XF 2.3 Passwordless logins with passkeys

First things first, don't panic, don't rush to your customer area, there is no Beta 3 release today! We are likely to be moving the remaining HYS posts to Thursday/Friday, coinciding with those features rolling out to this very forum so we get some extended testing and feedback before they appear in a subsequent Beta.

Next order of business, before we get into what's coming in Beta 3, is a big thank you to Shawn, AKA @digitalpoint. We're big fans of Shawn's work and he's genuinely a stand up guy, always very willing to help out. Shawn was kindly willing to give us his Security & Passkeys add-on and this gave us the leg up we needed to introduce this feature at rather short notice. It has morphed slightly, and does not entirely replace the add-on so I suspect it will live on in some form and I'm sure Shawn will communicate that in due course.

So, with all that being said, let's take a look at passkeys support in XenForo 2.3!

What is a passkey?

Passkeys are a secure replacement for passwords and/or second factor authentication. They take many forms ranging from physical devices (e.g. Yubikeys) to biometric authentication built into your phone or computer. Some types of passkeys can even be synced across all of your devices, for example I can set up a passkey using my fingerprint on my MacBook Pro which is then synchronised with my iPhone and authenticated using FaceID. Or you may have a password manager such as Bitwarden or Proton Pass which synchronise your passkeys across different browsers and devices.

They are extremely secure, extremely easy to set up and extremely easy to use.

Adding a passkey in XF 2.3

Passkeys can be managed for your account under Account > Password and security. To kick the process off you simply click "Add passkey" which, in supported browsers, will invoke some sort of interface, usually served by your browser, device, or password manager.

Let's look at the process in more detail via an iPhone:



It's that easy! From that point forward, not only will you be able to use your passkey for logging in, it also enables any of your current or future passkeys to be used as two-factor authentication.

Passwordless login


It's just as easy using a passkey as it is to add one. Let's take a look at the login flow with the passkey I just created:




No need to enter your password. No need to even enter your username! Just tap "Log in using: Passkey" and follow your device's prompts and you'll be logged in!

We've just rolled this out here so have a play around and let us know your thoughts!
 
I'm not one of those people who needs everything to be the most secure ever. Simply having passkeys, a password manager with long, secure random passwords, is already miles better than the vast majority of Earth. I tend to have 30 char passwords generated minimum, unless a site doesn't allow more than like 12, 20, etc.
I haven't checked the number-crunching stats for a while - is 30 characters more secure than say 12 in any meaningful way? (Assuming we're talking about decent salted hashes.)
 
I haven't checked the number-crunching stats for a while - is 30 characters more secure than say 12 in any meaningful way? (Assuming we're talking about decent salted hashes.)
Depends. But Proton Pass says this about 12 vs say, 20:


According to them, at least, there is a difference, although in the grand scheme of things, it doesn't matter much. I just like to make it harder to get in. Even my Proton account has a 20 character password, which I have written on an encrypted portable SSD.
 
I didn't expect that 2FA will be activated automatically after creating a passkey on my phone. So now I cannot login on my laptop. What I expected is a choice between a password and a passkey.
 
Depends. But Proton Pass says this about 12 vs say, 20:
Nice to see their estimate for cracking time (y)
For me, centuries and millennia are both equivalent to "nope", if the question is "is this password crackable in practical terms?". Social engineering, simple theft, etc. will be the lowest hanging fruit in both cases, because brute-force attack is just pointless.

If you can always use a password tool to type the password for you, then 12 characters and 100 characters are both the same. If you actually need to try and remember them, then even 12 characters of randomness is already pretty much not realistic for most people anyway, unless it's their one and only password for getting into their main password vault.
One time I think it really does make a difference is when you need to type it by hand, reading it off one screen and entering into another... When that happens, I'd far rather be typing 12 characters than 30 :)
 
For me, centuries and millennia are both equivalent to "nope", if the question is "is this password crackable in practical terms?".
Bear in mind, "centuries" even 10 years ago is "seconds" today. An MD5 hashed password was good enough 15-20 years ago, but today MD5 hashes are cracked so fast the password appears before you've even pressed enter on the command :P

That being said, it is true that your account might not be relevant or even exist in 10-20 years, so I'm not saying you should immediately start worrying.
 
