this post was submitted on 21 Sep 2023
150 points (100.0% liked)

Technology

59440 readers
3634 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Summary

GitHub has officially launched its passkeys security feature into general availability, following a two-month beta testing period. Passkeys enable cloud-synced authentication using cryptographic key pairs, allowing users to sign in to websites and apps with their screen-lock PIN, biometrics, or a physical security key. This technology combines the security benefits of passwords and two-factor authentication (2FA) into a single step, simplifying secure access to online services. GitHub's move aligns with industry efforts, including collaborations between major tech companies like Google, Apple, Microsoft, and the FIDO Alliance, to make passwordless logins a reality across devices, browsers, and operating systems. Passkeys are seen as a significant step in enhancing security in the software supply chain, a vital aspect of the cybersecurity landscape.

top 25 comments
sorted by: hot top controversial new old
[–] Asudox@lemmy.world 17 points 1 year ago (2 children)

Cool and all but I won't use them if I can't store them offline locally on my device. I am not going to use Google's passkey storage system.

[–] Raisin8659@monyet.cc 4 points 1 year ago (1 children)

There are two types of passkey. Syncable and device-bound. (see https://fidoalliance.org/passkeys/). Theoretically, the device-bound passkeys never leave the device and users don't have any access to it except to use it for authentication. The syncable type will first and foremost be synced by the platforms themselves (Google, Microsoft, and Apple), but eventually the 3rd-party password managers will be allowed to be sync providers, but possibly only on newly-released OSes.

As far as I know, the passkey implementations currently on Android and Windows are device-bound; they are not synced to the cloud.

[–] Asudox@lemmy.world 1 points 1 year ago

Windows currently doesn't sync, but GMS Android does.

[–] TurboLag@lemmings.world 1 points 1 year ago (1 children)

I haven't used passkeys yet, but I would hope that you can have multiple keys per site, not just one. So, after going through some initial pain of setting up each individual device, it should be nice having local-only keys for each of them, which you could revoke at any time.

Password managers are also adding support for passkeys, so you should be able to sync them if you so wish.

[–] Asudox@lemmy.world 1 points 1 year ago

I would use a U2F physical key to secure the password manager as securing the passkeys with a password sounds dumb. Passkeys are here to replace passwords as a more secure alternative. What's the logic behind securing them behind the thing it is supposed to replace?

[–] suckmyspez@lemmy.world 11 points 1 year ago (3 children)
[–] Raisin8659@monyet.cc 6 points 1 year ago (1 children)

Firefox ESR 102.15 & windows 11 (Hello) seem to work fine.

[–] Asudox@lemmy.world 2 points 1 year ago (1 children)

Windows 11 was going to add native support for passkeys, is that what you're referring to, perhaps? Because not even the nightly builds of Firefox have passkey support yet.

[–] Raisin8659@monyet.cc 1 points 1 year ago (1 children)

It works for Google, Adobe, and Github for me, on Firefox; those are all the sites I use that support passkeys. It even works with Firefox on Android 13.

Do you have Windows hello enabled? You may want to investigate this more.

[–] Asudox@lemmy.world 1 points 1 year ago

Firefox on Android does have this functionality. Desktop doesn't yet.

[–] dinckelman@lemmy.world 2 points 1 year ago* (last edited 1 year ago) (1 children)

~~Out of all the platforms my password manager suggested, only PayPal refused to work on Firefox. I couldn't figure out the Microsoft sign-up though~~ Disregard, this is actually Paypal's fault

[–] ripcord@kbin.social 3 points 1 year ago

Weird, PayPal works fine for me too

[–] SirQuackTheDuck@lemmy.world 1 points 1 year ago

Firefox fully supports webauthn, so sites doing feature checks will be fine.

Sites doing User Agent checks can burn in hell

[–] steve228uk@lemmy.world 9 points 1 year ago (2 children)

I can’t believe Nintendo beat them 😅

[–] Raisin8659@monyet.cc 4 points 1 year ago

And Tiktok!

[–] Swarfega@lemm.ee 1 points 1 year ago (1 children)

Although from testing with Firefox on Android, Nintendo doesn't work for me. I can register a key but then when trying to login it tells me there are no keys stored on the device. I get the feeling the key is being stored somewhere in Firefox but the login is only looking on the device.

It works fine in Firefox in Windows though.

[–] vrighter@discuss.tchncs.de 2 points 1 year ago

doesn't work on firefox on linux either. Other sites work

[–] 601error@lemmy.ca 9 points 1 year ago (1 children)

Time to google ‘passkey’. This word seems to have appeared out of nowhere in the past six months or so with several of my tech services.

[–] Raisin8659@monyet.cc 10 points 1 year ago (1 children)
[–] 601error@lemmy.ca 2 points 1 year ago
[–] 4am@lemm.ee 6 points 1 year ago (1 children)

Is this webauthn? Or a custom protocol?

[–] Raisin8659@monyet.cc 6 points 1 year ago (1 children)

It is a FIDO alliance protocol. This is meant to replace/supplement password, not as 2FA. The sites I use that implement it, Google, Adobe, and Github use it to supplant both the password and 2FA. Cool thing about it is more less: 1) unphishable 2) doesn't matter if the website's passphrase data leaks.

[–] BlueBockser@programming.dev 3 points 1 year ago

Webauthn isn't just for 2FA, it's for user user authentication through public key cryptography. Passkeys are Webauthn, but the former is a better marketable term.

[–] autotldr@lemmings.world 3 points 1 year ago

This is the best summary I could come up with:


GitHub is formally launching its passkeys security feature into general availability, two months after first debuting it in beta.

Passkeys offer cloud-synced authentication using cryptographic key pairs, allowing users to sign in to websites and apps with the same screen-lock PIN or biometrics they use for their devices, or a physical security authentication key.

Way back in May last year, Google, Apple, GitHub’s parent Microsoft and the FIDO Alliance teamed up to make passwordless logins a reality across devices, browsers and operating systems, meaning that users won’t have to re-enroll multiple times.

And the companies have been gradually expanding passkey support in the intervening months, with Google introducing support for Google Accounts in May, while just today Microsoft revealed that Windows 11 will now enable users to manage their passkeys.

GitHub plays a pivotal role in the software supply chain, allowing millions of developers and companies to collaborate on open source and proprietary software development projects.

However, a spate of cybersecurity incidents have pushed the issue of software security to the forefront of political agendas around the world, including the Biden administration, which issued an executive order and published a cybersecurity strategy that called for large tech companies to ensure their systems are more robust.


The original article contains 257 words, the summary contains 205 words. Saved 20%. I'm a bot and I'm open source!

[–] CoffeeBot@lemmy.ca 2 points 1 year ago

Huh, I just enabled it last night hahaha