[Lex Computer & Tech Group/LCTG] Passkey Google Chrome update

Seth Silverman lctg at silverangan.com
Thu Oct 17 07:41:02 PDT 2024


This is a really great discussion on Passkeys.  There are standards for 
Passkeys, but like all standards, interoperability is only as good as 
people's interpretation of and adherence to the standards. Also, 
unfortunately, a very small fraction of websites support passkeys today, 
so you are still stuck with the other options, which are likely no 2FA, 
then 2FA via SMS, then 2FA with an authenticator, which ironically 
demonstrates an inverse relationship between popularity and security.

Keep your passkeys safe!

I do want to point out that it is important that whatever mechanism you 
use to store the passkeys is secure.  Biometrics are common, but 
if that is not available, please use a strong passphrase to protect your 
"vault" and make sure the "vault" is very well protected.  There have been 
exploits in password managers because the vault data has not been 
properly protected.


What if you have multiple devices?

As for cross-device synchronization, one thing to keep in mind is that 
although it may be less convenient, you can have one passkey for each 
device for a particular website.  Also, in some scenarios, you can 
access a passkey from your mobile device when using a website.

https://allthings.how/how-to-create-and-use-a-passkey-for-another-device-on-windows-11/

Not sure whether using passkeys from another device is universal in the standard or 
only for some websites (or passkey managers) that support it. I've used 
it successfully for logging into Google services, I believe.


How do you get the passkey prompt to show up?

Also, some websites are less seamless than others.  For example, if you 
are presented with a username prompt at a website where you have a 
passkey, you will have to type in the username (often the e-mail address 
associated with the passkey and your account) and after hitting "submit" 
or its equivalent, it will prompt you for the passkey.

What I do, if you are interested ...

I happen to use Bitwarden as my password manager, but use Apple for 
storing passkeys (works really well if you are in an Apple ecosystem).  
Bitwarden's support came much later than Apple's password manager so 
I've stayed with Apple.  I may play around with Bitwarden to also store 
my passkeys as it works on pretty much all platforms (Windows, Mac, 
iPhone, presumably Android, has browser extensions for major browsers, etc).


2FA authenticator codes (for sites that use them and don't support passkeys)

In theory, Bitwarden can also handle 2FA authenticator codes, but I 
recall someone questioning whether this makes sense, because if someone 
is able to break into your Bitwarden vault to get your password, they 
can also do the 2FA part of the authentication.  I happen to use Authy 
as it does nice device synchronization of the 2FA accounts, but there 
are some questions related to privacy (most big ones, including Google 
Authenticator, apparently send extra personal information back to the 
mother ship) that are making me consider an alternative like Apple's 
password app.  I believe Android has much better open source options, 
but they are often not available on iOS devices, sadly.  I would love to 
get suggestions if you have them.

