
Amazon Quietly Rolls Out Support for Passkeys, With a Catch - Slashdot

source link: https://it.slashdot.org/story/23/10/17/1410234/amazon-quietly-rolls-out-support-for-passkeys-with-a-catch


Amazon Quietly Rolls Out Support for Passkeys, With a Catch (techcrunch.com)

Posted by msmash

on Tuesday October 17, 2023 @12:40PM from the moving-forward dept.
Amazon has quietly rolled out support for passkeys as it becomes the latest tech giant to join the passwordless future. But you still might have to hold onto your Amazon password for a little while longer. From a report: The option to set up a passkey is now available on the e-commerce giant's website, allowing users to log in using biometric authentication on their device, such as their fingerprint or face scan. Doing so makes it far more difficult for bad actors to remotely access users' accounts, given that the attacker also needs physical access to the user's device.

But Amazon's implementation of passkeys isn't without issues, as noted by Vincent Delitz, co-founder of German tech startup Corbado, who first documented the arrival of passkey support on Amazon. Delitz noted that there is currently no support for passkeys in Amazon's native apps, such as Amazon's shopping app or Prime Video, which TechCrunch has also checked, meaning you still have to use a password to sign in (for now). What's more, if you've set up a passkey but previously set up two-factor authentication (2FA), Amazon will still prompt you to enter a one-time verification code when logging in, a move Delitz said was "redundant," since passkeys remove the need for 2FA as they are stored on your device.


  • by Rosco P. Coltrane ( 209368 ) on Tuesday October 17, 2023 @12:53PM (#63931871)

    using biometric authentication on their device, such as their fingerprint or face scan

    No thanks.

    Biometrics are a Bad Idea[tm]: when your credentials are compromised, you can't change them.

    • Re:

      Got 9 other fingers. I'm saving my middle finger for a fitting finale before my devices start wondering about that 'thumb' attached to my foot I'm using to authenticate.

      Foot auth is wrong? Racist.

    • But the services do not store your biometrics, only a public key while the private key remains on your device.

      So, if your device gets stolen you remove that passkey from your account. Similar to what you would do if you lose a FIDO stick like a YubiKey or SoloKey.

      Biometrics are only used to access the locally stored private key and you can also use a PIN or password for accessing this.

      • Re:

        But the services do not store your biometrics, only a public key while the private key remains on your device. So, if your device gets stolen you remove that passkey from your account. Similar to what you would do if you lose a FIDO stick like a YubiKey or SoloKey. Biometrics are only used to access the locally stored private key and you can also use a PIN or password for accessing this.

        I don't care.

        I don't use biometrics on any of my devices (mostly all Apple at this time)....and as long as these sites

        • Re:

          In addition, I don't want my ability to log into a site (totally) dependent on having my cell phone with me or working. I can see some benefits to having things tied to a device I'm almost certainly going to have full-time, secure access to but the devil is in the words "almost certainly". Things go wrong and those may be independent of my need to login somewhere. This is (one of the reasons) why I switched from Google Authenticator to Authy, which syncs with multiple devices and has a Windows/Linux cli

    • Re:

      I had to look up passkeys. It seems that it is a key pair, and you hand out your public key. The identity check is then performed on your phone.

      This still makes it a bad idea, even if you choose a biometric check and the biometrics do not leave your phone. Phones are the least secure devices around, and are easily stolen. This video (in German) [media.ccc.de] also shows how easy it is to fool the biometric systems

      • Phone is one option but not the only one, hardware tokens like Yubikeys can also hold passkeys.

        I wish articles like this would stop the focus on biometrics. It is one option to unlock the key storage but not the only one.

      • Re:

        The biometrics are optional, that's just the implementation in order to push adoption over passwords.

        How many people have password123 or something similar. Passkeys are basically SSH keys, how you unlock them is up to you.

        • Re:

          Sure, but a password is still "something you know" rather than something you have (like a security key or biometric) and the former is harder for others, including LEOs, to obtain. Even a dumb password is harder to utilize than a fingerprint or Yubikey...

          Bottom line, as long as sites continue to offer a variety of authentication methods, everyone should be fine.

    • Re:

      Just wait 'till surgeons start offering biometric reconstructive surgery; a whole new biometric you after you've been compromised. I can see a whole new industry growing to deal with the fallout of people having their biometrics stolen/copied. Oh, the joys of laissez-faire capitalism; everyone's misery is their profit!

    • Re:

      Speak for yourself. I am on my 4th full-face transplant [mayoclinic.org].

  • I'm assuming he misspoke, or the comment he made wasn't captured correctly, but passkeys do not remove the need for MFA. Even if you use your face, fingerprint, or beard style, you should still use a TOTP based application, or some other alternative security form. SFA, with passkeys, might be slightly better than passwords, but that slight advantage is in no way a replacement for proper MFA.
    • That's an argument against biometrics as a factor, passkeys already are MFA though.

      • Re:

        No, they are not. Or at least they are not MFA on the server side.

        You may protect your passkey with MFA (multi-factor-auth, like password and biometric), but that's just to unlock the passkey. It is then used as a single form of authentication to the server/service.

        I don't blame anyone for misunderstanding. Every article cages passkeys in a slightly different and still inaccurate light, just as the slashdot quote did.

        • It's interesting since the creators tend to think that's enough. The server is able to verify (and require) through user verification that a challenge was presented and answered correctly by the user. I assume that doesn't protect from the theoretical device that always returns yes, I do not know how they deal with the potential for nefarious authentication devices other than advising people not to use them. I am not a fan of the synced keys that are common with cell phones since
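The two comments above describe the actual protocol: the server keeps only a public key, sends a challenge, the device signs it after a local PIN/biometric unlock, and the server can require that unlock through the user-verification (UV) flag. The Go program below is an added example written for this page, not code from Amazon, Corbado or any WebAuthn library; the rpID "amazon.example", the challenge string and the clientDataJSON are constructed values, and the signature counter is fixed at 1.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// WebAuthn authenticator-data flag bits: user present, and user verified (PIN or biometric).
const FlagUP, FlagUV = 0x01, 0x04

// Register runs on the authenticator; the server stores only the returned public key.
func Register() (*ecdsa.PrivateKey, *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return priv, &priv.PublicKey
}

// signedDigest is what both sides hash: sha256(authData || sha256(clientDataJSON)).
func signedDigest(authData, clientData []byte) []byte {
	cdh := sha256.Sum256(clientData)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return d[:]
}

// Sign is the authenticator's side: pack rpIdHash(32)||flags(1)||counter(4), sign it with the client data; the key never leaves the device.
func Sign(priv *ecdsa.PrivateKey, rpID string, flags byte, clientData []byte) (authData, sig []byte) {
	h := sha256.Sum256([]byte(rpID))
	authData = append(h[:], flags, 0, 0, 0, 1) // signature counter fixed at 1 for this example
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, clientData))
	return authData, sig
}

// Verify is the server's side: one signed challenge is the whole login; requireUV insists the key was unlocked by PIN/biometric (UV flag).
func Verify(pub *ecdsa.PublicKey, rpID, challenge string, authData, clientData, sig []byte, requireUV bool) error {
	rp := sha256.Sum256([]byte(rpID))
	switch {
	case !bytes.Contains(clientData, []byte(`"challenge":"`+challenge+`"`)): // a real RP parses the JSON
		return errors.New("challenge not echoed")
	case len(authData) < 37 || !bytes.Equal(authData[:32], rp[:]):
		return errors.New("wrong relying party: phished or mis-scoped assertion")
	case authData[32]&FlagUP == 0 || (requireUV && authData[32]&FlagUV == 0):
		return errors.New("user presence/verification flag missing")
	case !ecdsa.VerifyASN1(pub, signedDigest(authData, clientData), sig):
		return errors.New("bad signature")
	}
	return nil
}
```

The rpID check is what makes the login phishing-resistant: an assertion produced for a look-alike domain hashes to a different rpIdHash and is rejected before the signature is even examined.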

    • Re:

      I kind of miss the days when someone hacking my Amazon account merely meant a 'bad' book might show up at my doorstep. Unreal how you can be abused from that domain these days. Instead of returning a book, you might be faced with returning the entire fucking car that used to deliver limited liability before.

      • Re:

        Amazon is pretty good with customer service. If they send you an entire car and you were hacked, they might even tell you to keep the car since they don't have a delivery driver to bring it back.

        I have tons of shit monthly from Amazon that poorly or wrongly delivers stuff (wrong item delivered, wrong number, cosmetically damaged in shipping), they always tell me to keep it, even expensive stuff like weapons, LEGO and bulk food items.

      • Re:

        That's only regarding Passwords + TOTP (Or another factor), Passkeys + TOTP is always going to be better than Passkeys alone. The more factors you can add, the better off you'll be, that is why using an SSH key + TOTP is considered better than an SSH key alone. In fact, most security people would tell you to protect the SSH key with a Passcode, and using a Password and TOTP on top of that, giving you SSH Key (Passphrase protected) + Password + TOTP.

        • Re:

          Sure, you can add more but the point stands that passkeys are themselves a 2FA. I think they strike the right balance of security vs. ease of use. Many more average people will use passkeys than a multifactor authentication app.

    • Re:

      The idea is that passkeys are the alternative MFA.

      MFA is more easily fooled. Most people have a phone which has pretty decent locking and security capabilities and an always-on TLS connection to some cloud, so as long as you keep your 'vault' there, and wipe the vault when you lose control over your phone, passkeys are immensely more secure. You should still maintain an (offline) backup of your private keys, but those should only be unlocked using very complex (or physical) means.

      • They are also phishing resistant, unlike TOTP.

      • Re:

        Okay, so assume your passkey is your phone, and it will handle your biometrics sign in + always on TLS connection. If you then pair that with a Yubi Key, and require X hour based TOTP to validate against a second factor, how is that not better / more secure? That way even if someone got my phone, and fooled it, they would still need my Yubi key, which I don't keep with my phone. Add on top of that some kind of RSA key, and now you're cooking with jet fuel, because I can passphrase the RSA key, so my SSH

        • Re:

          Okay, so assume your passkey is your phone, and it will handle your biometrics sign in + always on TLS connection. If you then pair that with a Yubi Key, and require X hour based TOTP to validate against a second factor, how is that not better / more secure? That way even if someone got my phone, and fooled it, they would still need my Yubi key, which I don't keep with my phone. Add on top of that some kind of RSA key, and now you're cooking with jet fuel, because I can passphrase the RSA key, so my SSH / P

          • Re:

            Right, but the idea is to have MFA no matter what with a separation. The only password I memorize is the one to get into my password manager, because everything else is inside of that. My average password is some randomized collection of 64 characters that get randomized when I sign up for a service, and get changed every X months. I actually don't know what my Slashdot password is, because there's no need to remember it. The only thing I do know, it's not shared with any other service.

            • Re:

              Right, but the idea is to have MFA no matter what with a separation. The only password I memorize is the one to get into my password manager, because everything else is inside of that. My average password is some randomized collection of 64 characters that get randomized when I sign up for a service, and get changed every X months. I actually don't know what my Slashdot password is, because there's no need to remember it. The only thing I do know, it's not shared with any other service.

              You don't think tha

    • Re:

      you should still use a TOTP based application

      Please pardon, I'm a bit acronym challenged today...what is "TOTP" please?

  • If Amazon would let me use a U2F key instead of the current authenticator apps they allow.

