Post AVHesGeF3qErypazse by _dm@infosec.exchange
 (DIR) Post #AVHcJXBFP0hDD7LNui by lauren@mastodon.laurenweinstein.org
       2023-05-03T16:16:57Z
       
       0 likes, 0 repeats
       
**** More on Google passkeys ****

Just to add since I'm getting more questions. Yes, there has been a rash of people getting locked out of their phones when they're stolen in an unlocked state (or someone spies a PIN, then steals the phone), in various public places. A phone with a passkey would apparently give the person stealing the phone full access to the associated Google accounts, since passkeys BYPASS passwords AND 2-factor. Google briefly mentions the prospect of the wrong party getting access to devices, but glosses over it. -L
       
 (DIR) Post #AVHclQJsVJwQ2ZgBua by i_understand@mastodon.social
       2023-05-03T16:21:57Z
       
       0 likes, 0 repeats
       
       @lauren In FIDO passkeys being used as passwordless authentication generally have a PIN.
       
 (DIR) Post #AVHd4RRQYdWN1PHMrg by lauren@mastodon.laurenweinstein.org
       2023-05-03T16:25:27Z
       
       0 likes, 0 repeats
       
       @i_understand That's only because the associated devices don't always have dependable screen locks (e.g. desktops). Though I noticed that you can't create a passkey at all under Ubuntu in my testing, even with FIDO keys. But for most (portable) devices, the passkey model appears to be depending on the devices' own locks. If someone gets hold of an unlocked device, it looks like game over if they move fast. And that happens a lot in public places.
       
 (DIR) Post #AVHdf6rw0aIjvqA8Fk by _dm@infosec.exchange
       2023-05-03T16:31:54Z
       
       0 likes, 0 repeats
       
       @lauren @i_understand Hmm, isn't it the RP's choice if they want to require user verification, which would then prompt the user for a screenlock even if the screen is already unlocked?
       
 (DIR) Post #AVHdjNEP7D8fpyhnvc by i_understand@mastodon.social
       2023-05-03T16:32:48Z
       
       0 likes, 0 repeats
       
@lauren I believe the PIN is there to provide a 2nd factor. What you have is the passkey, what you know is the PIN. I personally wouldn't use a "passwordless" solution for authentication without a PIN on an account I consider critical. Also, left still largely undiscussed is the difference between authenticating and unlocking.
       
 (DIR) Post #AVHdtY6lWwxST0z77w by lauren@mastodon.laurenweinstein.org
       2023-05-03T16:34:40Z
       
       0 likes, 0 repeats
       
       @i_understand My understanding is that anyone past the DEVICE lock (e.g. phone PIN), doesn't need more to use the passkeys. Stolen unlocked phone means full access. Google even says this, but tries to play it down.
       
 (DIR) Post #AVHeCFEHwedJPyPzGK by i_understand@mastodon.social
       2023-05-03T16:38:01Z
       
       0 likes, 0 repeats
       
@lauren Well, what they say is: "Passkeys are a simple and secure alternative to passwords. With a passkey, you can sign in to your Google Account with your fingerprint, face scan, or device screen lock, like a PIN." So they're claiming the phone unlock as the 2nd factor for authentication. Should google want to re-authenticate, will they lock the screen first? I don't know.
       
 (DIR) Post #AVHeHBGK7e54Ytivuy by lauren@mastodon.laurenweinstein.org
       2023-05-03T16:38:57Z
       
       0 likes, 0 repeats
       
       @_dm @i_understand Google says: "When you create a passkey on a device, anyone with access to that device and the ability to unlock it, can sign in to your Google Account."
       
 (DIR) Post #AVHegjfFLzCaUtZCgC by i_understand@mastodon.social
       2023-05-03T16:43:32Z
       
       0 likes, 0 repeats
       
@lauren for full disclosure, I use a hardware key to secure my google account. I intend to stick with that for now.
       
 (DIR) Post #AVHesGeF3qErypazse by _dm@infosec.exchange
       2023-05-03T16:45:38Z
       
       0 likes, 0 repeats
       
       @lauren @i_understand Indeed, ability to unlock = uv. My point was only that if someone steals your already-unlocked phone they cannot pass the uv. FWIW, specific to the Google account, if you are signed in on your phone and someone has your phone and screen lock, they can access your account. Because it's signed in on your phone. But there are certainly scenarios where Passkeys may not be right for you. E.g. if you never sign into banking apps on your phone, you also may not want to use Passkeys for those banks. For most users, Passkeys are more secure than passwords, but certainly not for everyone all the time.
       
 (DIR) Post #AVHmOSlkEKUWWDP7SK by samalone@twit.social
       2023-05-03T18:09:51Z
       
       0 likes, 0 repeats
       
@lauren Have you actually tested this? The Passkey specification lets the service (Google) specify that biometrics should always be required to activate the Passkey. If Google is using this flag, I don't think that Passkeys would increase your security risk.
       
 (DIR) Post #AVHmdF6fJFUsUMElEm by lauren@mastodon.laurenweinstein.org
       2023-05-03T18:12:36Z
       
       0 likes, 0 repeats
       
       @samalone This seems unlikely. First, G appears to list "screen lock" separately from face and fingerprints. Second, *requiring* people to use biometric phone locks for this would trigger a firestorm of protests -- many people choose not to use biometrics for a range of reasons (including legal concerns), even assuming that their devices are so equipped.
       
 (DIR) Post #AVHmmgXUgVYQAyHwm0 by lauren@mastodon.laurenweinstein.org
       2023-05-03T18:14:16Z
       
       0 likes, 0 repeats
       
       @samalone In a corp environment you could probably do this. In the Google overall user population this would seem impractical. It would be viewed as trying to coerce people to use biometrics, a very sensitive subject.
       
 (DIR) Post #AVIWCpQ4mnTnBUevPE by i_understand@mastodon.social
       2023-05-04T02:22:30Z
       
       0 likes, 0 repeats
       
       @samalone @lauren Google specifically mentions PIN.
       
 (DIR) Post #AVIWCq4qLE5bDvjTwu by lauren@mastodon.laurenweinstein.org
       2023-05-04T02:43:07Z
       
       0 likes, 0 repeats
       
       @i_understand @samalone And phone unlock pins are the most common vector for stolen phones.
       
 (DIR) Post #AVIWej9veiUzsOPSQC by lauren@mastodon.laurenweinstein.org
       2023-05-04T02:48:16Z
       
       0 likes, 0 repeats
       
       @i_understand @samalone Typically, these phones are stolen by thieves who have already learned the PIN, or can easily crack typical simple ones.