Post AVHjDS0cPrRx75Q1Gy by _dm@infosec.exchange
Post #AVHfbokb7DIImKHwrA by lauren@mastodon.laurenweinstein.org
2023-05-03T16:53:53Z
0 likes, 0 repeats
**** The Google passkeys threat model ****

So let's pull this together. Google says:

"When you create a passkey on a device, anyone with access to that device and the ability to unlock it, can sign in to your Google Account."

They then suggest keeping physical control of your devices is easier than watching for phishing attempts.

The reality is that every day many phones are stolen and successfully unlocked (or are already unlocked when stolen) by thieves. We've seen the reports lately of iPhone users being totally locked out of their Apple accounts when thieves reset security keys -- and Apple can't help.

But whether Android or iPhone, the bottom line is that as I understand this, stolen unlocked phones using passkeys for account security give the thieves complete access to those accounts, until such a time as the rightful owner manages to revoke them -- which could be hours in many situations out in public, far too late.

To me, this is putting too much faith in the physical security of the devices, when we KNOW that every day many are stolen, unlocked, and abused. Having passkeys in such situations could make even more accounts instantly vulnerable, given that the passkeys wouldn't need additional authentication to be used by the thief in these scenarios.
Post #AVHfvOJd6r3maF0YMq by HistoPol@mastodon.social
2023-05-03T16:57:23Z
0 likes, 0 repeats
@lauren 👍
Post #AVHgbUKF9gMpNxMtgO by yaygya@c.im
2023-05-03T17:04:26Z
0 likes, 1 repeats
@lauren This reliance on physical device security also ignores the fact that there are tons of people in situations where they don't have exclusive physical control over their devices, i.e. people in an abusive relationship or living with overly controlling family members.
Post #AVHh1QdJVR4DSkepea by stevenray@sfba.social
2023-05-03T17:09:24Z
0 likes, 0 repeats
@lauren so they’re saying that passkeys trump 2FA? Don’t all of the newer iPhones have facial recognition? Why isn’t that part of the solution?
Post #AVHh3FOKH1DlAzVxTs by wonkothesane@mstdn.social
2023-05-03T17:10:04Z
0 likes, 0 repeats
@lauren Yea, I don’t see the advantage to passkeys over yubikeys in terms of security and will probably continue to use those so long as I can
Post #AVHh7HMsrkc4SulKwS by _dm@infosec.exchange
2023-05-03T17:10:28Z
0 likes, 0 repeats
@lauren Again, just to be clear, it's insufficient to steal an already unlocked phone. You can try this yourself: user verification (i.e., the screen lock, biometric unlock, etc.) is required to sign into google.com with a passkey.
Post #AVHhE9Pmpm3ZpHOfbs by lauren@mastodon.laurenweinstein.org
2023-05-03T17:11:30Z
0 likes, 0 repeats
@stevenray Not everyone chooses to use biometric authentication, for a variety of reasons. And yes, passkeys apparently bypass passwords and 2FA on associated accounts.
Post #AVHhHa0ePdVlB0H6VE by _dm@infosec.exchange
2023-05-03T17:11:06Z
0 likes, 0 repeats
@lauren The quote you included says exactly this: "When you create a passkey on a device, anyone with access to that device and the ability to unlock it, can sign in to your Google Account."
Post #AVHhHaaoFCR0z9ByrY by lauren@mastodon.laurenweinstein.org
2023-05-03T17:12:38Z
0 likes, 0 repeats
@_dm And as I noted in another message, many phones are stolen every day and unlocked by thieves who spied the associated (non-biometric) unlock.
Post #AVHhqwPb73ukn8nyiG by _dm@infosec.exchange
2023-05-03T17:18:57Z
0 likes, 0 repeats
@lauren I agree, but that's different than "phones that are stolen unlocked." The threat here is basically the same as if you use a password manager. If you wouldn't trust your phone with a password manager, you should not trust it with passkeys.
Post #AVHiWeEL6NSsZ5QVBw by lauren@mastodon.laurenweinstein.org
2023-05-03T17:26:35Z
0 likes, 0 repeats
@_dm Password managers generally don't have the PR push and adoption pressure that passkeys will with Google.
Post #AVHigcebojgOZWTCwC by Retreival9096@tech.lgbt
2023-05-03T17:26:30Z
0 likes, 0 repeats
@_dm @lauren My password manager has its own password -- so if someone steals and unlocks my phone, I'm better off than with a passkey. I don't see a good way to have strong encryption of my passwords without that.
Post #AVHigdHxSR9sXYsdGq by lauren@mastodon.laurenweinstein.org
2023-05-03T17:28:23Z
0 likes, 0 repeats
@Retreival9096 @_dm That is the obvious point. If someone spies the phone password and steals the phone -- happens every day to many people -- they would not be able to use those passkeys if those had an authentication mechanism *separate* from the phone lock.
Post #AVHjDS0cPrRx75Q1Gy by _dm@infosec.exchange
2023-05-03T17:34:13Z
0 likes, 0 repeats
@lauren So your complaint is that password managers make users insecure, but most users don't use them? 🤷
Post #AVHjRtNxQauc4eDnPM by dfrancis@mstdn.social
2023-05-03T17:36:52Z
0 likes, 0 repeats
@lauren This sounds like passwords only with different steps. :p
Post #AVHjTs3JM4TuWEVXns by _dm@infosec.exchange
2023-05-03T17:35:33Z
0 likes, 0 repeats
@lauren To be clear, I think it's really important that users have a choice here. Nobody is forced to use passkeys, and for some users, they are not the right option. I do think for the vast majority of users, password managers--or passkeys--make users safer, and I think that's a strongly held consensus among most of us working in the field.

But, ultimately, informed choice is really important.
Post #AVHjTsiQtBNIZlkNto by lauren@mastodon.laurenweinstein.org
2023-05-03T17:37:14Z
0 likes, 0 repeats
@_dm Again, as I noted originally, I wrote of the desirability of killing off passwords years ago. But the key word in your post above is INFORMED. And that's the rub.
Post #AVHpNdiWL8io2vC9tQ by feld@bikeshed.party
2023-05-03T18:43:21.095160Z
0 likes, 0 repeats
you can probably hide a yubikey in your bum
Post #AVHpdwlJIafhkLHA6S by lauren@mastodon.laurenweinstein.org
2023-05-03T18:46:20Z
0 likes, 0 repeats
@feld @yaygya That's probably overdoing it, unless one is into that sort of thing.
Post #AVHpnn1iLkFERrdsMS by feld@bikeshed.party
2023-05-03T18:48:17.194754Z
0 likes, 0 repeats
it may be required if you're in a dangerous situation at home. But at least that's one passkey they can't get by taking your computer or phone.
Post #AVHpxOOIncqqwDmofw by lauren@mastodon.laurenweinstein.org
2023-05-03T18:49:51Z
0 likes, 0 repeats
@feld @yaygya True.
Post #AVHrI2lWUu17u43iG8 by hanscees@social.sargasso.nl
2023-05-03T19:04:40Z
0 likes, 0 repeats
@lauren They not only need the device, but also your pincode or biometric features. Safe enough imho.
Post #AVHrvJUMFs7Z3xkt4C by lauren@mastodon.laurenweinstein.org
2023-05-03T19:11:51Z
0 likes, 0 repeats
@hanscees In the news lately, a massive rash of stolen phones where the PIN or simple password has been spied, the phone stolen, and users locked out of their account permanently. Massive problem, especially with Apple, who refuses to help.
Post #AVHsqNtAZGBZDSZewC by hanscees@social.sargasso.nl
2023-05-03T19:22:09Z
0 likes, 0 repeats
@lauren you should use fingerprint. But anyway every control can be hacked and passkey, if used wisely, is pretty good. It's not perfect.
Post #AVHtePZaa1g2v1Gp5E by lauren@mastodon.laurenweinstein.org
2023-05-03T19:31:13Z
0 likes, 0 repeats
@hanscees Not all devices have fingerprint capability (only one of my many devices does). Many people choose not to use biometric authentication when available, for a variety of reasons, including legit legal concerns in some cases.
Post #AVHuQbHULwcF89mYi0 by mackaj@mastodon.me.uk
2023-05-03T19:39:53Z
0 likes, 0 repeats
@lauren I thought that passkeys still had to be biometrically authenticated before use, even on an open phone. Makes no sense otherwise.
Post #AVHvAw1BaLf4lZFbfc by lauren@mastodon.laurenweinstein.org
2023-05-03T19:48:18Z
0 likes, 0 repeats
@mackaj I have not seen anything to indicate that (for Google at least) biometric authentication is required. They specifically list fingerprints, face scans, AND screen locks. They have said that anyone who can unlock your phone can use the passkeys, they did not specify biometric unlock. Obviously many users cannot or will not use biometric authentication on their particular devices, telling them they cannot use passkeys would seem impractical.
Post #AVHvMgDm8yITFQjwMi by lauren@mastodon.laurenweinstein.org
2023-05-03T19:50:08Z
0 likes, 0 repeats
@mackaj In fact, here it is explicit that biometrics are not required: "When you add a passkey to your Google Account, we will start asking for it when you sign in or perform sensitive actions on your account. The passkey itself is stored on your local computer or mobile device, which will ask for your screen lock biometrics or PIN to confirm it's really you."
Post #AVHvc7rvdI33L5t1Jg by lauren@mastodon.laurenweinstein.org
2023-05-03T19:53:15Z
0 likes, 0 repeats
@mackaj And: "In fact, if you sign in on a device shared with others, you should not create a passkey there. When you create a passkey on a device, anyone with access to that device and the ability to unlock it, can sign in to your Google Account."
Post #AVHvzYhu0yNLElN1uq by mackaj@mastodon.me.uk
2023-05-03T19:57:23Z
0 likes, 0 repeats
@lauren I won't be recommending this to anyone who just uses a PIN then, that's just all kinds of stupid. PINs are not secure. Don't use them myself.
Post #AVHxNcrIKaRj16nsNU by lauren@mastodon.laurenweinstein.org
2023-05-03T20:12:57Z
0 likes, 0 repeats
@mackaj I believe you'll find that PIN use is very very high.
Post #AVHxn8YBdf9sXy1xEO by lauren@mastodon.laurenweinstein.org
2023-05-03T20:17:38Z
0 likes, 0 repeats
@mackaj I should add that even on my very recent phone with fingerprint capability, it's very hit or miss, especially when not sitting on a flat surface. No wonder so many people revert to PINs, etc. even if they've tried biometrics. Face stuff never worked for me in my tests.
Post #AVHyr9OoWaeMIA7lNA by mackaj@mastodon.me.uk
2023-05-03T20:29:30Z
0 likes, 0 repeats
@lauren You should show this to people. If it doesn't scare them off using a PIN I don't know what will. PINs can be brute forced in a day!
https://youtube.com/shorts/iatS86r1Hnk?feature=share
Post #AVHzrol8qfuQWRRx32 by alpinefolk@sunbeam.city
2023-05-03T20:40:38Z
0 likes, 0 repeats
@lauren @mackaj nope. You can’t convince me to use biometrics to unlock my phone.

Forcing you to unlock your phone with biometric data is too easy
https://www.wired.com/story/police-unlock-iphone-face-id-legal-rights/
Post #AVI0KQzKJBKrC9jKS0 by lauren@mastodon.laurenweinstein.org
2023-05-03T20:46:02Z
0 likes, 0 repeats
@alpinefolk @mackaj True.
Post #AVI0WvUGjtz3GG9y8e by lauren@mastodon.laurenweinstein.org
2023-05-03T20:48:20Z
0 likes, 0 repeats
@mackaj Good luck. Most people won't change, because they figure the bad stuff "will never happen to them." Similar battle as 2FA.
Post #AVI0n5W1DqkozqgVyi by mackaj@mastodon.me.uk
2023-05-03T20:51:10Z
0 likes, 0 repeats
@lauren I don't have to convince most people. Just those who are close to me and that I care about. I can do that, and already have.
Post #AVI1Q0DgqSr5rlfRuy by lauren@mastodon.laurenweinstein.org
2023-05-03T20:58:16Z
0 likes, 0 repeats
@mackaj I've been working on this for many years. One problem is that even for those I've convinced to use 2FA (for example), when I check back later it turns out many have turned it off. Painfully, I know high level computer professionals who refuse to turn on 2FA, on the assumption that they use good passwords and don't share them, etc.
Post #AVI1ZGsIIAOa7v4ytk by mackaj@mastodon.me.uk
2023-05-03T20:49:11Z
0 likes, 0 repeats
@alpinefolk Fine. Then use a proper password, even a short one is better than a PIN. @lauren
Post #AVI1ZHVHxBaU4rK7g8 by alpinefolk@sunbeam.city
2023-05-03T20:51:42Z
0 likes, 0 repeats
@mackaj @lauren yes I agree with this
Post #AVI1ZIA3VcCI7IOgDo by lauren@mastodon.laurenweinstein.org
2023-05-03T20:59:55Z
0 likes, 0 repeats
@alpinefolk @mackaj I've pushed this idea, but often the response is that the keyboards are just too small even for entering a few letters without error. And on some phones this is definitely true, especially with eyesight that isn't perfect -- or if you have big fingers. Or both.
Post #AVI2AVw1GILJY7a3m4 by infiniterecursion@nerdculture.de
2023-05-03T21:06:37Z
0 likes, 0 repeats
@lauren @mackaj I think the hurdle with MFA is that even the simplest solutions still require a lot of technical understanding.

Like, using several yubikeys (storing some in a secure location and carrying one), copying the secret, copying the backup keys (on a piece of paper; storing it such that it can be found again). Not all services allow for keys, hence auth apps are needed. ...
Post #AVI2MgAd222glmDNE8 by lauren@mastodon.laurenweinstein.org
2023-05-03T21:08:52Z
0 likes, 0 repeats
@infiniterecursion @mackaj It's all a moving target of course. Meanwhile, phishing attacks pour OUT from Gmail in a seemingly continuous stream directed at non-Gmail users.
Post #AVI5bTXmYiXbobn9Ae by smallsco@oldbytes.space
2023-05-03T21:45:00Z
0 likes, 0 repeats
@lauren What do you think about using a password manager such as 1Password to store the passkeys, as opposed to the device itself?

That way, even if the device is unlocked while stolen, the thief would still need to unlock the password manager.

It does add a small amount of additional friction to the sign-in process, but only if you aren’t already using a password manager. And as a bonus you don’t need to generate separate passkeys for each device.
Post #AVI5lsoPT25b4xX28W by lauren@mastodon.laurenweinstein.org
2023-05-03T21:47:03Z
0 likes, 0 repeats
@smallsco I choose not to use any third-party password managers, other than the one integral to Chrome, and that in "encrypted local password" mode (that is, the passwords are not stored in the clear at Google and Google does not have the key).
Post #AVI5pc7BUNMaS55myG by lauren@mastodon.laurenweinstein.org
2023-05-03T21:47:43Z
0 likes, 0 repeats
@smallsco The passkey model is (AFAIK) completely independent from passwords per se, by the way.
Post #AVI6JzR9LJBBTHup17 by smallsco@oldbytes.space
2023-05-03T21:52:36Z
0 likes, 0 repeats
@lauren Agree, perhaps “password manager” is an outdated term if it can store passkeys as well. But that’s what I’m used to calling them.

I’m thinking about a world in the future where passkeys have eliminated passwords entirely, how do we get around the issue of device theft that you brought up? The password manager feels like a good solution to that. It could be something in the cloud like 1password, or something entirely on-device, but in either case it provides another layer of security with protection in this scenario, as I understand it.
Post #AVIGRG5YpTGIgVvEI4 by Vrimj@mastodon.sandwich.net
2023-05-03T23:46:32Z
0 likes, 0 repeats
@lauren This is why I want a physical key that I can wear like a ring or watch strap that is not my phone and attached to my body.
Post #AVIMvYnwPMrV8wVrHc by olisuritz@mastodon.social
2023-05-04T00:59:09Z
0 likes, 0 repeats
@lauren how’s this situation any different than if your phone is stolen and the thief has your passcode to access all your iCloud passwords with 2FA or iCloud passwords and Google Authenticator for 2FA?
Post #AVIWObuootp8mEemfo by lauren@mastodon.laurenweinstein.org
2023-05-04T02:45:21Z
0 likes, 0 repeats
@olisuritz Authenticator is 2FA of course. But passkeys bypass both 2FA *and* passwords. And typically, those passwords are not the same as a phone PIN!
Post #AVIZ2WViXBQDVQ4k1g by olisuritz@mastodon.social
2023-05-04T03:14:55Z
0 likes, 0 repeats
@lauren on an iPhone, all you need to access the iCloud-stored passwords is the PIN code.
Post #AVIbfYQvWFaQffZdtw by jaanus@mastodon.justtact.com
2023-05-04T03:44:17Z
0 likes, 0 repeats
@lauren @rmondello hi Ricky - any thoughts on the thread? Check it out, interesting discussion on passkeys threat model.

I thought of it as a security-conscious user. I’ve been securing some of my accounts with hardware security keys lately. Added to Apple account, works fine.

What I would like to do is to say, “for these high-stakes accounts, periodically/always require a security key to use the passkey.” Or the account provider could enforce this.
Post #AVIbhLR6oSgcwNVr60 by lauren@mastodon.laurenweinstein.org
2023-05-04T03:44:26Z
0 likes, 0 repeats
@olisuritz I don't do Apple.
Post #AVJ22yGsDbH2H4hLWa by _dm@infosec.exchange
2023-05-04T08:39:46Z
0 likes, 0 repeats
@lauren @Retreival9096 Sure. This is an implementation choice. Other implementations, like 1Password's, will presumably support secondary knowledge factors, just like they do for passwords. The nice thing about open standards like Passkeys is that they enable user choice.
Post #AVJeji681Sgkp9TkZ6 by lauren@mastodon.laurenweinstein.org
2023-05-04T15:53:25Z
0 likes, 0 repeats
@_dm @Retreival9096 My point is that Google's implementation is weak in this regard. Considering how much damage abuse of passkeys could do to users, I feel that Google has tried to make this TOO simple at the risk of users' security.
Post #AVJi9MioQ8Ujv2UveS by _dm@infosec.exchange
2023-05-04T16:31:34Z
0 likes, 0 repeats
@lauren @Retreival9096 Sure. You're entitled to think that. That's what's great about user choice. Your threat model is not everyone's threat model.
Post #AVKme1dJTJ78SulERs by skarra@infosec.exchange
2023-05-05T04:56:34Z
0 likes, 0 repeats
@lauren Thank you for thinking and writing about the threat models. While you think through these and related issues, please do also think about what roles Google and Apple play in the passkeys implementation today, and what role a 1Password could play in the future, and whether that future "1Password implementation" is of the same nature as the current "Google implementation". Hint: they aren't.

You rightly point out "many people" get their phones stolen daily. You could also consider how many people get phished or have their passwords compromised in other ways.

I would also point out that setting up recovery phone and recovery email on your Google account provides some chance of recovering your account even if a thief changed your account credentials. You could research that as well.

There are many concepts to think through here for someone who is interested! Most users don't care to think through all this and expect security by default.
Post #AVLbnavghn4oCgfxeC by lauren@mastodon.laurenweinstein.org
2023-05-05T14:27:54Z
0 likes, 0 repeats
@skarra You can rest assured that I've thought all of this through in significant detail. I've been working on these issues since the first ARPANET site at UCLA -- literally the first site on the Internet -- and have worked inside Google twice. I am intimately familiar with the statistics regarding phishing, etc., the parameters of security capabilities at Google and elsewhere, and the ways in which ordinary users do (or more often do not) use those facilities to protect themselves, including being involved in many Google account recovery situations for users. Thanks for your comments.
Post #AVTyK3JExghOJMXjii by cazabon@mindly.social
2023-05-09T15:19:54Z
0 likes, 0 repeats
@lauren Ars Technica has an introduction to passkeys today.

AIUI, it's just public-key authentication by another name. Then it should be as secure as you are able to keep the private key, well, private. The biggest risk is in sync tools, which would need to share the private-key half of the passkey amongst multiple machines.

But it's not needed; you can have a different keypair for every device, the cost being a bit of storage for the provider. Then you can revoke any device individually...
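Added example (not from any post in this thread, and not Google's or 1Password's code): a Go model of the WebAuthn-style exchange the thread keeps circling, covering both _dm's point that the relying party requires user verification before a passkey signs in and cazabon's point that each device holds its own keypair and can be revoked on its own. Everything in it is constructed: the relying-party ID accounts.example.com, the challenge bytes, a simplified stand-in for clientDataJSON, and a `userVerified` argument that stands in for the device's screen-lock check (a real authenticator refuses to sign without it when the RP asks for UV; the flag is caller-controlled here only so the RP-side rejection can be exercised). It goes slightly beyond the thread by also checking the signature counter, which is how an RP notices a replayed assertion or a cloned key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// WebAuthn authenticator-data flag bits: user present, user verified (screen lock/PIN/biometric satisfied).
const flagUP, flagUV byte = 0x01, 0x04

// ClientData is a simplified, constructed stand-in for clientDataJSON; it binds challenge and origin into the signed message.
func ClientData(rpID string, challenge []byte) []byte {
	return []byte(fmt.Sprintf(`{"type":"webauthn.get","challenge":"%x","origin":"https://%s"}`, challenge, rpID))
}

// Authenticator models one device holding its own per-device passkey; the private key never leaves it.
type Authenticator struct {
	CredID  string
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator(credID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{CredID: credID, priv: priv}, err
}

// Assertion is the authenticator's answer to a sign-in challenge.
type Assertion struct {
	CredID     string
	ClientData []byte
	AuthData   []byte // rpIdHash(32) || flags(1) || signCount(4)
	Sig        []byte // ASN.1 ECDSA (ES256) over AuthData || SHA-256(ClientData)
}

// signedDigest is what both sides hash before signing or verifying.
func signedDigest(authData, clientData []byte) []byte {
	cdHash := sha256.Sum256(clientData)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Sign produces an assertion. A real authenticator refuses to sign without user verification
// when the RP demands it; here the caller sets userVerified so the RP-side check can be exercised.
func (a *Authenticator) Sign(rpID string, clientData []byte, userVerified bool) (*Assertion, error) {
	a.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	flags := flagUP
	if userVerified {
		flags |= flagUV
	}
	authData := make([]byte, 37)
	copy(authData, rpHash[:])
	authData[32] = flags
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, clientData))
	return &Assertion{CredID: a.CredID, ClientData: clientData, AuthData: authData, Sig: sig}, err
}

// RelyingParty keeps one public key and sign counter per registered device,
// so a single device can be revoked without touching the others.
type RelyingParty struct {
	ID        string
	pubs      map[string]*ecdsa.PublicKey
	signCount map[string]uint32
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubs: map[string]*ecdsa.PublicKey{}, signCount: map[string]uint32{}}
}
func (rp *RelyingParty) Register(a *Authenticator) { rp.pubs[a.CredID] = &a.priv.PublicKey }
func (rp *RelyingParty) Revoke(credID string)      { delete(rp.pubs, credID) }

// Verify runs the RP-side checks in order: known credential, challenge/origin bound,
// RP ID hash, UV flag present, sign counter advanced, valid signature.
func (rp *RelyingParty) Verify(challenge []byte, as *Assertion) error {
	pub, ok := rp.pubs[as.CredID]
	rpHash := sha256.Sum256([]byte(rp.ID))
	var count uint32
	if len(as.AuthData) == 37 {
		count = binary.BigEndian.Uint32(as.AuthData[33:])
	}
	switch {
	case !ok:
		return errors.New("unknown or revoked credential")
	case !bytes.Equal(as.ClientData, ClientData(rp.ID, challenge)):
		return errors.New("client data does not match the issued challenge/origin")
	case len(as.AuthData) != 37 || !bytes.Equal(as.AuthData[:32], rpHash[:]):
		return errors.New("malformed authenticator data or RP ID mismatch")
	case as.AuthData[32]&flagUV == 0:
		return errors.New("user verification required but UV flag not set")
	case count <= rp.signCount[as.CredID]:
		return errors.New("sign counter did not advance (replay or cloned key)")
	case !ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientData), as.Sig):
		return errors.New("bad signature")
	}
	rp.signCount[as.CredID] = count
	return nil
}

func main() {
	rp := NewRelyingParty("accounts.example.com") // constructed RP ID
	phone, _ := NewAuthenticator("phone-1")
	rp.Register(phone)
	challenge := []byte("constructed-challenge")
	for _, uv := range []bool{false, true} {
		as, _ := phone.Sign(rp.ID, ClientData(rp.ID, challenge), uv)
		fmt.Println("userVerified =", uv, "->", rp.Verify(challenge, as))
	}
}
```

`go run` prints the rejection for the assertion signed without user verification and `<nil>` for the verified one. Note what the model makes explicit about the disagreement above: the UV check is satisfied by whatever unlocks the device, so a thief who has spied the PIN passes it; a separate secret in front of the key (the password-manager design smallsco and _dm mention) is an authenticator-side choice, not something the relying party can see in the assertion. Revocation, by contrast, is entirely on the relying-party side and is per credential, so removing a stolen phone's key leaves the laptop's working.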
Post #AVU1NY897rsIdGiH68 by lauren@mastodon.laurenweinstein.org
2023-05-09T15:54:18Z
0 likes, 0 repeats
@cazabon The problem is Google's specific implementation, which permits the keys to be used by anyone who can unlock the phone, even when it has a weak lock that can be easily spied or cracked.
Post #AVU9B35TW6XyVp0vHk by lauren@mastodon.laurenweinstein.org
2023-05-09T17:21:42Z
0 likes, 0 repeats
@cazabon And this is why I like FIDO keys. They are normally physically SEPARATE from the phones. Compromise of (typically weak) phone locks does not compromise the private keys!
Post #AVUQrO5jVq7X2SuQCm by cazabon@mindly.social
2023-05-09T20:39:38Z
0 likes, 0 repeats
@lauren Indeed. If I had a cellphone, I wouldn't assume much about its security (or lack thereof) and wouldn't put anything important on it, much less the "keys to the (personal information) kingdom".

Looking forward to your article/essay on Google's passkeys.
Post #AVbdCHI2YRAfa973OC by Silv@fosstodon.org
2023-05-13T08:01:02Z
0 likes, 0 repeats
@lauren Passkeys are great as a 2FA method, but are a terrible idea for single-sign-on. Yeah, no thanks Google.