     -- Seth


On 10/17/24 6:06 AM, Robert Primak via LCTG wrote:
> Sorry about the transposition. KeepassDX is the app for Android.
>
> As for passkey support for keepass2android and KeepassDX:
>
> https://github.com/PhilippC/keepass2android/issues/2099#issuecomment-2110501145
>
> https://github.com/Kunzisoft/KeePassDX/issues/1421
>
> So it's on the radar, but not yet available. Portability of the 
> Keepass database is supported however, and there are Android password 
> managers which do use passkeys. This circles back to Bitwarden and its 
> open-source fork.
>
> -- Bob Primak
>
> On Thursday, October 17, 2024 at 04:15:03 AM EDT, Drew King 
> <dking65 at kingconsulting.us> wrote:
>
>
> Here are some screenshots and accompanying description that might help 
> everybody get on the same page with regard to how the stuff works and 
> more how much it doesn't work.
>
> I can log into my Amazon account on a desktop computer using my 
> passkey that is stored in my password manager KeepassXC, however I 
> cannot do the same thing in a browser or in the app on my cell phone.
>
> Not to nitpick, but the Android app name is KeepassDX NOT XD.
>
> There is another very popular Android app that I use called 
> Keepass2Android. Neither one of these has been updated to support 
> passkeys; however, there has been discussion in their forums about how 
> to do it, only one app is developed by a single person as far as I can 
> tell and I don't think he knows how to do what he needs to do.
>
> I have passkey set up on my Amazon account, and it is stored in my 
> Keepass databases.
>
> Here are some screenshots:
>
> KeepassXC on Windows, Mac, and Linux REQUIRES the matching KeepassXC 
> browser extension to be installed and paired with the database.  It is 
> the browser extension that detects the website wanting to set up a new 
> passkey, and it intercepts that communication. The actual passkey 
> information is stored in the database in the advanced section under 
> additional attributes. Cell phones don't have browser extensions and 
> the Android app doesn't know what to do with this data that is stored 
> in the database.
>
>
> This next picture is of the Android software KeepassDX and you can see 
> in the picture that it sees the passkey information:
>
> These next shots are from Amazon trying to log me in using a passkey 
> stored on my cell phone:
>
>
>
> Amazon and Microsoft are asking me to use a QR code and scan it with 
> the device that has the passkey, but the phone, which can scan QR codes, 
> doesn't know to open my password manager to complete the task. There 
> is a breakdown in communication.
>
>
>
> Drew.
>
>
> On 10/17/2024 3:39 AM, Robert Primak wrote:
> From what I researched, KeypassXC is the app for Windows, Mac and 
> Linux, and KeepassXD is for Android. If Syncthing is also used, the 
> ecosystem could operate entirely without a Cloud account. The database 
> could also be stored as the original or a copy on USB media, which 
> would make it available to any device as long as you have the USB 
> storage with the database on it at hand.
>
> KeypassXC and KeypassXD use the same database format, but reading with 
> KeypassXD from an SD Card can be complicated by file system issues. 
> (SD Cards use a DOS (FAT) format, which often can't be read by modern 
> Android without going through some hoops.)
>
> KeypassXC and KeypassXD looks like a fairly complete solution, with 
> the database stored on some sort of modern USB storage like a flash 
> drive. An Android phone would also need to be able to connect the 
> flash drive to USB-C, which is trivial these days.
>
> Compatibility issues between Google and Microsoft implementations of 
> passkeys are not the fault of the standards people. Those companies 
> are not using the standards suggested by the FIDO Alliance, but 
> proprietary variations. The fault is with them, not the Alliance. 
> There is in fact only one standard officially recommended for passkeys.
>
> -- Bob Primak
>
> On Thursday, October 17, 2024 at 01:46:31 AM EDT, Drew King via LCTG 
> <lctg at lists.toku.us> wrote:
>
>
> Correct.
>
> Right now 99% of the people who have implemented passkeys have no idea 
> where they are or how to manage them, they just know that they work 
> somehow.
>
> That is one of the reasons why it is a good idea to use a single 
> platform for the use and implementation of passkeys. Passkeys are 
> still in flux regarding the way they are managed because there's no 
> standard for sharing passkey information between different products.  
> If you're entirely in an apple ecosystem then you have coordination, 
> but if you want to use even one Windows computer it throws everything 
> out of balance because there's no sharing between Windows and Apple.
>
> My preference is to have all passkeys stored in my password manager. 
> Unfortunately, my password manager is not under management of only one 
> developer or organization.
>
> I use an open source password manager on my desktop platform and on my 
> mobile devices and the developer of the desktop app and the developer 
> of the mobile app are different, and they have not coordinated in any 
> way on how to share and use passkeys.
>
> KeepassXC supports passkeys on Windows, Linux and Mac. The information 
> stored in the database however does not coordinate with Android or 
> Apple mobile devices. Unlike with BitWarden which develops the desktop 
> app and the mobile app, Keepass is too open right now.
>
> If you use Bitwarden on your PC and on your phone, you can use 
> passkeys and have them all stored inside your Bitwarden database 
> rather than randomly stored in different places on different devices. 
> Microsoft stores passkeys one way and Google does it another way. 
> Right now, the best way to collect all of your passkeys in one place 
> so they can be easily managed is in a password manager that supports 
> passkeys across all hardware devices. Bitwarden is an example of one 
> company that provides passkeys across Android, Apple, Windows, Mac, 
> and Linux.
>
> Google is trying to make it easy to use passkeys across Windows and 
> Android by having you store all of your password information in their 
> browser password manager, which many people don't want to do.
>
> The passkey rollout, I thought, was going to be clean, but it is not 
> turning out to be that way. The password manager that I use on my 
> phone is coded by only one person, and that makes it very difficult 
> for his customers to count on him to be able to implement passkeys 
> with other open source developers that have no connection to him.
>
>
> Drew
>
> On 10/17/2024 1:13 AM, Rich Moffitt wrote:
> Minor point, but something to keep in mind: you're not so much 
> deleting the passkeys from the lost device as you are invalidating the 
> keys stored on that device for use on a particular service. This also 
> means that if you have passkeys for 5 different web sites on a single 
> device, you may have to invalidate the passkeys on each of the 5 sites 
> independently (unless they all use the same authentication service).
>
>
> On Wed, Oct 16, 2024, 10:04 PM Drew King via LCTG <lctg at lists.toku.us> wrote:
>
>     All,
>
>     Additional info regarding Passkeys:
>
>     This is an article that covers a lot of information and answers a
>     lot of questions about passkeys. One question that was asked this
>     morning at the meeting was what happens if you lose your device
>     that you installed a passkey on. If somebody has your device and
>     they can log into it or unlock it then they have your passkeys.
>     This article covers how to log into your Google account from a
>     computer and delete passkeys that are on your lost or stolen device.
>
>     https://support.google.com/accounts/answer/13548313?hl=en&sjid=13375659196123546943-NA
>
>
>
>     -- 
>     Drew King
>
>
>
>     ===============================================
>     ::The Lexington Computer and Technology Group Mailing List::
>     Reply goes to sender only; Reply All to send to list.
>     Send to the list: LCTG at lists.toku.us <mailto:LCTG at lists.toku.us>  
>       Message archives: http://lists.toku.us/pipermail/lctg-toku.us/
>     <http://lists.toku.us/pipermail/lctg-toku.us/>
>     To subscribe: email lctg-subscribe at toku.us
>     <mailto:lctg-subscribe at toku.us> To unsubscribe: email
>     lctg-unsubscribe at toku.us <mailto:lctg-unsubscribe at toku.us>
>     Future and Past meeting information: http://LCTG.toku.us
>     <http://LCTG.toku.us>
>     List information: http://lists.toku.us/listinfo.cgi/lctg-toku.us
>     <http://lists.toku.us/listinfo.cgi/lctg-toku.us>
>     This message was sent to rich at richmoffitt.org
>     <mailto:rich at richmoffitt.org>.
>     Set your list options:
>     http://lists.toku.us/options.cgi/lctg-toku.us/rich@richmoffitt.org
>     <http://lists.toku.us/options.cgi/lctg-toku.us/rich@richmoffitt.org>
>
> -- 
> Drew King
>
>
> -- 
> Drew King
>
>
>