Microsoft won't let customers opt out of passkey push

Putting all your eggs

into one basket

Then Dropping it... (because of the non opt-out crap)

MS is working hard to piss all its customers off (so that the give MS the finger)

It is almost as if they have been studying the "Rise and Fall of Gerald Ratner".

That didn't end well for him.

"and it avoids the password reuse problem,"

reusing a password isn't a problem. Reusing passwords improperly is a problem. I'd never use my password here on El Reg at my bank, nor my email/web server/FTP, but I use it in a few other places. I do have a password generator/manager for things that require a very strong password, but I don't carry that around with me everywhere so it's much easier to remember a few passwords that I might need when I'm out and about.

That's not a problem with passkeys

It is a problem common to ALL authentication schemes. In order to avoid being totally user hostile, there has to be some "backup" method of authentication if you forget your password, lose access to your passkey, lose your hardware token, change your phone number (if you're using SMS based 2FA) and so on.

The typical reliance on "security questions" which are almost always far more easily guessable/learnable passwords leaves a gaping hole no matter how good your security is on the primary authentication method. The more pick-proof you make your front door, the more that thieves will decide it is easier to get in via the 2nd story window you've left unlocked to have a way in for when you lose your house key.

There are ways to move passkeys between devices, Apple can manage them via iCloud for example - but they are only copied between devices if the user has set the "advanced protection" mode for iCloud which encrypts everything with a user supplied encryption key. That's very secure, but then you have potential recovery issues for that user supplied key so you're just pushing the problem up one level. Apple has solutions for that too, but at some point every solution depends on the user taking some ownership in being able to recover their access if a device is lost/stolen, passwords/encryption keys are lost/forgotten, and so forth.

I'm not sure it is possible to create an authentication method that is both secure from remote exploit, and trivially recoverable for the typical non-technical end user without re-opening the door for remote exploit. The only exception is within a smaller security domain - like if you lose access to your university resources if they have a way you can go to a physical office and present your official ID they can get back your lost access without opening things up to remote attack. But in a general sense for an "internet user" I don't think it is possible to have both security against remote attack and ease of restoration if you lose access.

Re: One ring to rule them all.

Someone mention onion rings? No? Dammit.

Re: One ring to rule them all.

One device to lose and lock you out.

Re: Better security doesn't just stop the scammers

@Lost in Cyberspace - you saved me from typing a reply. So I'll just say "ditto". Microsoft and the other big companies just don't live in the RealWorld™. I've also seen all of the items you describe. It is not unusual.

Some how Microsoft assume that RealLife™ does not happen to people. Account loss now is way more extreme due to what is locked up inside it.

And the absolute worse part is that inability to talk to a human to prove the account has been stolen. I guess they don't have any cash left in the profits to pay people. (Or worse, the AI responses sending you in circles)

Instead just have to sit and watch the scammer have full run of everything.

Just a simple check like looking at the location where the new logins are coming from would be enough to prove the theft...

Re: Better security doesn't just stop the scammers

There are ways around that, but they require an informed and minimally technically competent end user. I'm sure Google and Microsoft both have a way to get back into your account if you've lost your access, but it would require some sort of action by the end user to prepare for that and will be its nature either be complex or leave gaping holes in security.

On my iPhone for instance I have a couple passkeys (not doing anything useful they were just creating because I wanted to know how it worked) but if I lose my iPhone and get another I'll get access to those passkeys. That's because they are getting backed up to iCloud - which for security critical stuff like passkeys only happens if you have set "advanced protection" mode for iCloud, which is not the default. That encrypts your iCloud backup with a key you provide - and puts the onus on you to do something about protecting your access to that key (that's why this mode is not the default)

Apple has two ways of getting back your access to your iCloud encryption key. There's a way you can create a "recovery key" which you can use to restore that access. The other option is you can set up "recovery contacts" which are trusted people who can provide that recovery key to you. I'm not sure of the exact details of how that process works, I saved a copy of that recovery key when I set it up in my safe. But I suppose if someone broke in and stole both my phone and my safe I'd be screwed - if I wanted to protect against that I'd have to store another copy of that recovery key elsewhere like a safe deposit box.

All this is to say that while it is possible to recover your lost access in a secure way, it is not something easy nor should we expect casual users to understand it at all. That's why advanced protection is not the default on the iPhone, but users may assume their passkeys are getting backed up in iCloud and be rudely surprised when they learn otherwise.

Re: Better security doesn't just stop the scammers

Indeed it does not.

It will only redirect them to other targets you own.

Re: Better security doesn't just stop the scammers

This has nothing to do with passkeys.

