Amazon Quietly Rolls Out Support for Passkeys, With a Catch (techcrunch.com) 52

Amazon has quietly rolled out support for passkeys as it becomes the latest tech giant to join the passwordless future. But you still might have to hold onto your Amazon password for a little while longer. From a report: The option to set up a passkey is now available on the e-commerce giant's website, allowing users to log in using biometric authentication on their device, such as their fingerprint or face scan. Doing so makes it far more difficult for bad actors to remotely access users' accounts, given that the attacker also needs physical access to the user's device.

But Amazon's implementation of passkeys isn't without issues, as noted by Vincent Delitz, co-founder of German tech startup Corbado, who first documented the arrival of passkey support on Amazon. Delitz noted that there is currently no support for passkeys in Amazon's native apps, such as Amazon's shopping app or Prime Video, which TechCrunch has also checked, meaning you still have to use a password to sign in (for now). What's more, if you've set up a passkey but previously set up two-factor authentication (2FA), Amazon will still prompt you to enter a one-time verification code when logging in, a move Delitz said was "redundant," since passkeys remove the need for 2FA as they are stored on your device.

  • Hard pass (Score:5, Insightful)

    by Rosco P. Coltrane ( 209368 ) on Tuesday October 17, 2023 @12:53PM (#63931871)

    using biometric authentication on their device, such as their fingerprint or face scan

    No thanks.

    Biometrics are a Bad Idea[tm]: when your credentials are compromised, you can't change them.

    • by Anonymous Coward

      using biometric authentication on their device, such as their fingerprint or face scan

      No thanks.

      Biometrics are a Bad Idea[tm]: when your credentials are compromised, you can't change them.

      Got 9 other fingers. I'm saving my middle finger for a fitting finale before my devices start wondering about that 'thumb' attached to my foot I'm using to authenticate.

      Foot auth is wrong? Racist.

    • Re: Hard pass (Score:4, Informative)

      by Thanatos81 ( 1305243 ) on Tuesday October 17, 2023 @01:17PM (#63931953)
      But the services do not store your biometrics, only a public key while the private key remains on your device. So, if your device gets stolen you remove that passkey from your account. Similar to what you would do if you lose a FIDO stick like a YubiKey or SoloKey. Biometrics are only used to access the locally stored private key and you can also use a PIN or password for accessing this.
      • But the services do not store your biometrics, only a public key while the private key remains on your device. So, if your device gets stolen you remove that passkey from your account. Similar to what you would do if you lose a FIDO stick like a YubiKey or SoloKey. Biometrics are only used to access the locally stored private key and you can also use a PIN or password for accessing this.

        I don't care.

        I don't use biometrics on any of my devices (mostly all Apple at this time)....and as long as these sites

        • In addition, I don't want my ability to log into a site (totally) dependent on having my cell phone with me or working. I can see some benefits to having things tied to a device I'm almost certainly going to have full-time, secure access to but the devil is in the words "almost certainly". Things go wrong and those may be independent of my need to login somewhere. This is (one of the reasons) why I switched from Google Authenticator to Authy, which syncs with multiple devices and has a Windows/Linux cli

    • I had to look up passkeys. It seems that it is a key pair, and you hand out your public key. The identity check is then performed on your phone.

      This still makes it a bad idea, even if you choose a biometric check and the biometrics do not leave your phone. Phones are the least secure devices around, and are easily stolen. This video (in German) [media.ccc.de] also shows how easy it is to fool the biometric systems

      • Phone is one option but not the only one, hardware tokens like Yubikeys can also hold passkeys.

        I wish articles like this would stop the focus on biometrics. It is one option to unlock the key storage but not the only one.

        • I wish articles like this would stop the focus on biometrics.

          It isn't the articles in themselves, this is the way it's pushed deliberately by Google&co, they want to promote the FAMILIARITY of logging in with biometrics to your phone, because (they think, possibly correctly) people would be lost if you tell them public keys or compare with ssh keys and so on. But logging on with your fingerprint instead of your password is something anyone "understands" (even if it isn't actually just this).

      • by guruevi ( 827432 )

        The biometrics are optional, that's just the implementation in order to push adoption over passwords.

        How many people have password123 or something similar. Passkeys are basically SSH keys, how you unlock them is up to you.

        • Sure, but a password is still "something you know" rather than something you have (like a security key or biometric) and the former is harder for others, including LEOs, to obtain. Even a dumb password is harder to utilize than a fingerprint or Yubikey ...

          Bottom line, as long as sites continue to offer a variety of authentication methods, everyone should be fine.

          • by guruevi ( 827432 )

            Hence why my PassKey TOTP (phone) unlocks with all of something I know, something I have and something I am, which unlocks it for a period of time.

            If you use PassKeys on an iDevice it can detect through various means that you are not unique or in an odd location or not physically near the device you are authenticating at, so it can lock itself pre-emptively (and this is all on the chip without use of the cloud or sending your data anywhere).

    • Just wait 'till surgeons start offering biometric reconstructive surgery; a whole new biometric you after you've been compromised. I can see a whole new industry growing to deal with the fallout of people having their biometrics stolen/copied. Oh, the joys of laissez-faire capitalism; everyone's misery is their profit!
    • by sinij ( 911942 )

      Biometrics are a Bad Idea[tm]: when your credentials are compromised, you can't change them.

      Speak for yourself. I am on my 4th full-face transplant [mayoclinic.org].

    • How do I submit biometrics for my laptop? Corporate laptop? Company desktop?

      I can think of one device I own which I can use passkeys on. Only one. Out of a dozen I use. Tablets, computers, etc.

      Until they install an NFC reader in every keyboard, so I can swipe my phone over any keyboard to provide authentication, then it really isn't useful

      • I can think of one device I own which I can use passkeys on. Only one. Out of a dozen I use. Tablets, computers, etc.

        The main way this is envisioned to be used is to have the passkey in the phone (additionally backed up with Google or Apple, possibly locked with your account/device password or something, but anyway a way to recover on a new phone) and then all other devices would ask for it over bluetooth. There is a fairly tight way to pair the browser with the mobile so you can't (even for users who would c

    • by AmiMoJo ( 196126 )

      The idea with biometrics is that the sensor can tell the difference between your real fingerprint/face, and a copy.

      While no sensor is completely impossible to fool, the chances of someone going to the effort needed to do it are low enough that it's better than an easily observed 4 digit PIN.

      • the chances of someone going to the effort needed to do it are low enough

        Low enough is not good enough when you can't change the compromised creds.

        • by AmiMoJo ( 196126 )

          It clearly is good enough though. Most people don't change their signature regularly, for example, and those are much easier to copy.

          • So your yardstick to assess whether biometrics are a good enough solution is that people are happy enough with something that's completely terrible, counterfeited for centuries, and which led countless thousands to suffer identity theft with consequences they couldn't shake out for years?

            Biometrics may be 99.99% secure (they are not, but let's assume). When you fall into that 0.01%, it's gonna be even harder to prove someone stole your identity than it is now when someone imitates your signature - because ev

  • Seems like they understand there's a gap still.
  • by Murdoch5 ( 1563847 ) on Tuesday October 17, 2023 @01:31PM (#63931991) Homepage
    I'm assuming he misspoke, or the comment he made wasn't captured correctly, but passkeys do not remove the need for MFA. Even if you use your face, fingerprint, or beard style, you should still use a TOTP based application, or some other alternative security form. SFA, with passkeys, might be slightly better than passwords, but that slight advantage is in no way a replacement for proper MFA.
    • That's an argument against biometrics as a factor, passkeys already are MFA though.

      • by unrtst ( 777550 )

        That's an argument against biometrics as a factor, passkeys already are MFA though.

        No, they are not. Or at least they are not MFA on the server side.

        You may protect your passkey with MFA (multi-factor-auth, like password and biometric), but that's just to unlock the passkey. It is then used as a single form of authentication to the server/service.

        I don't blame anyone for misunderstanding. Every article cages passkeys in a slightly different and still inaccurate light, just as the slashdot quote did.

        • It's interesting since the creators tend to think that's enough. The server is able to verify (and require) through user verification that a challenge was presented and answered correctly by the user. I assume that doesn't protect from the theoretical device that always returns yes, I do not know how they deal with the potential for nefarious authentication devices other than advising people not to use them. I am not a fan of the synced keys that are common with cell phones since
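The comments above describe the model in words: the site keeps only a public key, the device keeps the private key and unlocks it locally, and the server can require the user-verification (UV) flag. As an added illustration, here is a deliberately simplified WebAuthn-style registration and assertion check in Go. It is not code from Amazon, Corbado, the FIDO Alliance or any commenter; the rpID "shop.example", the credential id "cred-1", the fixed challenge string and the shortened authenticator-data layout (no signature counter, no CBOR or JSON encoding) are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// WebAuthn authenticator-data flag bits: bit 0 = user present (UP), bit 2 = user verified (UV).
const (
	flagUP byte = 1 << 0
	flagUV byte = 1 << 2
)

// Authenticator models the user's device: the private key is generated here and never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv}
}

// Assertion is everything the site receives: public data plus a signature, never the biometric.
type Assertion struct {
	CredID     string
	AuthData   []byte // sha256(rpID) || flags (the real format also carries a signature counter)
	ClientData []byte // simplified clientDataJSON: origin plus the server's challenge
	Sig        []byte // ES256: ECDSA P-256 over sha256(AuthData || sha256(ClientData))
}

func signedMessage(authData, clientData []byte) []byte {
	cdh := sha256.Sum256(clientData)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return msg[:]
}

// Assert runs after the device unlocked the key locally (biometric or PIN); the site sees that only as the UV bit.
func (a *Authenticator) Assert(credID, rpID string, challenge []byte, userVerified bool) *Assertion {
	rpHash := sha256.Sum256([]byte(rpID))
	flags := flagUP
	if userVerified {
		flags |= flagUV
	}
	authData := append(rpHash[:], flags)
	clientData := append([]byte("origin=https://"+rpID+";challenge="), challenge...)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, clientData))
	if err != nil {
		panic(err)
	}
	return &Assertion{credID, authData, clientData, sig}
}

// RelyingParty models the site: one public key per credential is all it stores, so revoking a
// lost device is just deleting that entry.
type RelyingParty struct {
	rpID    string
	pubKeys map[string]*ecdsa.PublicKey
}

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{rpID, map[string]*ecdsa.PublicKey{}}
}
func (rp *RelyingParty) Register(credID string, pub *ecdsa.PublicKey) { rp.pubKeys[credID] = pub }
func (rp *RelyingParty) Revoke(credID string)                        { delete(rp.pubKeys, credID) }

// Verify is the server-side check; requireUV is the site asking for user verification.
func (rp *RelyingParty) Verify(as *Assertion, challenge []byte, requireUV bool) error {
	pub, ok := rp.pubKeys[as.CredID]
	if !ok {
		return errors.New("unknown or revoked credential")
	}
	if want := sha256.Sum256([]byte(rp.rpID)); len(as.AuthData) != 33 || !bytes.Equal(as.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: assertion was made for another site")
	}
	if flags := as.AuthData[32]; flags&flagUP == 0 || (requireUV && flags&flagUV == 0) {
		return errors.New("required user presence/verification flag not set")
	}
	if !bytes.HasSuffix(as.ClientData, challenge) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientData), as.Sig) {
		return errors.New("invalid signature")
	}
	return nil
}

func main() {
	dev, site := NewAuthenticator(), NewRelyingParty("shop.example")
	site.Register("cred-1", &dev.priv.PublicKey)
	ch := []byte("fresh-random-nonce-from-the-site") // a real RP draws this from crypto/rand per login
	fmt.Println("login:", site.Verify(dev.Assert("cred-1", site.rpID, ch, true), ch, true))
	site.Revoke("cred-1") // device reported lost: nothing else on the site needs changing
	fmt.Println("after revoke:", site.Verify(dev.Assert("cred-1", site.rpID, ch, true), ch, true))
}
```

Three checks carry the points made in the thread: the rpIdHash comparison binds the assertion to the site it was created for, so an assertion produced for a look-alike domain fails at the server; the UV bit is the only view the server ever gets of the local biometric or PIN unlock, and a site that wants it has to ask for it; and Revoke shows that losing the device costs one public-key entry, because nothing biometric was ever stored. A production relying party additionally verifies the signature counter, parses the real CBOR and JSON structures, and generates the challenge from crypto/rand for every login attempt.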

    • I kind of miss the days when someone hacking my Amazon account merely meant a 'bad' book might show up at my doorstep. Unreal how you can be abused from that domain these days. Instead of returning a book, you might be faced with returning the entire fucking car that used to deliver limited liability before.

      • by guruevi ( 827432 )

        Amazon is pretty good with customer service. If they send you an entire car and you were hacked, they might even tell you to keep the car since they don't have a delivery driver to bring it back.

        I have tons of shit monthly from Amazon that poorly or wrongly delivers stuff (wrong item delivered, wrong number, cosmetically damaged in shipping), they always tell me to keep it, even expensive stuff like weapons, LEGO and bulk food items.

        • Amazon is pretty good with customer service...they always tell me to keep it, even expensive stuff like weapons...

          Thank you for reaffirming my point about the liability being quite unlimited these days with certain domains and accounts.

          • by guruevi ( 827432 )

            What do you mean? You can go to Walmart and buy knives just as well. In that effect, there is no difference between a grocery store and Amazon. Why should Amazon be liable for anything it sells?

    • by DCstewieG ( 824956 ) on Tuesday October 17, 2023 @01:46PM (#63932035)

      https://fidoalliance.org/passk... [fidoalliance.org]

      Passkeys are kept on a user’s devices (something the user “has”) and — if the RP requests User Verification — can only be exercised by the user with a biometric or PIN (something the user “is” or ”knows”). Thus, authentication with passkeys embodies the core principle of multi-factor security.

      • That's only regarding Passwords + TOTP (Or another factor), Passkeys + TOTP is always going to be better than Passkeys alone. The more factors you can add, the better off you'll be, that is why using an SSH key + TOTP is considered better than an SSH key alone. In fact, most security people would tell you to protect the SSH key with a Passcode, and using a Password and TOTP on top of that, giving you SSH Key (Passphrase protected) + Password + TOTP.
        • Sure, you can add more but the point stands that passkeys are themselves a 2FA. I think they strike the right balance of security vs. ease of use. Many more average people will use passkeys than a multifactor authentication app.

        • The more factors you can add, the better off you'll be, ...

          Obviously hoping this doesn't devolve into a SNL "Triple-Trac Razor" kind of thing ... :-)

    • by guruevi ( 827432 )

      The idea is that passkeys are the alternative MFA.

      MFA is more easily fooled. Most people have a phone which has pretty decent locking and security capabilities and an always-on TLS connection to some cloud, so as long as you keep your 'vault' there, and wipe the vault when you lose control over your phone, passkeys are immensely more secure. You should still maintain an (offline) backup of your private keys, but those should only be unlocked using very complex (or physical) means.

      • They are also phishing resistant, unlike TOTP.

      • Okay, so assume your passkey is your phone, and it will handle your biometrics sign in + always on TLS connection. If you then pair that with a Yubi Key, and require X hour based TOTP to validate against a second factor, how is that not better / more secure? That way even if someone got my phone, and fooled it, they would still need my Yubi key, which I don't keep with my phone. Add on top of that some kind of RSA key, and now you're cooking with jet fuel, because I can passphrase the RSA key, so my SSH
        • Okay, so assume your passkey is your phone, and it will handle your biometrics sign in + always on TLS connection. If you then pair that with a Yubi Key, and require X hour based TOTP to validate against a second factor, how is that not better / more secure? That way even if someone got my phone, and fooled it, they would still need my Yubi key, which I don't keep with my phone. Add on top of that some kind of RSA key, and now you're cooking with jet fuel, because I can passphrase the RSA key, so my SSH / P

          • Right, but the idea is to have MFA no matter what with a separation. The only password I memorize is the one to get into my password manager, because everything else is inside of that. My average password is some randomized collection of 64 characters that get randomized when I sign up for a service, and get changed every X months. I actually don't know what my Slashdot password is, because there's no need to remember it. The only thing I do know, it's not shared with any other service.
            • Right, but the idea is to have MFA no matter what with a separation. The only password I memorize is the one to get into my password manager, because everything else is inside of that. My average password is some randomized collection of 64 characters that get randomized when I sign up for a service, and get changed every X months. I actually don't know what my Slashdot password is, because there's no need to remember it. The only thing I do know, it's not shared with any other service.

              You don't think tha

              • by guruevi ( 827432 )

                Not really, no. People tend to re-use passwords. So if Slashdot gets hacked there is a relatively high chance you can log in to a person's Facebook, banking etc. relatively easily. With a bit of OSINT you can find out their phone provider, get a new SIM card and start receiving their traditional MFA.

                Passkeys obviate that entire thing, you don't need a password manager, you don't need MFA, you don't need a lot of things, just a TOTP like a phone or YubiKey or any (secure) computer.

          • by rthille ( 8526 )

            You memorized the password to each of the sites to which you authenticate? Color me very impressed.

            Me, I use a 20ish character random string, separate for each site. No way in hell I could memorize them all.

        • by guruevi ( 827432 )

          You can do that, and make your system as convoluted as you want, the sites that authenticate you don't really care what you implement to unlock your PassKey. PassKey = TOTP.

    • you should still use a TOTP based application

      Please pardon, I'm a bit acronym challenged today...what is "TOTP" please?

      • you should still use a TOTP based application

        Please pardon, I'm a bit acronym challenged today...what is "TOTP" please?

        That's a great question -- in a world where Google doesn't exist ...

      • by Resuna ( 6191186 )

        Time (based) One Time Password. Something like the old RSA dongles or Google Authenticator or 1Password that generates a PIN that gets changed every minute.

      • by flink ( 18449 )

        you should still use a TOTP based application

        Please pardon, I'm a bit acronym challenged today...what is "TOTP" please?

        Time-Based One-Time Password. It's essentially a secret which you hash with the current epoch timestamp mod 60 to get a one time password when logging in. Much like those old SecurID hardware tokens.
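The two answers above describe TOTP in a sentence each; as an added example (not from any commenter or from the article), here is the RFC 4226/6238 computation in Go under the usual defaults of HMAC-SHA1, a 30-second step and six digits, with a verifier that tolerates one step of clock skew. The secret "12345678901234567890" is the ASCII reference secret from the RFC test vectors and is used here only so the output can be checked against them; a real enrolment uses a random secret shared between the app and the server.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated to digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // low nibble of the last byte picks the 4-byte window
	code := (uint32(sum[offset])&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238): HOTP with the counter set to the number of step-second intervals since the epoch.
func TOTP(secret []byte, unixTime int64, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// VerifyTOTP accepts the code for the current step and up to skew steps either side, to absorb
// clock drift, and compares in constant time so response timing leaks nothing about the digits.
func VerifyTOTP(secret []byte, code string, unixTime int64, step int64, digits int, skew int64) bool {
	counter := unixTime / step
	ok := false
	for d := -skew; d <= skew; d++ {
		if counter+d < 0 {
			continue
		}
		want := HOTP(secret, uint64(counter+d), digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			ok = true // keep looping so timing does not reveal which step matched
		}
	}
	return ok
}

func main() {
	// Constructed input: the RFC 6238 reference secret; the timestamps are from the RFC's test table.
	secret := []byte("12345678901234567890")
	for _, ts := range []int64{59, 1111111109, 1234567890} {
		fmt.Printf("t=%d code=%s\n", ts, TOTP(secret, ts, 30, 6))
	}
	fmt.Println("one step late, skew 1:", VerifyTOTP(secret, TOTP(secret, 59, 30, 6), 89, 30, 6, 1))
	fmt.Println("two steps late, skew 1:", VerifyTOTP(secret, TOTP(secret, 59, 30, 6), 119, 30, 6, 1))
}
```

Note what the verifier does not check: nothing in it binds the code to the site that displayed the login form, so a code typed into a relayed copy of the page is exactly as valid as one typed into the real one. That is the phishing-resistance gap the thread contrasts with passkeys, whose assertion is bound to the rpID. On the server side, the bounded skew window and the constant-time comparison are the two details most often got wrong.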

  • If Amazon would let me use a U2F key instead of the current authenticator apps they allow.

    • But they do, that is the point, this is what passkeys are (well, it's FIDO2 which is kind of an extension of U2F).

  • How do you share your passkey with your Mom? Asking for a friend.
    • Surprisingly they even thought of this, and it isn't even frowned upon:

      If people you share this account with want to sign in with a passkey, they need to set up their own passkey on this page.

      If they don't want to set up their own passkey, they can choose to sign in with a passkey from another device. As long as your phone is near their devices, the two devices will be connected via Bluetooth and you will be prompted to approve the sign-in on your phone.

      Note that they could still use the other 2FAs y

  • by tiqui ( 1024021 ) on Tuesday October 17, 2023 @06:27PM (#63932665)

    None of this is any better than a simple password. In the end, you have Computer A getting a stream of bytes from Computer B, and needing to know if the stream is valid without knowing the path the byte stream took, without knowing WHERE Computer B is, WHO is operating Computer B, and most importantly: if Computer B is really Computer B at all...

    Having a few bytes for a password, making a few demands on the number of bytes required and the variety can change security minimally at the margins, using a stream of bytes as an encryption key can improve the odds, sending a few bytes that pretend to be a fingerprint scan might fool people into thinking these bytes are better, or sending bytes that effectively translate to "Computer B certifies that it did a fingerprint scan of the user" is an even sillier concept... we're still back to the problem of a bytestream of unverified origin and validity in a world where scammers, fraudsters, and high tech criminals are creative and hyperactive.

    The only thing I currently see in common use that breaks out of this mold a bit is 2FA. At least here, Computer A uses an alternate data path [critically, of ITS choosing, rather than one selected by Computer B] to try to verify the USER of Computer B. This basic security-of-digital-transactions problem will exist for as long as people put convenience ahead of security and resist ACTUAL security for the things that are vital to them, and these conversations will continue for as long as other people see a way to make money with various schemes to make the former people feel secure while doing the fundamentally insecure.

  • > since passkeys remove the need for 2FA as they are stored on your device

    Technically passkeys are 2FA, because you need the device and you need your body. The server doesn't see both things, but if you steal the device without also kidnapping or compromising the user (such as by cutting off or taking a cast of their fingertip) you still can't log in, you need both factors.

    Of course if the user's biometrics are compromised they have little recourse to change them, but that's a general problem of biometric

    • Taking a cast of a fingertip does not require doing anything to the finger. You leave your fingerprints like postit notes everywhere. That is another dumb aspect convenience ignores and just continues bluffing the security.
