Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Security Windows

Windows 11's New Passkey Design Includes Cloud Syncing, 1Password Integration (theverge.com) 19

Posted by BeauHD from the new-and-improved dept.
Microsoft is enhancing passkey support in Windows 11 with a redesigned Windows Hello experience that allows users to sync passkeys to their Microsoft account or third-party providers like 1Password and Bitwarden. The Verge reports: A new API for third-party password and passkey managers means developers can plug directly into the Windows 11 experience, so you can use the same passkey from your mobile device to authenticate on your PC. Right now it's possible in some apps to do this through QR codes and other ways to authenticate from a mobile device, but Microsoft's full support means the passkeys experience on Windows is about to get a lot better.

Microsoft is also redesigning the Windows Hello prompt, including the ability to setup syncing of passkeys to your Microsoft account or saving them elsewhere. Once you've completed a one-time setup process you can use facial recognition, fingerprint, or PIN to authenticate with a passkey across multiple Windows 11 devices. Windows Insiders will get access to these new passkey features "in the coming months."
This discussion has been archived. No new comments can be posted.

Windows 11's New Passkey Design Includes Cloud Syncing, 1Password Integration More

Windows 11's New Passkey Design Includes Cloud Syncing, 1Password Integration

Comments Filter:

  • Personal identification (Score:5, Informative)

    by rtkluttz ( 244325 ) on Thursday October 10, 2024 @05:27PM (#64855321) Homepage

    Too many 2 factor schemes today or not in place for you to identify as Person A to Service A or Device A, but as a surreptitious way for companies to be able to uniquely identify you as a real human. That is not OK. Implement 2 factor in a way that allows me to authenticate without forcing me to cough up a real world identity to do it. Username and password do not expose me (as long as the username is not tied to personal info). Username and password + ubikey do not expose me. But username and password + almost any version of email and phone do. Especially when most of the email identification systems require something that goes along with it to personally identify you.

  • Look a new endpoint to guard with your life.

  • ..it's still confusing
    As far as I can determine, VERY few sites support passkeys, and the ones that do are ones I don't care about
    I want a physical dongle that I can plug into my desktop computer and securely access all of the sites I commonly use
    I don't want anything that requires a smartphone, camera, fingerprint reader or other special hardware
    I also don't want to depend on a provider like google or microsoft. I want 100% local control

    • This is why I like a YubiKey. You can set a PIN on it, so that query is needed to allow for authentication, as well as a physical button press. This gives something possessed and something known for access.

      Of course, there is nothing wrong with Google Authenticator's TOTP, because it uses shared secrets, and if the two devices share a good clock sync, it works well enough. However, YubiKeys or FIDO keys are phishing resistant, which is the next step up.

      I'm probably going to expect all new computers will

      • Re: (Score:2)

        by unrtst ( 777550 )

        It would be nice if there were a way to make a FIDO token that used a SD card slot, as SD cards can enumerate as far fewer things than a USB drive.

        NFC. IMO, that's the ticket, and yubikeys (at least some of them) already support it. No need for various physical ports that won't exists one or or another system, and glued up ports won't hurt it.

  • Finally it has replaced the password by becoming the password. Once you can sync/backup/export your 2nd factor it has all the drawbacks of a password (except that you don't have to remember it but that's done with any password manager)

    • Re: (Score:2)

      by unrtst ( 777550 )

      Worse still, AFAICT they're not using the passkey as a second factor. Passkey MFA often relies on your device doing the MFA part locally to unlock the passkey (Ex. face unlock, windows hello pin, etc..).

      • I consider passkeys One-and-a-Half Factor Authentication. Somebody getting ahold of my phone and tracing the passcode pattern left on my screen from the last time I logged in doesn't constitute great security. And yes, I could use biometrics for "better" security, but I don't want anything to ever authenticate with those since I can't get a new fingerprint, eyes, or face if someone at any point in the future manages to find a way to spoof my biological features.

        For me, the most secure two factors of au

        • Re: (Score:2)

          by unrtst ( 777550 )

          100% agree. And I do want to be able to quickly unlock my phone without having to enter a strong password, so I don't want my phone unlock method to also unlock all my passkeys (Eg. using windows hello to unlock passkeys, or faceid, or swipe pattern, or fingerprint, or pin).

  • These are basically like ssh keys (the protocol is a little more involved but the idea is the same) and the advantages in authenticating with them is the same as in ssh keys versus passwords. No worries about bad servers, reusing passwords, brute force passwords, leaking passwords, nothing.

    The big players support this, from Microsoft/github, Google, Amazon, Ebay and Paypal (to some extent) and similar. Many of the others don't, and not only banking sites and other dinosaurus but even stuff like Reddit and P

    • And despite your example of SSH, I still require a password in addition to the pre-exchanged key for all SSH connections on my home machines. I do this because if someone manages to get access to one machine, they can't just SSH into every other machine on my network. I imagine this goes far beyond what most people prefer, but everyone has their own preferences.

      • There's a reason most people don't do that: the extra security offered is absolutely minimal, it's just delaying the attack until you go on the compromised machine and enter the password - while the extra effort of constantly entering a password between your own machines, already set up with ssh keys is huge. Though it's probably the effort that makes you feel better, which of course it's perfectly fine too.

  • What was it ? Embrace, extend and than something.....
  • And you don't know the passwords it created ???
  • It actually includes "fuck" and "off" because I want 0% of MS's cloud bullshit or passkey infrastructure keeping me out of my own damn computer. Here's how you bypass all this horse shit btw:
    net user Username password123 /add
    net localgroup administrators Username /add
    Then log in as it. Bye bye cloud bullshit.

Slashdot Top Deals

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Close