Amazon Quietly Rolls Out Support for Passkeys, With a Catch (techcrunch.com) 52
Amazon has quietly rolled out support for passkeys as it becomes the latest tech giant to join the passwordless future. But you still might have to hold onto your Amazon password for a little while longer. From a report: The option to set up a passkey is now available on the e-commerce giant's website, allowing users to log in using biometric authentication on their device, such as their fingerprint or face scan. Doing so makes it far more difficult for bad actors to remotely access users' accounts, given that the attacker also needs physical access to the user's device.
But Amazon's implementation of passkeys isn't without issues, as noted by Vincent Delitz, co-founder of German tech startup Corbado, who first documented the arrival of passkey support on Amazon. Delitz noted that there is currently no support for passkeys in Amazon's native apps, such as Amazon's shopping app or Prime Video, which TechCrunch has also checked, meaning you still have to use a password to sign in (for now). What's more, if you've set up a passkey but previously set up two-factor authentication (2FA), Amazon will still prompt you to enter a one-time verification code when logging in, a move Delitz said was "redundant," since passkeys remove the need for 2FA as they are stored on your device.
Hard pass (Score:5, Insightful)
using biometric authentication on their device, such as their fingerprint or face scan
No thanks.
Biometrics are a Bad Idea[tm]: when your credentials are compromised, you can't change them.
Re: (Score:1)
using biometric authentication on their device, such as their fingerprint or face scan
No thanks.
Biometrics are a Bad Idea[tm]: when your credentials are compromised, you can't change them.
Got 9 other fingers. I'm saving my middle finger for a fitting finale before my devices start wondering about that 'thumb' attached to my foot I'm using to authenticate.
Foot auth is wrong? Racist.
Re: Hard pass (Score:4, Informative)
Re: (Score:3)
I don't care.
I don't use biometrics on any of my devices (mostly all Apple at this time)....and as long as these sites
Re: (Score:3)
In addition, I don't want my ability to log into a site (totally) dependent on having my cell phone with me or working. I can see some benefits to having things tied to a device I'm almost certainly going to have full-time, secure access to but the devil is in the words "almost certainly". Things go wrong and those may be independent of my need to login somewhere. This is (one of the reasons) why I switched from Google Authenticator to Authy, which syncs with multiple devices and has a Windows/Linux cli
Re: (Score:3)
I had to look up passkeys. It seems that it is a key pair, and you hand out your public key. The identity check is then performed on your phone.
This still makes it a bad idea, even if you choose a biometric check and the biometrics do not leave your phone. Phones are the least secure devices around, and are easily stolen. This video (in German) [media.ccc.de] also shows how easy it is to fool the biometric systems
Re: Hard pass (Score:3)
Phone is one option but not the only one, hardware tokens like Yubikeys can also hold passkeys.
I wish articles like this would stop the focus on biometrics. It is one option to unlock the key storage but not the only one.
Re: (Score:3)
It isn't the articles in themselves, this is the way it's pushed deliberately by Google&co, they want to promote the FAMILIARITY of logging in with biometrics to your phone, because (they think, possibly correctly) people would be lost if you tell them public keys or compare with ssh keys and so on. But logging on with your fingerprint instead of your password is something anyone "understands" (even if it isn't actually just this).
Re: (Score:3)
The biometrics are optional, that's just the implementation in order to push adoption over passwords.
How many people have password123 or something similar. Passkeys are basically SSH keys, how you unlock them is up to you.
Re: (Score:2)
Sure, but a password is still "something you know" rather than something you have (like a security key or biometric) and the former is harder for others, including LEOs, to obtain. Even a dumb password is harder to utilize than a fingerprint or Yubikey ...
Bottom line, as long as sites continue to offer a variety of authentication methods, everyone should be fine.
Re: (Score:2)
Hence why my PassKey TOTP (phone) unlocks with all of something I know, something I have and something I am, which unlocks it for a period of time.
If you use PassKeys on an iDevice it can detect through various means that you are not unique or in an odd location or not physically near the device you are authenticating at, so it can lock itself pre-emptively (and this is all on the chip without use of the cloud or sending your data anywhere).
Re: (Score:2)
Re: (Score:2)
Biometrics are a Bad Idea[tm]: when your credentials are compromised, you can't change them.
Speak for yourself. I am on my 4th full-face transplant [mayoclinic.org].
Re: (Score:2)
How do I submit biometrics for my laptop? Corporate laptop? Company desktop?
I can think of one device I own which I can use passkeys on. Only one. Out of a dozen I use. Tablets, computers, etc.
Until they install an NFC reader in every keyboard, so I can swipe my phone over any keyboard to provide authentication, then it really isn't useful
Re: (Score:2)
The main way this is envisioned to be used is to have the passkey in the phone (additionally backed up with Google or Apple, possibly locked with your account/device password or something, but anyway a way to recover on a new phone) and then all other devices would ask for it over bluetooth. There is a fairly tight way to pair the browser with the mobile so you can't (even for users who would c
Re: (Score:1)
The idea with biometrics is that the sensor can tell the difference between your real fingerprint/face, and a copy.
While no sensor is completely impossible to fool, the chances of someone going to the effort needed to do it is low enough that it's better than an easily observed 4 digit PIN.
Re: (Score:2)
the chances of someone going to the effort needed to do it is low enough
Low enough is not good enough when you can't change the compromised creds.
Re: (Score:2)
It clearly is good enough though. Most people don't change their signature regularly, for example, and those are much easier to copy.
Re: (Score:3)
So your yardstick to assess whether biometrics are a good enough solution is that people are happy enough with something that's completely terrible, counterfeited for centuries, and which led countless thousands to suffer identity theft with consequences they couldn't shake off for years?
Biometrics may be 99.99% secure (they are not, but let's assume). When you fall into that 0.01%, it's gonna be even harder to prove someone stole your identity than it is now when someone imitates your signature - because ev
Maybe that's the reason for the "quietly?" (Score:2)
Passkeys don't remove the need for 2FA! (Score:3)
Re: Passkeys don't remove the need for 2FA! (Score:1)
That's an argument against biometrics as a factor, passkeys already are MFA though.
Re: (Score:2)
That's an argument against biometrics as a factor, passkeys already are MFA though.
No, they are not. Or at least they are not MFA on the server side.
You may protect your passkey with MFA (multi-factor-auth, like password and biometric), but that's just to unlock the passkey. It is then used as a single form of authentication to the server/service.
I don't blame anyone for misunderstanding. Every article cages passkeys in a slightly different and still inaccurate light, just as the slashdot quote did.
Re: Passkeys don't remove the need for 2FA! (Score:2)
It's interesting since the creators tend to think that's enough. The server is able to verify (and require) through user verification that a challenge was presented and answered correctly by the user. I assume that doesn't protect from the theoretical device that always returns yes, I do not know how they deal with the potential for nefarious authentication devices other than advising people not to use them. I am not a fan of the synced keys that are common with cell phones since
Re: (Score:1)
I kind of miss the days when someone hacking my Amazon account merely meant a 'bad' book might show up at my doorstep. Unreal how you can be abused from that domain these days. Instead of returning a book, you might be faced with returning the entire fucking car that used to deliver limited liability before.
Re: (Score:2)
Amazon is pretty good with customer service. If they send you an entire car and you were hacked, they might even tell you to keep the car since they don't have a delivery driver to bring it back.
I have tons of shit monthly from Amazon that poorly or wrongly delivers stuff (wrong item delivered, wrong number, cosmetically damaged in shipping), they always tell me to keep it, even expensive stuff like weapons, LEGO and bulk food items.
Re: (Score:2)
Amazon is pretty good with customer service...they always tell me to keep it, even expensive stuff like weapons...
Thank you for reaffirming my point about the liability being quite unlimited these days with certain domains and accounts.
Re: (Score:2)
What do you mean? You can go to Walmart and buy knives just as well. In that effect, there is no difference between a grocery store and Amazon. Why should Amazon be liable for anything it sells?
Re:Passkeys don't remove the need for 2FA! (Score:5, Insightful)
https://fidoalliance.org/passk... [fidoalliance.org]
Passkeys are kept on a user’s devices (something the user “has”) and — if the RP requests User Verification — can only be exercised by the user with a biometric or PIN (something the user “is” or “knows”). Thus, authentication with passkeys embodies the core principle of multi-factor security.
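The two preceding comments (the one explaining that the passkey is a single credential as far as the server is concerned, with any PIN or biometric only unlocking it locally, and the FIDO Alliance quote about User Verification) describe what the relying party actually checks. The following Go program is an added illustration, not code from Amazon, Corbado or the FIDO Alliance: it models a WebAuthn assertion in simplified form (real authenticators emit CBOR-encoded structures and the RP parses clientDataJSON properly). The authenticator signs `authenticatorData || SHA-256(clientData)`, and the RP verifies the signature with the stored public key, checks that the `rpIdHash` matches its own domain (which is what makes a passkey phishing resistant), checks the User Present / User Verified flags, checks that the challenge it issued is present (anti-replay), and checks that the signature counter increased (a cloned-credential signal). The relying party ID `example.com`, the challenge values and the `Sign`/`Verify`/`ClientData` helper names are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// Flag bits in the authenticatorData flags byte (WebAuthn Level 2, §6.1).
const (
	flagUP = 0x01 // user present: a touch / gesture happened on the device
	flagUV = 0x04 // user verified: PIN or biometric was checked on the device
)

// Credential is all the RP stores after registration: a public key and the
// last signature counter seen. The private key never leaves the authenticator.
type Credential struct {
	PublicKey ed25519.PublicKey
	Counter   uint32
}

// Assertion is what the authenticator hands back for one login challenge.
type Assertion struct {
	AuthData   []byte // rpIdHash(32) || flags(1) || counter(4, big-endian)
	ClientData []byte // JSON carrying challenge + origin; hashed, then signed
	Signature  []byte
}

// NewCredential is a hypothetical registration step: the device generates the
// key pair and the RP keeps only the public half.
func NewCredential() (ed25519.PrivateKey, *Credential) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv, &Credential{PublicKey: pub}
}

// ClientData builds a constructed clientDataJSON for a login ("webauthn.get").
func ClientData(challenge []byte, origin string) []byte {
	return []byte(fmt.Sprintf(`{"type":"webauthn.get","challenge":"%s","origin":"%s"}`,
		base64.RawURLEncoding.EncodeToString(challenge), origin))
}

// Sign is the (hypothetical) authenticator side. rpID is the domain the
// browser told the device it is talking to; verified says whether the device
// actually checked a PIN/biometric before using the key.
func Sign(priv ed25519.PrivateKey, rpID string, counter uint32, verified bool, clientData []byte) Assertion {
	rpHash := sha256.Sum256([]byte(rpID))
	flags := byte(flagUP)
	if verified {
		flags |= flagUV
	}
	auth := make([]byte, 0, 37)
	auth = append(auth, rpHash[:]...)
	auth = append(auth, flags)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	auth = append(auth, ctr[:]...)
	cdh := sha256.Sum256(clientData)
	msg := append(append([]byte{}, auth...), cdh[:]...)
	return Assertion{AuthData: auth, ClientData: clientData, Signature: ed25519.Sign(priv, msg)}
}

// Verify is the relying-party side: one credential, one signature check.
// Whatever unlocked the key on the device (password, face, finger) is only
// reported through the UV flag; the server never sees those factors.
func Verify(cred *Credential, rpID string, expectedChallenge []byte, requireUV bool, a Assertion) error {
	if len(a.AuthData) < 37 {
		return errors.New("authenticatorData too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: assertion was produced for a different site")
	}
	flags := a.AuthData[32]
	if flags&flagUP == 0 {
		return errors.New("user presence not asserted")
	}
	if requireUV && flags&flagUV == 0 {
		return errors.New("user verification required but the device did not perform it")
	}
	encoded := []byte(base64.RawURLEncoding.EncodeToString(expectedChallenge))
	if !bytes.Contains(a.ClientData, encoded) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	cdh := sha256.Sum256(a.ClientData)
	msg := append(append([]byte{}, a.AuthData...), cdh[:]...)
	if !ed25519.Verify(cred.PublicKey, msg, a.Signature) {
		return errors.New("signature does not verify against the registered public key")
	}
	ctr := binary.BigEndian.Uint32(a.AuthData[33:37])
	if ctr != 0 && ctr <= cred.Counter {
		return errors.New("signature counter did not increase: possible cloned credential or replay")
	}
	cred.Counter = ctr
	return nil
}

func main() {
	priv, cred := NewCredential()
	challenge := []byte("constructed-challenge-1")
	cd := ClientData(challenge, "https://example.com")
	fmt.Println("genuine login:", Verify(cred, "example.com", challenge, true, Sign(priv, "example.com", 1, true, cd)))
	fmt.Println("replayed     :", Verify(cred, "example.com", challenge, true, Sign(priv, "example.com", 1, true, cd)))
	fmt.Println("look-alike   :", Verify(cred, "example.com", challenge, true, Sign(priv, "examp1e.com", 2, true, cd)))
}
```

The `rpIdHash` check is the part that answers the "phishing resistant" comment later in the thread: the browser, not the user, supplies the domain to the device, so a signature made on a look-alike site never verifies at the real one. The UV flag is the part the "device that always returns yes" worry is about; a compromised authenticator can set it without checking anything, and the server has no way to tell beyond trusting the device.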
Re: (Score:2)
Re: (Score:2)
Sure, you can add more but the point stands that passkeys are themselves a 2FA. I think they strike the right balance of security vs. ease of use. Many more average people will use passkeys than a multifactor authentication app.
Re: (Score:2)
The more factors you can add, the better off you'll be, ...
Obviously hoping this doesn't devolve into a SNL "Triple-Trac Razor" kind of thing ... :-)
Re: (Score:2)
The idea is that passkeys are the alternative MFA.
MFA is more easily fooled. Most people have a phone which has pretty decent locking and security capabilities and an always-on TLS connection to some cloud, so as long as you keep your 'vault' there, and wipe the vault when you lose control over your phone, passkeys are immensely more secure. You should still maintain an (offline) backup of your private keys, but those should only be unlocked using very complex (or physical) means.
Re: Passkeys don't remove the need for 2FA! (Score:2)
They are also phishing resistant, unlike TOTP.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
You don't think tha
Re: (Score:2)
Not really, no. People tend to re-use passwords. So if Slashdot gets hacked there is a relatively high chance you can log in to a person's Facebook, banking, etc. relatively easily. With a bit of OSINT you can find out their phone provider, get a new SIM card and start receiving their traditional MFA.
Passkeys obviate that entire thing, you don't need a password manager, you don't need MFA, you don't need a lot of things, just a TOTP like a phone or YubiKey or any (secure) computer.
Re: (Score:2)
You memorized the password to each of the sites to which you authenticate? Color me very impressed.
Me, I use a 20ish character random string, separate for each site. No way in hell I could memorize them all.
Re: (Score:2)
You can do that, and make your system as convoluted as you want, the sites that authenticate you don't really care what you implement to unlock your PassKey. PassKey = TOTP.
Re: (Score:2)
Please pardon, I'm a bit acronym challenged today...what is "TOTP" please?
Re: (Score:2)
Please pardon, I'm a bit acronym challenged today...what is "TOTP" please?
That's a great question -- in a world where Google doesn't exist ...
Re: (Score:1)
Time (based) One Time Password. Something like the old RSA dongles, or Google Authenticator or 1Password, that generates a PIN that gets changed every minute.
Re: (Score:2)
Please pardon, I'm a bit acronym challenged today...what is "TOTP" please?
Time-Based One-Time password. It's essentially a secret which you hash with the current epoch timestamp mod 60 to get a one time password when logging in. Much like those old SecurID hardware tokens.
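For readers who asked what TOTP is, here is an added Go implementation of the actual algorithm as standardised (HOTP in RFC 4226, TOTP in RFC 6238); it is not code from any of the products named in the thread. The secret is not hashed with the raw timestamp: the time is divided into fixed steps (30 seconds by default), the step number is fed through HMAC-SHA1 as an 8-byte counter, and a 31-bit window of the MAC is truncated to the displayed digits. The `VerifyTOTP` helper and its `skew` parameter are this example's own names; they show the clock-drift tolerance a server needs, with a constant-time comparison. The secret `12345678901234567890` is the RFC test key, so the values can be checked against the RFC tables.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then the
// "dynamic truncation" step: the low nibble of the last byte picks an offset,
// four bytes from there form a 31-bit integer, and the code is that mod 10^digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code) // left-pad with zeros
}

// TOTP (RFC 6238): the counter is the number of whole time steps since the
// Unix epoch. step is normally 30 seconds; unix is seconds since the epoch.
func TOTP(secret []byte, unix int64, step int64, digits int) string {
	return HOTP(secret, uint64(unix/step), digits)
}

// VerifyTOTP accepts the code for the current step and for `skew` steps on
// either side, so a token whose clock drifted a little still works. The
// comparison is constant-time so a wrong digit cannot be detected by timing.
// (A production server must also remember the last accepted step so the same
// code cannot be replayed inside the window; that bookkeeping is omitted here.)
func VerifyTOTP(secret []byte, code string, unix int64, step int64, digits, skew int) bool {
	ok := false
	for i := -skew; i <= skew; i++ {
		want := TOTP(secret, unix+int64(i)*step, step, digits)
		if hmac.Equal([]byte(want), []byte(code)) {
			ok = true // keep looping: do not short-circuit on the timing side
		}
	}
	return ok
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 / 6238 test key
	fmt.Println("T=59        ->", TOTP(secret, 59, 30, 8))         // 94287082 per RFC 6238
	fmt.Println("T=1111111109->", TOTP(secret, 1111111109, 30, 8)) // 07081804 per RFC 6238
	fmt.Println("now         ->", TOTP(secret, time.Now().Unix(), 30, 6))
}
```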
I would be happy (Score:2)
If Amazon would let me use a U2F key instead of the current authenticator apps they allow.
Re: (Score:2)
But they do, that is the point, this is what passkeys are (well, it's FIDO2 which is kind of an extension of U2F).
Sharing? (Score:1)
Re: (Score:2)
Surprisingly they even thought of this, and it isn't even frowned upon:
Note that they could still use the other 2FAs y
Humans are apparently incapable of learning (Score:3)
None of this is any better than a simple password. In the end, you have Computer A getting a stream of bytes from Computer B, and needing to know if the stream is valid without knowing the path the byte stream took, without knowing WHERE Computer B is, WHO is operating Computer B, and most importantly: if Computer B is really Computer B at all...
Having a few bytes for a password, making a few demands on the number of bytes required and the variety can change security minimally at the margins, using a stream of bytes as an encryption key can improve the odds, sending a few bytes that pretend to be a fingerprint scan might fool people into thinking these bytes are better, or sending bytes that effectively translate to "Computer B certifies that it did a fingerprint scan of the user" is an even sillier concept... we're still back to the problem of a bytestream of unverified origin and validity in a world where scammers, fraudsters, and high tech criminals are creative and hyperactive.
The only thing I currently see in common use that breaks out of this mold a bit is 2FA. At least here, Computer A uses an alternate data path [critically, of ITS choosing, rather than one selected by Computer B] to try to verify the USER of Computer B. This basic security-of-digital-transactions problem will exist for as long as people put convenience ahead of security and resist ACTUAL security for the things that are vital to them, and these conversations will continue for as long as other people see a way to make money with various schemes to make the former people feel secure while doing the fundamentally insecure.
Passkeys and 2FA (Score:1)
> since passkeys remove the need for 2FA as they are stored on your device
Technically passkeys are 2FA, because you need the device and you need your body. The server doesn't see both things, but if you steal the device without also kidnapping or compromising the user (such as by cutting off or taking a cast of their fingertip) you still can't log in, you need both factors.
Of course if the user's biometrics are compromised they have little recourse to change them, but that's a general problem of biometric
Re: (Score:2)