Thoughts on Passkey wallets? | Bitcointalksearch.org

Amphenomenon

sr. member

Activity: 700

Merit: 470

Hope Jeremiah 17vs7

I did a research recently about passkeys and saw the potential edge it has against password authentication, wanted to speak about it but decided to used the Ninjastic space first, then discovered there have been quite a lot of discussion about this, been too busy to notice it earlier, but here is my take on this:

While some may speak of the third party like iCloud or Google drive when it comes to privacy, this is just an alternative if you want to get seamless connection across devices, passkey are generated locally on users device and also the biometric/pin doesn`t leaves that device base on FIDO alliance here: https://fidoalliance.org/how-fido-works/.
Nothing actually leaves except the public key of your device, since they're done locally. I think there will be a better improvement of seamless connection and recovery with time.

Quote from: OmegaStarScream on June 07, 2024, 10:24:53 AM

I have also noticed that some exchanges such as OKX and Binance are using this instead of requesting a combination of both 2FA code and email.

There are more exchanges and platforms using it, here is a list of them https://www.passkeys.io/who-supports-passkeys

Quote from: https://www.passkeys.io/who-supports-passkeys

‍Note: This list only shows websites and apps that have implemented passkeys as a full password alternative. That means that the passkey option has to be visible on the main login screen. Services that require the user to enter a username before being prompted for a passkey or that are using WebAuthn as a 2FA method are not listed.

DaveF

legendary

Activity: 3500

Merit: 6320

Crypto Swap Exchange

Quote from: Findingnemo on June 16, 2024, 03:50:57 AM

Quote from: Saint-loup on June 15, 2024, 04:36:11 PM

Are you sure passkeys are really stored in the cloud? That is to say, if you lose your device and you haven't registered another passkey from another device for the service you want to access, there is still a way to access it ? You will be able to get back your passkey wallet on another device?

AFAIK, passkeys are stored in the cloud after the encryption there is no way that someone can decrypt it even if they have accessed the file by hacking the server or your cloud account still you need the biometrics such as PIN, password to decrypt once you logged into the new device. And that is the whole point of this being convenience which is less secure than the traditional way of strong seeds but you know people always prioritize convenience over security. Roll Eyes

There will always have to be a reasonable compromise between convenience & security & privacy.

Cash is not secure, if you drop it and it blows away it's gone. If someone steals it it's gone. BUT you have good privacy and it's convenient.
Credit cards are secure. If you loose it or someone steals it no big deal no loss for you. But there is no privacy and they are convenient.

It's all about what works for you in the balance of these things.

-Dave

dkbit98

legendary

Activity: 2212

Merit: 7064

I don't like the idea of connecting my biometric information with bitcoin wallets and I dislike it even more when I see the list of junk wallets supporting Passkey like trust wallet and some centralized exchange wallets.
Putting anything on cloud aka other people computer drive, is another red flag for me, as well as not having seed words backup at all.
This is a pass for me.

Findingnemo

hero member

Activity: 2366

Merit: 793

Bitcoin = Financial freedom

Quote from: Saint-loup on June 15, 2024, 04:36:11 PM

Are you sure passkeys are really stored in the cloud? That is to say, if you lose your device and you haven't registered another passkey from another device for the service you want to access, there is still a way to access it ? You will be able to get back your passkey wallet on another device?

AFAIK, passkeys are stored in the cloud after the encryption there is no way that someone can decrypt it even if they have accessed the file by hacking the server or your cloud account still you need the biometrics such as PIN, password to decrypt once you logged into the new device. And that is the whole point of this being convenience which is less secure than the traditional way of strong seeds but you know people always prioritize convenience over security. Roll Eyes

Saint-loup

legendary

Activity: 2604

Merit: 2353

Are you sure passkeys are really stored in the cloud? That is to say, if you lose your device and you haven't registered another passkey from another device for the service you want to access, there is still a way to access it ? You will be able to get back your passkey wallet on another device? You must be 100% sure about that and sure that the service/wallet using this technology is able to do it without any issue especially. Because if they don't, it would be too late to discover it once you've lost your device/passkey for some reasons. So it's better to test it with an account/wallet without funds IMO

mk4

legendary

Activity: 2870

Merit: 3873

Paldo.io 🤖

Very good wallet setup for a hot wallet, in my opinion, so there's one less annoying handwritten physical wallet backup that I need to worry about.