And in every example the reason has been the same: People think when they lose a phone or switch provider they need to get a new phone number???

If your phone is stolen, you ask your provider for a REPLACEMENT SIM instead of signing up for a brand new contract... Problem solved.

Re: Passkeys are a bad idea, or at least badly implemented

Welcome to hotel Microsoft. The default behaviour will be your MS account saving all your passkeys for all your apps/online services. Who's going to leave then?

Re: Passkeys are a bad idea, or at least badly implemented

Yes, it's very convenient for the machines where you have biometrics and only need access from that machine

There is no reason passkeys can't be transferred between the various pieces of hardware you own, so long as you "bless" them appropriately. That's already possible within your (Apple/Google/Microsoft) ecosystem, the missing piece is to make it possible outside of your ecosystem. That's something they are working on, and maybe it is partially there already (my "other hardware" is Linux so I'm assuming it will take longer to get there than it will between the big three)

My ideal would be to keep the passkeys on my iPhone (where they are secured, securely backed up, and can be securely recovered if I lose my phone) and have it talk via bluetooth to my PC so when I login to the Reg it would tell my browser "access passkey for www.theregister.com" and my browser would talk to the Fedora/GNOME key manager which would talk via bluetooth to my iPhone (which I would have previously allowed to talk to my Linux PC if asked for a passkey) and my phone would require me to authenticate via Face ID if I hadn't done so within a configurable number of minutes (because I don't want to keep looking at my phone for every login) and then provide the passkey to the Linux PC which could use it to login to the Register. I suspect we're a few years away from it being this smooth, but we'll get there faster for people staying inside the "big three" ecosystems.

Re: Passkeys are a bad idea, or at least badly implemented

Passkeys aren't a bad idea. The technology underpinning them—WebAuthn, FIDO2, etc.—is sound, and has been sound for years. But the current marketing push, redefinition of terms, confusing technical landscape, and improper security posture of basically every layperson using them, has provided the vast majority of end users no tangible benefit.

The term "passkey" was created (by Apple as far as I know) to help signal-boost WebAuthn and related technologies. It was and is a marketing term, with no relation to the FIDO Alliance or the FIDO/WebAuthn specifications. The actual result of this independent third-party push has been endless confusion on what a "passkey" even is, with vendors fighting over the exact definition. Meanwhile, over a decade of existing technical and end-user documentation that talks about WebAuthn/CTAP/FIDO2/FIDO/U2F never mentions "passkeys". I've met people that think passkeys are a completely separate technology, incompatible with WebAuthn... And in some cases, that may even be true.

Current consensus is passkeys are "probably WebAuthn credentials". But who knows what anyone actually means by that when they say it.

I've been using hardware security keys for years for all of my credential needs, and not only does it make signing in faster compared to having to remember/type out passwords, it's substantially more secure. Each site with FIDO2 compatibility gets a separate credential on each of my keys, so if I lose one I can revoke the credentials that specific key stored. Everyone else with OATH 2nd factor gets that. Where a password is required, I use a static password stored on the key, combined with an easy to remember prefix/suffix—or a generated and saved password for services I don't think I'll need to log into without my password manager handy. In my opinion, this is the best security posture you can take—but there's absolutely no way you could get your average end user to adopt it... Meanwhile so many implementations of such forced security I've seen by providers has been lackluster to the point of irrelevance.

Re: Passkeys are a bad idea, or at least badly implemented

> I also need access to things from multiple machines, most of them lacking biometrics, including in places where, guess what, there's no cell service. So passkey on phone fails even if I wanted to put all my security on the phone.

how do you currently do this? Password manager on every device? So that would mean every device has your passkeys... Or do you type your passwords in to devices that you don't trust enough for a password manager on them? Because passkeys would mean NOT giving those untrusted devices a copy of your authentication credentials.

The way this works is that the device you want to log in with displays a QR code which you scan with your phone. Then you authenticate with your phone (biometrics?) and your phone uses Bluetooth or WiFi or whatever way it has to talk to the computer to act as its authentication device. The computer sends the challenge and server name, then the phone signs the challenge and gives the signature to the computer to send to the website. This works without an internet connection (except the part where the service you are trying to sign in to is a web page!). It also is also not vulnerable to phishing sites.

All of the issues people have with passkeys are due to the fact that they want to store them on a single device instead of a password manager... Read various comments above for multiple examples of people having the exact same problem with passwords stored on a single device.

Re: There is no security.

You have to suppose nothing is entirely secure and everything is compromised (including people, but that's the weakest link in all systems)...

