Bitwarden passkey support starts rolling out through the browser extension
I have yet to get a Yubikey, mostly because I'm scared of losing or breaking it.
That's why you should get two.
And if you only need FIDO2/passkeys, the Security Key series is half the cost ($25) of the Yubikey 5 ($50) and all you really lose is OpenPGP and PIV (smart card) functionality.
Now I like playing with all the features of the 5, but most people should just need FIDO2.
I looked into this a year ago and most sites did not offer to register a second key, so if you lose your key, you can kiss many of your accesses goodbye. I would never have the key to my digital life on a keychain... The idea is good, but it will cause huge damage if you lose your HW key. On the other hand, if you are cautious and use different PWs and a password manager with 2FA, you are quite safe.
You can store alternative 2FA methods and backup codes in a safe place just in case your YubiKey fails.
I have had three of them on my keyring for years (one old personal, one newer personal and one for work) and even though they sometimes get lodged between the keys and a separate ring I have on the main ring none of them ever even got close to looking damaged (excluding some mild fading of the print on the oldest one).
Oh, nice! Doesn't look like it's hit the Firefox Addons repo yet, but I'll be looking forward to it when it does.
uh. for the slower ones.... how does this improve security? 🤔
edit. thanks @lemmyvore@feddit.nl, @azron, @russjr08@outpost.zeuslink.net I still don't really get it, but feel confident to trust you guys on this one.
My understanding is:
Passkeys are like a password + 2FA mashed together. If someone steals your "passkey password" they still can't use it to login without the hardware component. That means phishing is harder. Since passkeys are generated for the user from their hardware it also forces better hygiene on the user by not allowing any password duplication.
A downside is it is tied to hardware and a provider that can cause problems with loss of device or when you change devices but it is hard to say how painful that is going to be.
[edited for a bit more clarity]
Passkeys are client-driven.
When you visit a website you'd like to login to, your browser generates a public/private key pair and gives the public key to the site.
When you want to login:
Now both website and browser are sure the other is legit, there are no passwords involved, the login process is standardized and can be upgraded with new protocols and cyphers whenever needed, you can't be phished, you can't be tricked by a fake domain that looks in Unicode like the correct one, and if anybody breaks in and steals the public key they can't do anything with it.
This is the best primer that I've found: https://www.eff.org/deeplinks/2023/10/what-passkey
The main advantage is that, like hardware security keys, they're immune to Man in the Middle phishing attacks, but are far simpler to use so should hopefully see much more widespread use.
Lmao
Here's the actual link to the Bitwarden blog:
https://bitwarden.com/resources/october-2023-spotlight-bitwarden-introduces-passkey-two-step-login-for-all/
The site is actually asking me for login now via Google or something else. In recent times, many sites like Howtogeek or MakeUseOf have kinda paywalled unless you login. It works properly with adblocker (uBlock Origin) once I login though.
Adguard ftw
The point is it's a shitty thing to do and I would rather not give them any attention especially since the entire thing is explained in a blog post on Bitwarden's site.
Doesn't happen on uBO
Works fine with Fennec (F-Droid) and uBlock Origin
I have all my filters enabled on Firefox uBO and it gets rid of that