For my general long-term holdings though? No way I would trust this setup unless I use it as a part of a multi-sig setup(still with a hardware wallet).

DaveF

legendary

Activity: 3500

Merit: 6320

Crypto Swap Exchange

As with anything it depends on it's use.
For a hot wallet with minimal funds or as I like to say, never keep more crypto on your phone then your phone is worth. Then yes I think they are fine.
For a 'warm' wallet or cold wallet, then probably not. As the 2nd 1/2 of a multisig I might use it to make some things easier but for the most part too insecure for me.

-Dave

Z-tight

hero member

Activity: 994

Merit: 1089

Quote from: Wind_FURY on June 10, 2024, 04:39:27 AM

Yeah, it's an attack vector, but probably a trade-off of a different security-model that's good enough to be accepted for small amounts of Bitcoin/cryptocurrencies.

With the features mentioned in the op, i wouldn't use a passkey wallet, even if it is to store a small amount of money. I'd rather use a recommended online wallet, and store a small amount of my BTC in it, that's a safer choice in my opinion, even for a hot wallet.

LoyceV

legendary

Activity: 3290

Merit: 16489

Thick-Skinned Gang Leader and Golden Feather 2021

Quote from: Wind_FURY on June 10, 2024, 04:39:27 AM

probably a trade-off of a different security-model that's good enough to be accepted for small amounts of Bitcoin/cryptocurrencies.

In that case, I prefer a hot wallet on my phone.

Wind_FURY

legendary

Activity: 2898

Merit: 1823

Quote from: LoyceV on June 10, 2024, 02:58:52 AM

Quote from: OmegaStarScream on June 07, 2024, 10:24:53 AM

- You basically can create or restore your wallet using your PIN ~
- Passkeys are stored in your iCloud or Google drive

This sounds like a great way for attackers to gain access to your wallets, including inside jobs at the cloud provider.

Yeah, it's an attack vector, but probably a trade-off of a different security-model that's good enough to be accepted for small amounts of Bitcoin/cryptocurrencies. Perhaps a good rule of thumb to have in crypto is, if the UX is made to be more convenient to the user, then expect a higher number of attack vectors?

¯\_(ツ)_/¯

LoyceV

legendary

Activity: 3290

Merit: 16489

Thick-Skinned Gang Leader and Golden Feather 2021

Quote from: NotATether on June 10, 2024, 04:01:37 AM

To be clear, the PIN is not intended to be the main authentication option for unlocking something protected by a passkey, but it is usually only used after you already log in with a username or password, mainly for inactivity purposes.

It's like, imagine your phone has a password (not PIN) you had to type to "log in" to the phone. Now imagine a logout button, and a PIN, but you only type it when you are logged in, and only after the phone becomes inactive and locks.

The big difference is of course physical access: my phone is right beside me, nobody can access it. Online wallets need a lot more security than physical devices.

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

Quote from: LoyceV on June 10, 2024, 02:58:52 AM

Quote from: OmegaStarScream on June 07, 2024, 10:24:53 AM

- You basically can create or restore your wallet using your PIN ~
- Passkeys are stored in your iCloud or Google drive

This sounds like a great way for attackers to gain access to your wallets, including inside jobs at the cloud provider.

To be clear, the PIN is not intended to be the main authentication option for unlocking something protected by a passkey, but it is usually only used after you already log in with a username or password, mainly for inactivity purposes.

It's like, imagine your phone has a password (not PIN) you had to type to "log in" to the phone. Now imagine a logout button, and a PIN, but you only type it when you are logged in, and only after the phone becomes inactive and locks.

LoyceV

legendary

Activity: 3290

Merit: 16489

Thick-Skinned Gang Leader and Golden Feather 2021

Quote from: OmegaStarScream on June 07, 2024, 10:24:53 AM

- You basically can create or restore your wallet using your PIN ~
- Passkeys are stored in your iCloud or Google drive

This sounds like a great way for attackers to gain access to your wallets, including inside jobs at the cloud provider.

Wind_FURY

legendary

Activity: 2898

Merit: 1823

Quote from: OmegaStarScream on June 07, 2024, 10:24:53 AM

I'd like to hear your thoughts on this?

