Pages:
Author

Topic: Thoughts on Passkey wallets? (Read 318 times)

sr. member
Activity: 700
Merit: 470
Hope Jeremiah 17vs7
September 11, 2024, 03:42:15 AM
#21
I did a research recently about passkeys and saw the potential edge it has against password authentication, wanted to speak about it but decided to used the Ninjastic space first, then discovered there have been quite a lot of discussion about this, been too busy to notice it earlier, but here is my take on this:

While some may speak of the third party like iCloud or Google drive when it comes to privacy, this is just an alternative if you want to get seamless connection across devices, passkey are generated locally on users device and also the biometric/pin doesn`t leaves that device base on FIDO alliance here: https://fidoalliance.org/how-fido-works/.
Nothing actually leaves except the public key of your device, since they're done locally. I think there will be a better improvement of seamless connection and recovery with time.


I have also noticed that some exchanges such as OKX and Binance are using this instead of requesting a combination of both 2FA code and email.
There are more exchanges and platforms using it, here is a list of them https://www.passkeys.io/who-supports-passkeys
‍Note: This list only shows websites and apps that have implemented passkeys as a full password alternative. That means that the passkey option has to be visible on the main login screen. Services that require the user to enter a username before being prompted for a passkey or that are using WebAuthn as a 2FA method are not listed.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
June 26, 2024, 10:41:20 AM
#20
Are you sure passkeys are really stored in the cloud? That is to say, if you lose your device and you haven't registered another passkey from another device for the service you want to access, there is still a way to access it ? You will be able to get back your passkey wallet on another device?

AFAIK, passkeys are stored in the cloud after the encryption there is no way that someone can decrypt it even if they have accessed the file by hacking the server or your cloud account still you need the biometrics such as PIN, password to decrypt once you logged into the new device. And that is the whole point of this being convenience which is less secure than the traditional way of strong seeds but you know people always prioritize convenience over security. Roll Eyes

There will always have to be a reasonable compromise between convenience & security & privacy.

Cash is not secure, if you drop it and it blows away it's gone. If someone steals it it's gone. BUT you have good privacy and it's convenient.
Credit cards are secure. If you loose it or someone steals it no big deal no loss for you. But there is no privacy and they are convenient.

It's all about what works for you in the balance of these things.

-Dave
legendary
Activity: 2212
Merit: 7064
June 26, 2024, 08:57:48 AM
#19
I don't like the idea of connecting my biometric information with bitcoin wallets and I dislike it even more when I see the list of junk wallets supporting Passkey like trust wallet and some centralized exchange wallets.
Putting anything on cloud aka other people computer drive, is another red flag for me, as well as not having seed words backup at all.
This is a pass for me.
hero member
Activity: 2366
Merit: 793
Bitcoin = Financial freedom
June 16, 2024, 03:50:57 AM
#18
Are you sure passkeys are really stored in the cloud? That is to say, if you lose your device and you haven't registered another passkey from another device for the service you want to access, there is still a way to access it ? You will be able to get back your passkey wallet on another device?

AFAIK, passkeys are stored in the cloud after the encryption there is no way that someone can decrypt it even if they have accessed the file by hacking the server or your cloud account still you need the biometrics such as PIN, password to decrypt once you logged into the new device. And that is the whole point of this being convenience which is less secure than the traditional way of strong seeds but you know people always prioritize convenience over security. Roll Eyes
legendary
Activity: 2604
Merit: 2353
June 15, 2024, 04:36:11 PM
#17
Are you sure passkeys are really stored in the cloud? That is to say, if you lose your device and you haven't registered another passkey from another device for the service you want to access, there is still a way to access it ? You will be able to get back your passkey wallet on another device? You must be 100% sure about that and sure that the service/wallet using this technology is able to do it without any issue especially. Because if they don't, it would be too late to discover it once you've lost your device/passkey for some reasons. So it's better to test it with an account/wallet without funds IMO
mk4
legendary
Activity: 2870
Merit: 3873
📟 t3rminal.xyz
June 14, 2024, 11:48:09 PM
#16
Very good wallet setup for a hot wallet, in my opinion, so there's one less annoying handwritten physical wallet backup that I need to worry about.

