sry my comment was not clear i meant proton.

They’re rewriting their mobile apps to make it possible

By “Share”, I assumed with other password managers that supported PassKeys.

It doesn’t necessarily have to be a file, it could be the config like a TOTP code is.

When you say bitwarden syncs between PC and phone, which service does it sync with on these platforms? I didn’t know bitwarden synced with any other service.

People are perfectly within their rights to be rubbed up the wrong way.

Find another way to try and bring people to your point of view

Thanks for your great example of condescension for clarity. A little unsolicited feedback though… other people, unaware of your virtuous intent, might view it as a petty attempt to belittle a stranger on the internet. Other than that, a solid comment. B+

… that’s condescending.

Can you give an actual example of this or are you just making a broad accusation against anyone that uses something other than Proton?

The quote you are referring to is about people who have such specialised security needs that they choose to self-host. i.e. its about people who won’t use Proton because it doesn’t suit their needs. The only ‘accusations’ in the post are against Google & Microsoft, who are accused of buying the souls of their users and selling their data - which I think is a fair accusation. No other company or service is referred to, explicitly or implicitly.

No accusations intended. My point is if you’re clued up enough to be comfortable making your own decisions then fill your boots. I’m not here to convince you. The “aggressive” advertising is the only way they are able generate revenue. And I’m fine with that compared to the alternatives. I find it far more disrespectful to have my data skimmed and monetised by a system of exploitative consumption.

You can disable it from proton mail settings

No just have “Proton for Business newsletter” disabled but I see many of their mails say only once a quarter etc. So seems they don’t send out every month.

True, and the reverse is also true when a product is bad. I blog usually about what I’m interested in testing out, and when I see if may be worth me moving to a different service.

Firstly, the point was made that the passkey functionality in Proton Pass is free (no account needed or “selling”) and that is for unlimited logins. Anyone can just use it. I pay for, and am still using Bitwarden. I posted about this because it is interesting that Pass has implemented passkeys for mobile, while I still wait for Bitwarden, so I’m interested in testing this out with Proton Pass. I post about all sorts of things that I find interesting, and sometimes I do switch my services across if I find it can match or better what I already use. That’s the bottom line.

I was just as interested when I was considering moving from LastPass to Bitwarden, but then I was accused of “selling” free Bitwarden to people. Everyone must make up their own minds as their circumstances are different. But if no-one posted about what they found interesting, we’d have no Lemmy, and we’d all forever just stay stuck on whatever we personally know. Certainly Bitwarden and Proton Pass are not the only good password managers out there, but this week I was interested to see an article about Proton Pass, and I had not even known they’d rolled out passkeys yet. It seems like quite a few others did not either.

I’m sure others also post about what new stuff 1Password has just rolled out, and I’d be interested to hear about that too. That is how I decide whether I want to try something better.

If I wanted to try to sell something, I’m sure Proton Pass probably has some loyalty link for paid accounts, but no, you did not see me sharing anything like that. I mentioned the access was free.

Ah thanks for explaining that. It just makes it then difficult to fully move to passkeys with Bitwarden, which is why I’ve been waiting so long, and why I never stayed using Google or Apple’s passkeys.

It’s not a race and I would not even start to use passkeys until I know they can move with me across devices and OSs. Also, most sites that do offer passkeys, still offer highly insecure password resets which really undermines the security that passkeys should offer. I waited a long time for Bitwarden to start with passkeys, and they were going to be the answer to fully portable passkeys (I’ve been waiting so that I know my passkeys will work across all my devices and OSs). Now I’m waiting for mobile implementation before I can get going. I do hope they will also be offering exporting of passkeys, like you can currently export your passwords to other services.

I have the app and the browser extension. I usually open the extension and copy from there rather than use the app for things outside of the browser. It’s just quicker.

Have you used KeepassXC or BitWarden? Just curious.

Just like the Bitwarden app on Android, the Proton Pass one sits in the background to help with auto-fill on any browser form, irrespective of which browser it is.

Are sufficiently long passwords susceptible to brute force attacks?

Yes. Thought obviously the odds of success go down the longer and more complex that password.

Don’t passkeys get that feature by just being longer?

Put simply… no. Passkeys aren’t just ”longer passwords” sent to the same place. Unlike passwords, Passkeys aren’t a “shared secret” that you’re sending to the service you’re authenticating to. Passkeys use asymmetric encryption and are neither sent to nor stored on the server you’re authenticating to. Your passkey is a private key stored on your device and secured by biometrics, the paired public key for which lives on the server you created the passkey to authenticate to.

In a traditional brute force operation, you’re sending guesses to a server that knows your password. If you send the correct guess, you get in. It’s also possible to steal the password from the server and brute force that offline.