It's convenient especially if you are active/making multiple transactions a day from a particular wallet. But perhaps the storage using ICloud or any online service should be discouraged, no? I'm not actually sure how it works, but I don't feel safe storing any "key" in any cloud service. Store it locally in another device, and merely use small amounts of cryptocurrencies if you store them in that walle for a long time.

Z-tight

hero member

Activity: 994

Merit: 1089

It is not recommended, and i don't think good wallets should make such a feature available, just as people should also be dissuaded from ever storing sensitive data related to their wallets in the cloud or anywhere online. Most people tend to go for the more convenient option, and passkeys would be convenient, but it is not secure. You should only be able to restore your wallet with your seed phrase, and your wallet file should be encrypted with your strong password.

FinneysTrueVision

sr. member

Activity: 1680

Merit: 379

Top Crypto Casino

I am worried that with passkey wallets, I will end up losing or breaking the device where the passkey is stored. You could have it backed up in the cloud, but then you are relying on a third party. If someone has their iPhone stolen and the thief resets their iCloud password, they could end up without any way to restore their wallet. There are too many scenarios that I am imagining where I could possibly lose access to my funds, based on my understanding of passkeys.

If it is proven to be a secure method for backing up a wallet then I might give it a try, but for the time being I will keep using traditional seedphrases.

BitMaxz

legendary

Activity: 3374

Merit: 3095

Playbet.io - Crypto Casino and Sportsbook

Quote from: Charles-Tim on June 08, 2024, 01:36:27 PM

The passkey can be confusing if some people are thinking that it is hardware but it is not. The passkey will let you have access to the wallet or the exchange using your face ID or the fingerprint that you set on your device which is totally a bad idea.

Passkeys are any biometrics, SMS, or email but there is an option to use a USB security key with FIDO2 protocol as your passkey or authenticator it is a hardware device like on OKX it is just optional if you have this USB security key you can use it as your hardware key. It's still not a good option if someone poses about this USB device because it is a direct authenticator once you log in to OKX but can be also used as a backup once you can't log in to your account with your password. That is why you need to securely hide this device in a protected place and no one should know that you have a USB security key.

Read about the Passkey on OKX USB security key is a hardware(as optional passkey)
- https://www.okx.com/help/how-do-i-create-passkeys-app

Charles-Tim

legendary

Activity: 1512

Merit: 4795

Leading Crypto Sports Betting & Casino Platform

Quote from: BitMaxz on June 07, 2024, 03:42:20 PM

I don't feel safe having a passkey it might be worth it if you have a hardware device like Fido but still not good for the long term because we do not know how long this device will work lasts.

The passkey can be confusing if some people are thinking that it is hardware but it is not. The passkey will let you have access to the wallet or the exchange using your face ID or the fingerprint that you set on your device which is totally a bad idea.

BitMaxz

legendary

Activity: 3374

Merit: 3095

Playbet.io - Crypto Casino and Sportsbook

Okx and Binance seem they added this passkey it said that it would be easier to access without a password if I use Passkey but I am ok with 2FA through SMS and email I feel it is way safer.
I don't feel safe having a passkey it might be worth it if you have a hardware device like Fido but still not good for the long term because we do not know how long this device will work lasts.

For me, I'm ok with only 2FA or the easier one is to access Binance or OKX on the web browser through your phone by scanning a QR code.

Charles-Tim

legendary

Activity: 1512

Merit: 4795

Leading Crypto Sports Betting & Casino Platform

Passkey makes it convenient but not as safe as seed phrase. Just as you have seen on Trustwallet to backup your seed phrase using iCloud or Google cloud which we have heard of people that lost their coins because of that. Now it is Swift beta on Trustwallet which makes use of passkey which is also about online backup using your face ID or your fingerprint on your device to spend your coins.

Face ID or fingerprint is not recommended for spending your coins. If you unlock your device with fingerprint and also unlocking your wallet on the device with fingerprint, that makes the wallet to be less secure. It can make physical attack to easily be successful in relation to wallet compromisation.

It has security risks. It should be avoided.

On exchanges, I do not think it has online backup. Your username, password and the 2FA OTP can be used to have access to your exchange account if you want to use another device. But it also has security risks. I prefer 2FA OTP, while the 2FA is on another device.

Topic: Thoughts on Passkey wallets? (Read 312 times)