Glad to see another person who is not keen on the passkeys. I have the feeling it is being hyped and perhaps without good reasons. Therefore I was glad to share this blog post when I saw it on Mastodon. btw, the blog post author turns out to be the software developer of similar software like Authentik and Keycloak. In other words, not just the average Linux user :)
I really think that we should have just iterated on passwords. Switch to a PAKE and keep improving password-manager
UX and pushing most users to auto-generated passwords. So much was lost by switching to a system that most users
don’t understand.
When I search with a search engine for PAKE I don’t find anything useful. Got a link ?
I like your reasoning about just using passwords. However, my experience is that a scary amount of users are using the same rather weak password for lots of different accounts. And a still scary amount of users does get tricked into phishing emails. What I like for myself is have a bunch of security keys and use them as much as possible for important logins.Some applications allow for five different security keys to be configured.And this could theoretically also be a way to use 2FA within teams. One team person does the login, adds a key, then let’s the second team member put in their key and so on.
a scary amount of users are using the same rather weak password for lots of different accounts
This is true, but you can force them to use a random password just as easily as you can force them to use a randomly generated key. The end UX can look basically identical if you want it to. My point is that this is basically a UX problem. Instead of just making the change we are inventing this new protocol to shuffle along a UX change at the same time. Maybe part of this is because the change has major unaddressed downsides that would be too obvious to slip by if made as an incremental upgrade to passwords.
One team person does the login, adds a key, then let’s the second team member put in their key and so on.
There is no reason you can’t have multiple passwords associated with an account.
Glad to see another person who is not keen on the passkeys. I have the feeling it is being hyped and perhaps without good reasons. Therefore I was glad to share this blog post when I saw it on Mastodon. btw, the blog post author turns out to be the software developer of similar software like Authentik and Keycloak. In other words, not just the average Linux user :)
When I search with a search engine for PAKE I don’t find anything useful. Got a link ?
I like your reasoning about just using passwords. However, my experience is that a scary amount of users are using the same rather weak password for lots of different accounts. And a still scary amount of users does get tricked into phishing emails. What I like for myself is have a bunch of security keys and use them as much as possible for important logins.Some applications allow for five different security keys to be configured.And this could theoretically also be a way to use 2FA within teams. One team person does the login, adds a key, then let’s the second team member put in their key and so on.
Thanks. I see you shared it two years ago on Lobsters and got a fair amount of comments. 👍
https://en.wikipedia.org/wiki/Password-authenticated_key_agreement
Cloudflare also had a fairly good post a while ago about a newer PAKE algorithm: https://blog.cloudflare.com/opaque-oblivious-passwords
This is true, but you can force them to use a random password just as easily as you can force them to use a randomly generated key. The end UX can look basically identical if you want it to. My point is that this is basically a UX problem. Instead of just making the change we are inventing this new protocol to shuffle along a UX change at the same time. Maybe part of this is because the change has major unaddressed downsides that would be too obvious to slip by if made as an incremental upgrade to passwords.
There is no reason you can’t have multiple passwords associated with an account.
This PAKE post by Cloudflare is way over my head, but very good to see that new things are explored to make security really better.