With a passkey on the other hand, the server uses your public key to encrypt a string in a challenge message, this string can only be decrypted by your passkey. You then send a response that’s encrypted by your private key, which can then only be decrypted by the public key on the server. So the thing you’re sending to the server to authenticate isn’t your passkey, and it’s unique every time you log in.

So could you perform some kind of operation that would technically still be a kind of brute force? Theoretically yeah. But even so you’d be limited to brute forcing against the server, which isn’t very effective even against passwords. However you would not at all be susceptible to offline brute forcing based on the capture of a passkey either in flight by breaking encryption, or by breaching the server, because your passkey never leaves your device.

Passkeys can’t be lost or stolen in the same way passwords can. They aren’t something you need to learn and are at risk of forgetting, and unlike passwords they never leave your device so they can’t be intercepted, or stolen in a server side data breach. In order for a passkey to be stolen, somebody would need to both steal your phone, and force you at gunpoint to unlock access to the passkey using biometrics.

So they’re much, much harder to lose or “steal”, and the only way they can be stolen, could similarly be used against you to steal your password.

deleted by creator

That’s a reasonable decision. While passkeys are usually considered much safer than passwords they are not really common. It is mostly the big services (Google, Microsoft, eBay) which have implemented them. Also Bitwarden only supports them on desktop as they are currently working on mobile support. But this will change and as they follow a standard it will be no problem to log into apps with passkeys as the support widens.

It is a similar experience, but you don’t need any infrastructure for it. Everything is handled by your device.

For an authentication flow to qualify as two factor authentication, a user must verify at least two factors - and each must be from the following list:

• something they know, like a password
• something they have, like a phone or security key
• something they are - fingerprints, facial recognition (like FaceID), iris scans, etc…

Passkeys require you to verify a password or authenticate with biometrics. That’s one factor. The second factor is having the passkey itself, as well as the device it’s on.

If you login to your password manager on your phone and use your fingerprint to auth, that’s two factors right there.

That’s because it’s not 2FA, strictly speaking. The second factor is whatever the device uses to verify you. So, essentially:

You go to a webpage, then go to sign up. Instead of inputting a password, you just input some ID, like a username or email. The device generates a cryptographic handshake with the webpage and your ID. You don’t (can’t, unless you can memorize a string of thousands of letters and numbers and be really good at math with prime numbers) have to remember it.

Now, when you go to login to that page again, the device just remembers and exchanges the keys with the webpage for you. That is NOT 2FA. But, you can configure your device to require another verification (most do). So, when you go to login, then the device asks you to use your fingerprint, or a remembered PIN. Or whatever that confirms that the one handling the device is indeed you before sharing encryption keys with the webpage. This is sorta 2FA, but not really because the webpage is delegating the second factor to the same device actually doing the login. Which might be compromised altogether, but that already happens with most 2FA implementations.

If you go to a second device, and wish to login, then your second device will fallback to other 2FA versions, like sending a OTP to the verified email or phone, or asking you to verify on the one device that is already logged in.

A passkey that’s generated on any given device is tied to that device, and is never sent to the server you’re authenticating to. What’s sent instead is a time based challenge/response that functions similarly to TOTP except that it’s not based on a shared secret like TOTP is. Since the Passkey is both a file, and is tied to the device you generated it on, it satisfied the something you have factor. Then in order to use a Passkey to authenticate, you need to unlock access to it using either biometrics (something you are) or a PIN (something you know).

Now storing your passkeys in a password manager does muddy the process of it a bit. The “something you have” part is no longer a device, but the key file itself, which is still arguably “something you have” but it is to a degree less secure than keeping it tied to a device. But you can think of storing passkeys in a password manager similarly to storing your TOTP in your password manager. It’s a tradeoff.

I know that with 1Password, even if I authenticate to my vault using my master password, when I go to use any particular passkey, it still requires biometrics.

Why shouldn’t these features require money?

It’s $10 per YEAR. This is an extremely reasonable price given the importance of the service.

Bitwarden employees need to eat too.

Hm. I guess I’ve never had the need for offline support so I didn’t notice. Though IMAP works so other clients could take care of that.

Why did you compare the lowest tier with Proton Unlimited?

• Proton Unlimited: $120/500GB/15 addresses. Add cost for SimpleLogin to manage masked addresses.
• Fastmail Standard: $50/30GB/600 addresses. Masked addresses built in at no extra cost.

I don’t know your storage requirements but for me, I never went over the 15GB free limit in Gmail after many years of use so I don’t see 30GB ever being a problem.

Edit: After more looking, SimpleLogin may be included with Unlimited? Still… Unlimited is expensive. This may have been what caused me to start looking elsewhere. I had been paying for Proton Mail Plus plan for a few years before I started looking at implementing masked email addresses and got frustrated with the price to use SimpleLogin features which weren’t included in Plus.