For my general long-term holdings though? No way I would trust this setup unless I use it as a part of a multi-sig setup(still with a hardware wallet).
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
June 12, 2024, 10:51:03 AM
#15
As with anything it depends on it's use.
For a hot wallet with minimal funds or as I like to say, never keep more crypto on your phone then your phone is worth. Then yes I think they are fine.
For a 'warm' wallet or cold wallet, then probably not. As the 2nd 1/2 of a multisig I might use it to make some things easier but for the most part too insecure for me.

-Dave
legendary
Activity: 994
Merit: 1089
June 12, 2024, 07:25:41 AM
#14
Yeah, it's an attack vector, but probably a trade-off of a different security-model that's good enough to be accepted for small amounts of Bitcoin/cryptocurrencies.
With the features mentioned in the op, i wouldn't use a passkey wallet, even if it is to store a small amount of money. I'd rather use a recommended online wallet, and store a small amount of my BTC in it, that's a safer choice in my opinion, even for a hot wallet.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
June 10, 2024, 05:16:15 AM
#13
probably a trade-off of a different security-model that's good enough to be accepted for small amounts of Bitcoin/cryptocurrencies.
In that case, I prefer a hot wallet on my phone.
legendary
Activity: 2898
Merit: 1823
June 10, 2024, 04:39:27 AM
#12
- You basically can create or restore your wallet using your PIN ~
- Passkeys are stored in your iCloud or Google drive


This sounds like a great way for attackers to gain access to your wallets, including inside jobs at the cloud provider.


Yeah, it's an attack vector, but probably a trade-off of a different security-model that's good enough to be accepted for small amounts of Bitcoin/cryptocurrencies. Perhaps a good rule of thumb to have in crypto is, if the UX is made to be more convenient to the user, then expect a higher number of attack vectors?

¯\_(ツ)_/¯
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
June 10, 2024, 04:14:56 AM
#11
To be clear, the PIN is not intended to be the main authentication option for unlocking something protected by a passkey, but it is usually only used after you already log in with a username or password, mainly for inactivity purposes.

It's like, imagine your phone has a password (not PIN) you had to type to "log in" to the phone. Now imagine a logout button, and a PIN, but you only type it when you are logged in, and only after the phone becomes inactive and locks.
The big difference is of course physical access: my phone is right beside me, nobody can access it. Online wallets need a lot more security than physical devices.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
June 10, 2024, 04:01:37 AM
#10
- You basically can create or restore your wallet using your PIN ~
- Passkeys are stored in your iCloud or Google drive
This sounds like a great way for attackers to gain access to your wallets, including inside jobs at the cloud provider.

To be clear, the PIN is not intended to be the main authentication option for unlocking something protected by a passkey, but it is usually only used after you already log in with a username or password, mainly for inactivity purposes.

It's like, imagine your phone has a password (not PIN) you had to type to "log in" to the phone. Now imagine a logout button, and a PIN, but you only type it when you are logged in, and only after the phone becomes inactive and locks.

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
June 10, 2024, 02:58:52 AM
#9
- You basically can create or restore your wallet using your PIN ~
- Passkeys are stored in your iCloud or Google drive
This sounds like a great way for attackers to gain access to your wallets, including inside jobs at the cloud provider.
legendary
Activity: 2898
Merit: 1823
June 09, 2024, 10:48:19 AM
#8

I'd like to hear your thoughts on this?


