this post was submitted on 30 Mar 2024
403 points (100.0% liked)


Passkeys are an easy and secure alternative to traditional passwords that can help prevent phishing attacks and make your online experience smoother and safer.

Unfortunately, Big Tech’s rollout of this technology prioritized using passkeys to lock people into their walled gardens over providing universal security for everyone (you have to use their platform, which often does not work across all platforms). And many password managers only support passkeys on specific platforms or provide them with paid plans, meaning you only get to reap passkeys’ security benefits if you can afford them.

They’ve reimagined passkeys, helping them reach their full potential as free, universal, and open-source tech. They have made online privacy and security accessible to everyone, regardless of what device you use or your ability to pay.

I'm still a paying customer of Bitwarden as Proton Pass was up to now still not doing everything, but this may make me re-evaluate using Proton Pass as I'm also a paying customer of Proton Pass. It certainly looks like Proton Pass is advancing at quite a pace, and Proton has already built up a good reputation for private e-mail and an excellent VPN client.

Proton is also the ONLY passkey provider that I've seen allowing you to store, share, and export passkeys just like you can with passwords!

See https://proton.me/blog/proton-pass-passkeys

#technology #passkeys #security #ProtonPass #opensource

[–] [email protected] 65 points 1 year ago (5 children)

> Proton is also the ONLY passkey provider that I've seen allowing you to store, share, and export passkeys just like you can with passwords!

1Password has had this for several months.

As others have mentioned, Bitwarden also has this. This really feels like an ad.

[–] [email protected] 7 points 1 year ago

Agreed. Saying PP four times in two sentences triggers my ad sense. Capitalism never capitulates.

[–] [email protected] 7 points 1 year ago

I don't see a way where this isn't an ad, especially with the end and it's frustrating.

[–] [email protected] 6 points 1 year ago (1 children)

I looked at it and it literally says passkeys aren't supported on Android right now. So this is bullshit.

[–] [email protected] 4 points 1 year ago (1 children)

Looks like they are just rolling out support for Android 14 and up.

https://blog.1password.com/save-use-passkeys-android/

[–] [email protected] 60 points 1 year ago (7 children)
[–] [email protected] 48 points 1 year ago (2 children)

Bitwarden currently only supports storing and using Passkeys via the browser extension. You cannot use them on mobile.

[–] [email protected] 16 points 1 year ago (1 children)

Ah I see. Hope to see it brought to mobile soon.

[–] [email protected] 12 points 1 year ago

They're rewriting their mobile apps to make it possible

[–] [email protected] 6 points 1 year ago* (last edited 1 year ago) (1 children)

~~Yep, the title is incorrect.~~ reading is hard

[–] [email protected] 34 points 1 year ago

No it isn't. Passkeys cannot be used on mobile Bitwarden, only the browser extension.

> Passkey storage
>
> Note: Saving and using passkeys are a feature of the Bitwarden browser extension. Other Bitwarden clients can be used to view the saved passkey.

https://bitwarden.com/help/storing-passkeys/

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

Seems that way? Although I can't seem to create a passkey somehow. Or is that how it works? Should I be able to create one on a free Bitwarden plan?

Edit: only on browser extension, got it.

[–] [email protected] 41 points 1 year ago (1 children)
[–] [email protected] 8 points 1 year ago (1 children)

No, an ad would have come out when it was launched, and an ad would try to sell something?

[–] [email protected] 10 points 1 year ago (1 children)

> an ad would try to sell something?

You're trying to sell people on Proton over Bitwarden.

[–] [email protected] 41 points 1 year ago* (last edited 1 year ago) (2 children)

> all devices

Lies, there's no Linux app yet. As usual, Proton Inc continues to treat Linux users as third-class citizens, all whilst claiming they care about privacy and security.


Edit: They don't even have a macOS app yet lol.

[–] [email protected] 7 points 1 year ago (2 children)

I'm using the browser add-on in Linux across all my browsers. I do have the Bitwarden app for Linux, but to be honest I never open it as it is a pain to have to open a separate app, and then copy and paste. Isn't it just more seamless to let it replace the browser password manager on Linux? If I want to tidy up my Bitwarden vault, I also do that in the browser.

[–] [email protected] 18 points 1 year ago* (last edited 1 year ago) (1 children)

Passwords are used in more places than just browsers though. If there wasn't any need for a dedicated app, why did they bother making one for Windows?

But personally, I dislike Bitwarden as well. I prefer KeePassXC instead, as it works fully offline and I don't need to depend on a cloud-based provider (or spin up a server). The best part about KeePassXC is that it supports auto-typing credentials, so you don't need to copy-paste - and it works across a multitude of apps, such as remote desktop / terminal sessions.

[–] [email protected] 6 points 1 year ago (1 children)

I have the app and the browser extension. I usually open the extension and copy from there rather than use the app for things outside of the browser. It's just quicker.

[–] [email protected] 5 points 1 year ago

This is what I do as well. I always have Firefox running and can easily search the extension for whatever password I need and it is just as easy to copy from there as opening another tool.

That being said the iOS app is great for when I am away from my laptop.

[–] [email protected] 32 points 1 year ago (1 children)

Vaultwarden is completely in my hands though

[–] [email protected] 7 points 1 year ago (2 children)

True, just hope they eventually get passkeys for mobile.

[–] [email protected] 23 points 1 year ago (3 children)

They will have to rip Bitwarden (soon Vaultwarden) from my cold dead hands.

[–] [email protected] 21 points 1 year ago (2 children)

I have a question that is kind of off topic. If I use a password manager and generally use randomized secure passwords, do passkeys offer any additional security?

By practicing good password behavior, I have struggled to see how the benefits of passkeys outweigh the hassles.

[–] [email protected] 11 points 1 year ago* (last edited 1 year ago) (2 children)

Yes, passkeys are not brute-forcible, and are phishing resistant.

Whether or not they provide more security depends on how fully they’re implemented. A service that’s fully implemented them, like PlayStation for example, will remove the password from your account after activating your passkey.

Some websites have half-assed their implementations where you can use a passkey or a password to log in. In that scenario, your account isn’t really any more secure, it’s just a more convenient way to log in.

[–] [email protected] 15 points 1 year ago (1 children)

Are sufficiently long passwords susceptible to brute force attacks?

Don't passkeys get that feature by just being longer?

[–] [email protected] 17 points 1 year ago* (last edited 1 year ago) (1 children)

> Are sufficiently long passwords susceptible to brute force attacks?

Yes. Though obviously the odds of success go down the longer and more complex that password.

> Don't passkeys get that feature by just being longer?

Put simply… no. Passkeys aren’t just “longer passwords” sent to the same place. Unlike passwords, Passkeys aren’t a “shared secret” that you’re sending to the service you’re authenticating to. Passkeys use asymmetric encryption and are neither sent to nor stored on the server you’re authenticating to. Your passkey is a private key stored on your device and secured by biometrics, the paired public key for which lives on the server you created the passkey to authenticate to.

In a traditional brute force operation, you’re sending guesses to a server that knows your password. If you send the correct guess, you get in. It’s also possible to steal the password from the server and brute force that offline.

With a passkey on the other hand, the server uses your public key to encrypt a string in a challenge message, this string can only be decrypted by your passkey. You then send a response that’s encrypted by your private key, which can then only be decrypted by the public key on the server. So the thing you’re sending to the server to authenticate isn’t your passkey, and it’s unique every time you log in.

So could you perform some kind of operation that would technically still be a kind of brute force? Theoretically yeah. But even so you’d be limited to brute forcing against the server, which isn’t very effective even against passwords. However you would not at all be susceptible to offline brute forcing based on the capture of a passkey either in flight by breaking encryption, or by breaching the server, because your passkey never leaves your device.
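The challenge-response login discussed in the comment above, as an added example that is not part of the thread: a simplified model (not the full WebAuthn message format) in which the device signs a fresh server challenge together with the origin it sees, and the server stores only the public key. The class names, the `example.test` origins and the user `alice` are constructed for illustration.

```javascript
// Added example: simplified model of a passkey login, not the full WebAuthn format.
const crypto = require('node:crypto');

// Device side: the private key stays here, stored per origin it was created for.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey; // only the public half leaves the device
  }
  respond(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // no credential for this origin, e.g. a lookalike site
    const clientData = JSON.stringify({ challenge, origin });
    return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), key) };
  }
}

// Server side: stores public keys and the challenges it has issued but not yet seen back.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Set(); }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge() {
    const challenge = crypto.randomBytes(32).toString('base64url');
    this.pending.add(challenge);
    return challenge;
  }
  verify(user, response) {
    const publicKey = this.publicKeys.get(user);
    if (!response || !publicKey) return false;
    const { challenge, origin } = JSON.parse(response.clientData);
    if (origin !== this.origin) return false;          // signed for a different site
    if (!this.pending.delete(challenge)) return false; // unknown or already used challenge
    return crypto.verify('sha256', Buffer.from(response.clientData), publicKey, response.signature);
  }
}

function demo() {
  const rp = new RelyingParty('https://example.test'); // constructed origin
  const device = new Authenticator();
  rp.enroll('alice', device.register(rp.origin));      // constructed user name
  const first = device.respond(rp.origin, rp.newChallenge());
  const login = rp.verify('alice', first);
  const replay = rp.verify('alice', first); // same response again: challenge is spent
  const phished = rp.verify('alice', device.respond('https://examp1e.test', rp.newChallenge()));
  const second = device.respond(rp.origin, rp.newChallenge());
  return { login, replay, phished, fresh: first.clientData !== second.clientData };
}
console.log(demo());
```

The server's `publicKeys` map is everything a breach of this relying party would yield for the credential; it can verify signatures but cannot produce them.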

[–] [email protected] 3 points 1 year ago (2 children)

Thank you, that was a really helpful explanation that I haven't seen elsewhere. It helps a lot and I think I now understand the difference between passwords and passkeys.

I still don't like the hassle inherent in passkeys, but at least I understand it now.

[–] [email protected] 4 points 1 year ago (6 children)

Unless you lose it or have it stolen.

[–] [email protected] 9 points 1 year ago (3 children)

Can I get an explanation on what exactly passkeys are? I already use Bitwarden for passwords, is there any good reason to switch to passkeys if that works for me?

[–] [email protected] 9 points 1 year ago (2 children)

Passkeys are a form of passwordless authentication. You store them in Bitwarden like regular passwords, but when you want to access a site that supports them (e.g. eBay), instead of asking for your password and autofilling or copy-pasting it from Bitwarden, your Bitwarden pops up and asks you if you want to login and it just happens (if you have multiple passkeys associated with a site you can select which you want to use). That's it. No password fields which get autofilled and no password in your clipboard (history).

[–] [email protected] 4 points 1 year ago (1 children)
[–] [email protected] 4 points 1 year ago

It is a similar experience, but you don't need any infrastructure for it. Everything is handled by your device.

[–] [email protected] 4 points 1 year ago (1 children)

Thanks for the explanation. From the sound of it I'll probably stick with passwords—I like being able to copy them, cause I'm often signing in to an application, not a website, etc.

[–] [email protected] 9 points 1 year ago* (last edited 1 year ago) (2 children)

Does it beat Bitwarden though? Bitwarden has supported at least 2 services for me using passkeys, one of which is Google.

I might be misunderstanding this, but it doesn't seem like Proton beat anyone to anything.

Edit for info: https://bitwarden.com/passwordless-passkeys/

[–] [email protected] 10 points 1 year ago (9 children)

They're talking about the fact that Bitwarden doesn't support passkeys on mobile

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago)

The point of the post was that Proton Pass is beating Bitwarden right now to having passkeys for mobile (Bitwarden has still not released that), and Proton Pass can actually export passkeys which Bitwarden does not do, so they are improving. I would not say though they are better all round than Bitwarden. I pay for both but am still evaluating the rest of Proton Pass vs Bitwarden especially around tweaks in options. But Proton is showing some innovation and momentum, while Bitwarden is slowing a bit. For those already using Proton they will likely find Proton Pass good enough to use right now.

[–] [email protected] 5 points 1 year ago

I started using Strongbox on iPhone & Mac for passkey support. Bitwarden is still there too, esp for PC, but I may move to an all KeePass setup.