This is zero trust.

In practice, many ways exist to make something really secure. Another security measure is that people like me and us all probably aren't going to be targeted by state-sponsored hackers, etc.

So we have fairly secured mechanisms.

The idea that security is about control... tin foil hat, etc. I don't discuss that part.

Re: There is no security.

Passkeys use the same cryptography that the rest of the world uses.

If you can break that, you don't log in to random people's email accounts... you tell your bank that the Bank of England just transferred a couple of billion £ in to your bank account.

Re: Once breach to breach it all

Passkeys aren't accessible to the OS, or at least they aren't supposed to be. They'd be secured by the security chip on the device (Secure Enclave on iPhone/Mac, TPM on PC, whatever Android calls theirs) and you'd access it via biometrics (or a password on your phone if you are too paranoid to use biometrics)

That protects it against remote exploit, or even remote compromise of your phone. Physical security is beyond the scope of what passkeys are intended to do.

Re: So, passkeys

Indeed this is just SSH keys for logging in to services via web browser. The crucial thing being “do you trust this machine”. If said machine is stolen or irreparably damaged, unless there is some second way in (eg an app where you can kill all other sessions and block until you can recover the situation, you’re basically stuffed, about this much: https://youtu.be/Bex5LyzbbBE?si=uc0HnIYEm6eqeLGv

Re: So, passkeys

Please read something about asymmetric cryptography. At least the very high-level summary in the article.

Re: So, passkeys

12 upvotes for someone who clearly doesn't understand Passkeys. Standards round here have fucking plummetted.

Re: This why we need a Pi-based alternative.

It has nothing to do with "Use Pi!". If you stop exposing yourself to cloud infrastructure, that'll fix (almost) everything. You don't need a passcode to access your own [desktop] copy of LibreOffice, now do you??

Re: Unmentionables

My company used to use those dongles. Now it's a program on the computer. There's no longer a need for a thief to be burdened by carrying two things.

Re: "No password entry or 2FA step is required."

Passkeys are not stored in your browser. I think you are misunderstanding how they work.

The browser doesn't store them, the operating system does - and they are stored in the secure area like the TPM or the phone's equivalent so someone who breaks into your PC can't just read a file and steal them. When the browser encounters a site using passkeys for login it can request the passkey for that site from the OS which authenticates the user (typically biometrics, but it could be a password if you don't like biometrics or your device doesn't support them) before it can be used to access the site.

An additional 2FA step would be meaningless because you already have two factors. One you have the device containing the passkey. Two you have authenticated to the device using either biometrics or a password to be able to utilize the passkey.

The passkey is not only more convenient, but more secure.

You can't phish a passkey.

every single provider that I've currently used a passkey for also accepts username and password login with 2fa

Of course they do. Passkeys are only getting started - Microsoft has supported them for less than a year and it requires Windows 11 which a minority of PC users are using. No site will be able to go passkey only for a few years yet, except maybe some internal corporate sites where they have a captive audience they know will have the necessary requirements down and can be forced to use them.

You could have made the same arguments about 2FA, since pretty much every site that supports 2FA simultaneously supported single factor authentication for a long time. Many STILL do. When sites doing 2FA with SMS finally move to something better, you can be sure they will continue supporting SMS based 2FA for at least a year and maybe essentially forever rather than force everyone to use TOTP or passkeys or whatever that are more secure but are also more difficult for less technical users to understand (and those types of users don't WANT to understand or learn anything new, they were pissed when you forced them to type in a code delivered by SMS a few years back)

Umm... Passkeys aren't something you buy. A website asks your device to generate one, then when you want to log in the website asks your device to sign a challenge using the passkey it previously generated and registered.

Example flow for a user wanting to save on the device they are currently using:

Create passkey: You click the "create passkey" button on the relevant website, select the current device, then you touch your fingerprint reader.

Log in: You click "Log in using passkey" (Microsoft are getting rid of this step) then you touch your fingerprint reader.

Of course if you want to use your laptop but have your passkey on your phone there is the additional step of selecting the device to use when logging in. The first time you scan a QR code, after that you select it from a list.

IT people who understand passkeys love them because they provide complete protection from phishing attacks, are completely un-bruteforeceable, and can not be compromised by malware (unless you're saving them in a software password manager and the malware is in the kernel of course).

Users love them because they can log in by just pressing their fingerprint scanner.

If you waste a lot of time fucking around with passwords, you should use passkeys instead. They are idiot proof. However I do not know what windows 7 support is like... (The actual APIs used by passkeys have existed since the early internet explorer days, however the specific type of certificate is new)