It's convenient especially if you are active/making multiple transactions a day from a particular wallet. But perhaps the storage using ICloud or any online service should be discouraged, no? I'm not actually sure how it works, but I don't feel safe storing any "key" in any cloud service. Store it locally in another device, and merely use small amounts of cryptocurrencies if you store them in that walle for a long time.
legendary
Activity: 994
Merit: 1089
June 09, 2024, 05:13:14 AM
#7
It is not recommended, and i don't think good wallets should make such a feature available, just as people should also be dissuaded from ever storing sensitive data related to their wallets in the cloud or anywhere online. Most people tend to go for the more convenient option, and passkeys would be convenient, but it is not secure. You should only be able to restore your wallet with your seed phrase, and your wallet file should be encrypted with your strong password.
sr. member
Activity: 1680
Merit: 379
Top Crypto Casino
June 09, 2024, 01:29:05 AM
#6
I am worried that with passkey wallets, I will end up losing or breaking the device where the passkey is stored. You could have it backed up in the cloud, but then you are relying on a third party. If someone has their iPhone stolen and the thief resets their iCloud password, they could end up without any way to restore their wallet. There are too many scenarios that I am imagining where I could possibly lose access to my funds, based on my understanding of passkeys.

If it is proven to be a secure method for backing up a wallet then I might give it a try, but for the time being I will keep using traditional seedphrases.
legendary
Activity: 3472
Merit: 3217
Playbet.io - Crypto Casino and Sportsbook
June 08, 2024, 02:52:28 PM
#5
The passkey can be confusing if some people are thinking that it is hardware but it is not. The passkey will let you have access to the wallet or the exchange using your face ID or the fingerprint that you set on your device which is totally a bad idea.

Passkeys are any biometrics, SMS, or email but there is an option to use a USB security key with FIDO2 protocol as your passkey or authenticator it is a hardware device like on OKX it is just optional if you have this USB security key you can use it as your hardware key. It's still not a good option if someone poses about this USB device because it is a direct authenticator once you log in to OKX but can be also used as a backup once you can't log in to your account with your password. That is why you need to securely hide this device in a protected place and no one should know that you have a USB security key.

Read about the Passkey on OKX USB security key is a hardware(as optional passkey)
- https://www.okx.com/help/how-do-i-create-passkeys-app
legendary
Activity: 1512
Merit: 4795
Leading Crypto Sports Betting & Casino Platform
June 08, 2024, 01:36:27 PM
#4
I don't feel safe having a passkey it might be worth it if you have a hardware device like Fido but still not good for the long term because we do not know how long this device will work lasts.
The passkey can be confusing if some people are thinking that it is hardware but it is not. The passkey will let you have access to the wallet or the exchange using your face ID or the fingerprint that you set on your device which is totally a bad idea.
legendary
Activity: 3472
Merit: 3217
Playbet.io - Crypto Casino and Sportsbook
June 07, 2024, 03:42:20 PM
#3
Okx and Binance seem they added this passkey it said that it would be easier to access without a password if I use Passkey but I am ok with 2FA through SMS and email I feel it is way safer.
I don't feel safe having a passkey it might be worth it if you have a hardware device like Fido but still not good for the long term because we do not know how long this device will work lasts.

For me, I'm ok with only 2FA or the easier one is to access Binance or OKX on the web browser through your phone by scanning a QR code.
legendary
Activity: 1512
Merit: 4795
Leading Crypto Sports Betting & Casino Platform
June 07, 2024, 11:00:07 AM
#2
Passkey makes it convenient but not as safe as seed phrase. Just as you have seen on Trustwallet to backup your seed phrase using iCloud or Google cloud which we have heard of people that lost their coins because of that. Now it is Swift beta on Trustwallet which makes use of passkey which is also about online backup using your face ID or your fingerprint on your device to spend your coins.

Face ID or fingerprint is not recommended for spending your coins. If you unlock your device with fingerprint and also unlocking your wallet on the device with fingerprint, that makes the wallet to be less secure. It can make physical attack to easily be successful in relation to wallet compromisation.

It has security risks. It should be avoided.

On exchanges, I do not think it has online backup. Your username, password and the 2FA OTP can be used to have access to your exchange account if you want to use another device. But it also has security risks. I prefer 2FA OTP, while the 2FA is on another device.
Pages:
Jump to: