
Google Passkeys Can Now Sync Across Devices On Multiple Platforms (engadget.com)

(Thursday September 19, 2024 @05:30PM (BeauHD) from the widely-supported dept.)


Google is [1]updating its Password Manager to [2]allow users to sync passkeys across multiple devices , including Windows, macOS, Linux, and Android, with iOS and ChromeOS support coming soon. Engadget reports:

> Once saved, the passkey automatically syncs across other devices using Google Password Manager. The company says this data is end-to-end encrypted, so it'll be pretty tough for someone to go in and steal credentials. [...] Today's update also brings another layer of security to passkeys on Google Password Manager. The company has introduced a six-digit PIN that will be required when using passkeys on a new device. This would likely stop nefarious actors from logging into an account even if they've somehow gotten ahold of the digital credentials. Just don't leave the PIN number laying on a sheet of paper directly next to the computer.



[1] https://blog.google/technology/safety-security/google-password-manager-passkeys-update-september-2024/

[2] https://www.engadget.com/apps/google-passkeys-can-now-sync-across-devices-on-multiple-platforms-160056596.html



So what's the advantage of passkeys again? (Score:3)

by 93 Escort Wagon ( 326346 )

I thought the whole argument in favor of passkeys was "the secret never leaves your device". If you're synching your passkeys across devices, what's the security advantage to this?

It sure seems to me that it's quickly become just a password that's managed by someone else instead of you... and without 2FA, to boot.

Re: (Score:3)

by Pinky's Brain ( 1158667 )

No, that was the original FIDO philosophy. A big reason for passkeys was syncing, to a large extent forced by Apple I assume.

In the Apple ecosystem the passkeys are protected from OS level exploits. You can have full kernel level access and it won't give you the passkeys. I doubt Google can give that guarantee with just TPMs.

Re: (Score:2)

by unrtst ( 777550 )

From: [1]https://en.wikipedia.org/wiki/... [wikipedia.org]

> * No Server-Side Credential Storage : The private part of a credential is never stored on a server

Syncing the private key to multiple devices means the private key is getting passed around on the network and almost certainly stored by Google.

[1] https://en.wikipedia.org/wiki/WebAuthn#Advantages_over_traditional_password-based_authentication

Re: (Score:2)

by Pinky's Brain ( 1158667 )

Google can arbitrarily push an update to steal all your passkeys regardless.

You have to trust google, but you don't have to trust the servers of other companies to protect the private part of the passkey.

Re: (Score:2)

by bhcompy ( 1877290 )

If it's not customer friendly in some way, people won't use it. The security advantage of doing this is that it's still an improvement over today's options, which are all more friendly with password managers and authenticator apps that sync across devices.

Re: (Score:2)

by Rujiel ( 1632063 )

"If it's not customer friendly in some way, people won't use it."

Every huge tech company dragging its customers kicking and screaming into using 2FA over the last few years would probably share my disagreement with that point.

Re: (Score:2)

by bhcompy ( 1877290 )

If you give people no other option, then they're forced to use it. That said, many vendors offer a variety of MFA options these days, so people choose based on what meets their cross-section of security and convenience.

Re: (Score:2)

by AmiMoJo ( 196126 )

No, the argument was that the secret never gets stored on the server.

With a password, even if it's hashed it can be recovered with a dictionary attack or just brute force. And that's assuming they did the hashing properly - better to just remove the possibility entirely.

Passkeys only require a public key to be stored.

Another advantage is that it eliminates password rules and the possibility of them being weak.

Stealing credentials (Score:4, Insightful)

by sunderland56 ( 621843 )

> "it'll be pretty tough for someone to go in and steal credentials"

Unless you work for Google.

And, Google has not proven to be trustworthy with my personal information.

Re: Stealing credentials (Score:2)

by LindleyF ( 9395567 )

I'm not certain if that's mathematically true. I am certain that the vast majority of Google employees will not have this access.

Re: (Score:2)

by AmiMoJo ( 196126 )

Chrome has had password sync since the start. So far no examples of them being stolen.

You can also set your own password for them, and again no examples of that being stolen.

You can of course use your own sync server, or just not enable it.

Mozilla has a similar feature in Firefox. Most browsers do.

How can they communicate between secure domains? (Score:2)

by Pinky's Brain ( 1158667 )

All the existing secure domains except Apple's don't seem designed for syncing. Can they truly protect passkeys from OS level root exploits this way? I think not.

I'll absolutely adopt this google product, (Score:3)

by Bill, Shooter of Bul ( 629286 )

I'll absolutely adopt this google product, right after they resurrect google reader. Sorry Google, fool me once shame on you, Fool me 296 times, shame on me (https://killedbygoogle.com/).

Re: (Score:2)

by Bill, Shooter of Bul ( 629286 )

Fucking hell, Google, you killed chromecast?!? https://www.theverge.com/2024/8/6/24214471/google-chromecast-line-discontinued. I feel like I need to study that page every other day to figure out which of my devices/services will be nerfed.

For Phishing Non-Enthusiasts Only (Score:1)

by thomasboyles ( 9324709 )

Passkeys solve the problem of someone phishing a user into giving them their password. Great. These potentially solve for 36% of data breaches as of 2023. However, Google and Apple want to make the device you're logging in from the same device as the passkey. They also don't allow an admin to turn passkeys off as a factor from the accounts admin console. This means that a thief who manages to grab an unlocked phone or a laptop from an unwitting mark has her device and entire login. Appreciating that this li

Re: (Score:2)

by Pinky's Brain ( 1158667 )

You can still demand a device bound passkey, but how is it actually a solution to the described threat? When they are logged in, they are logged in.

As for the cross service persistence of the login, can't you just set user verification required with webauthn? Then they will need to re-enter pin/biometric for the new login.

So a passkey only for new devices? (Score:2)

by OneOfMany07 ( 4921667 )

I'm sure having a special password that we never use, except when adding new devices, will solve this password... I mean passkey, security problem.

And that having easy, effective visibility into where our information exists would be too hard for them to implement. That warning users about new devices connecting to sensitive personal data is impossible to do effectively.

Linux Dominates Academic Research

A recent survey of colleges and high schools reveals that Linux, Open Source
Software, and Microsoft are favorite topics for research projects. Internet
Censorship, a popular topic for the past two years, was supplanted by Biology
of Penguins as another of this year's most popular subjects for research
papers.

"The Internet has changed all the rules," one college professor told
Humorix. "Nobody wants to write papers about traditional topics like the
death penalty, freedom of speech, abortion, juvenile crime, etc. Most of the
research papers I've seen the past year have been computer related, and most
of the reference material has come from the Net. This isn't necessarily
good; there's a lot of crap on the Net. One student tried to use 'Bob's
Totally Wicked Anti-Microsoft Homepage of Doom' and 'The Support Group for
People Used by Microsoft' as primary sources of information for his paper
about Microsoft."

A high school English teacher added, "Plagiarism is a problem with the Net.
One of my students 'wrote' a brilliant piece about the free software
revolution. Upon further inspection, however, almost everything was stolen
from Eric S. Raymond's website. I asked the student, 'What does noosphere
mean?' He responded, 'New-what?' Needless to say, he failed the class."