

  • Basically, but with a separate public/private key pair per login so they aren't able to link your identity between sites or accounts with it and also synced or stored in a password manager so you don't lose them.

  • Currently Bitwarden's passkey support is limited to the browser extensions, not the apps, but from my experience it works relatively well. When logging into a site you just select the passkey from the extension popup and it logs you in.

    Example passkey registration:

    • Click create a passkey button in the accounts settings page
    • Bitwarden extension pops up with a list of matching accounts
    • Select the account in your password manager that you want to associate the passkey with
    • Click Save passkey button
    • The account now has a new passkey associated with it that's stored in your Bitwarden vault

    Example login:

    • Click sign in with passkey button on the login page
    • Bitwarden extension pops up with a list of matching accounts from your vault
    • Select the account you want to sign in with
    • Click Confirm button
    • You're signed in

  • Passwords are known (or accessible in a password manager) by the user and the user gives one to a site to prove they are who they say they are. The user can be tricked into giving that password to the wrong site (phishing). The site can also be hacked and have the passwords (or hashes of the passwords) leaked, exposing that password to the world (a data breach).

    With passkeys, the browser is the one checking that it's talking to the right site before talking by making sure the domain name matches. Passkeys also don't send a secret anywhere but instead use math to sign a message that proves they are the returning user. This security is possible because there is a public key and a private key. The user is the only one with a public key. The authenticity of the message is guaranteed by math by checking it with the public key that the user provided to the site when they registered their passkey. The site doesn't need access to the private key that the user has to verify the message so there's nothing sensitive for the site to leak.

    In practical terms, instead of having to have your password manager autofill the username and password and then do some kind of second factor, it just signs a message saying "this is me" and the site logs you in.
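The registration and challenge-signing model described in this comment, as an added example in Go that is not part of the original post: the authenticator keeps one private key per site, signs only when the origin it is asked for matches a registered RP ID, and the site verifies with the stored public key. The names (`Authenticator`, `RelyingParty`, `digest`), the "hash of RP ID plus challenge" signed message and the string RP IDs are assumptions that simplify WebAuthn's real data structures; everything else uses the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator (e.g. a password manager vault) holds one private key per site, keyed by RP ID.
type Authenticator map[string]*ecdsa.PrivateKey

// RelyingParty (the site) stores only public keys per username, so a breach leaks nothing reusable.
type RelyingParty struct{ ID string; pubs map[string]*ecdsa.PublicKey }

func NewRelyingParty(id string) *RelyingParty { return &RelyingParty{ID: id, pubs: map[string]*ecdsa.PublicKey{}} }

// Register creates a fresh P-256 key pair for this site; only the public half leaves the authenticator.
func (a Authenticator) Register(rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a[rp.ID] = priv
	rp.pubs[user] = &priv.PublicKey
	return nil
}

// digest binds the RP ID hash to the server's challenge (a simplified stand-in for WebAuthn's signed data).
func digest(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	d := sha256.Sum256(append(rpHash[:], challenge...))
	return d[:]
}

// Assert signs only if the origin the browser is on has a matching passkey; a lookalike domain gets nothing.
func (a Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a[origin]
	if !ok {
		return nil, errors.New("no passkey registered for origin " + origin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest(origin, challenge))
}

// Verify checks the signature with the stored public key; the private key never crosses the wire.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	return ok && ecdsa.VerifyASN1(pub, digest(rp.ID, challenge), sig)
}
```

Because each site gets its own key pair, a signature produced for one RP ID cannot be verified by another, and a lookalike domain never receives a signature at all.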

  • Many apps now do the 'app opens the browser for login' process instead of having the login in their actual app. They don't have to implement all the different ways to log in then; they can just use the same system that their normal account management stuff on their site uses.

    You can get greater security with hardware-backed solutions like a TPM but the adoption rate was not great. I think the goal is to improve things over passwords, even if the credentials are then available on multiple devices via a sync or a password database file. Perfect being the enemy of good and all that. Hardware options still exist and you can still use them; they use the same WebAuthn standard that passkeys use.

  • Exactly. You could have access to your password manager on your computer or a backup hardware security key instead. It doesn't have to all be tied to just one phone, just like you don't have to have just one house or car key.

  • For many people it works well as a trade-off between security and convenience. It may not be for everyone though and that's okay. Nothing stops you from using a password/passcode to secure your passkey instead.

  • It's probably overkill for most people but I would love to have a system that lets me choose what combination of factors together work to log in rather than just 'password and something else'. Something like A, B, C are on the account and you can use A+B or B+C to log in. It'd be great for those who don't necessarily want to trust SMS-based one-time passwords (due to SIM swapping, theft, etc) if we could require something else along with it.

    That said, the way passkeys are typically used satisfies multiple factors at once:

    Password to unlock your password database that stores your passkey: something you know, the password + something you have, the database

    Biometric to unlock your phone that has your passkey: something you are, fingerprint or face + something you have, the phone

  • The person who broke their phone screen wasn't mad about not being able to access the data on it in this case, but rather that they couldn't receive a text message as the second factor to log in to their bank. Having a backup wouldn't have mattered, they couldn't receive the text. Like it or not, having two-factor authentication on accounts is a necessity with the phishing and malware problems out there. Having multiple (secure) factors attached to your account is the best protection against getting locked out.

    The breaking of a phone and loss of the data on it can still be protected against by having backups in other locations or offline, like you have.

  • If you already have a central point to lose everything in the form of a password manager, is it any worse? What's the difference between a random password stored in your password manager that you don't remember versus a private key stored in your password manager that you're not expected to remember? You've always needed to make backups or have alternative ways to get in (recovery codes, customer support channels, etc), nothing about that has changed when going from passwords to passkeys. When passkeys are supported on sites, there can be no autofill issues (password or TOTP), no password complexity requirements, no worries about how they are hashing them on the server side, no phishing issues, etc. That's an improvement over the system we have now.

    And for those that don't have a password manager, they are likely reusing passwords. Passkeys prevent the risk of password reuse and the risk of phishing.

  • By default the big three (Chrome, Safari, Edge) store them via their normal syncing processes (Google Passwords, iCloud Keychain, Edge's password manager). If you use a different password manager (e.g. Bitwarden) it's handled by their normal processes (cloud, syncing a database file, etc). I don't believe there is a way to export a passkey from most of these at the moment but you can almost always have multiple passkeys attached to an online account so you can always just add your new password manager to your account as another passkey.

    There is a way to use a key backed by the hardware that is not exportable such as using a TPM or a physical USB security key but I believe that most are pushing the synced ones for the convenience of the end user.