Bear in mind, "centuries" even 10 years ago is "seconds" today. An MD5 hashed password was good enough 15-20 years ago, but today MD5 hashes are cracked so fast the password appears before you've even pressed enter on the command :P

That being said, it is true that your account might not be relevant or even exist in 10-20 years, so I'm not saying you should immediately start worrying.
Gosh, you had me thinking I was waaaaay out of date about how fast MD5 cracking could be done, and maybe I am of course. However, I found this work from 2023* which suggests that even an 8-character password's MD5 hash would take 3 hours to crack on a quad-4090 system, providing it uses upper+lower+number+symbols. (If things are now even worse for MD5, I'm curious to learn more.)
I know what you're saying though - tech does move on, and now and then a weakness in an algorithm is discovered and knocks a bunch of zeroes off the computational cost of cracking it.

(*PS: the same table says that a 12-character password's MD5 hash would take 26 thousand years to crack - again, assuming upper+lower+number+symbols - which puts it at odds (pretty dramatically) with the Proton results posted above by @KensonPlays. Not sure what hash they assume of course, not the cracking hardware.)
 
Brute force attacks are generally only an issue if you're being targeted personally - waiting hours, days or even weeks to crack a password could be worth it.

It's much more likely that someone will be using automated tools to see which accounts are easily compromised - credential stuffing, dictionary attacks, etc

That's not a reason to not take care with passwords etc - but we do need to find a balance somewhere between paranoia* and carelessness.

* - just because you are paranoid doesn't mean they aren't out to get you!
 
That's not true 2FA, and no difference than if they're both in the same system/service.
It's still true 2FA. A username / password combo is something you can guess or remember. So for example, your friend might attempt to type that in or a bot might use a dictionary / brute force attack. Then to continue the friend or bot need the second factor of the authentication which is access to a device in your possession.

If someone compromises an entire device then you've got a lot more problems than just your account being compromised.
 
It's still true 2FA. A username / password combo is something you can guess or remember. So for example, your friend might attempt to type that in or a bot might use a dictionary / brute force attack. Then to continue the friend or bot need the second factor of the authentication which is access to a device in your possession.

If someone compromises an entire device then you've got a lot more problems than just your account being compromised.

If you can get hold of someone's physical security device (eg YubiKey) and there is no additional security on it, then you can use that key to log into any service where the passkeys are set up for it. That would be a huge issue.

This is why the YubiKeys have PIN security - you can't access any of my passkeys if you don't also know the second factor - my PIN.

Similarly with my phone - stealing my phone isn't enough, you also need my fingerprint or PIN to unlock it - again, two factors.

Stealing my laptop with 1Password installed: you'd need either my fingerprint or PIN to unlock it.

If you stole my laptop and removed the (unencrypted) drive and got hold of my 1Password vault, you'd also need my username and password AND my secret key to be able to access it.

In every case, there are at least two factors involved - you need access to the physical device, and you need a password/PIN or some kind of biometrics to access it.

It really is 2FA.

The problem with usernames and passwords is that you don't need any physical device to use them - which is why they are so vulnerable. Anyone who can guess/steal/engineer them, can access the system. More importantly, you can automate these attacks. As soon as there is a physical device required, automation no longer works.
 
If you can get hold of someone's physical security device (eg YubiKey) and there is no additional security on it [...] That would be a huge issue.

[...]

This is why the YubiKeys have might have PIN security
A YubiKey (or any other FIDO2 security key) with factory default setting does not have a PIN set and the way XenForo currently creates PassKeys does not enforce setup of a PIN.

So if an attacker gains access to such a YubiKey he can log into the account without needing a second factor, just physical access to the YubiKey.

In every case, there are at least two factors involved - you need access to the physical device, and you need a password/PIN or some kind of biometrics to access it.
... or be able to exploit a vulnerability that allows unauthenticated access to the vault (maybe through a side channel attack due to an implementation mistake or smth.)

Nothing is 100% secure.
 
A YubiKey (or any other FIDO2 security key) with factory default setting does not have a PIN set and the way XenForo currently creates PassKeys does not enforce setup of a PIN.

So if an attacker gains access to such a YubiKey he can log into the account without needing a second factor, just physical access to the YubiKey.

YubiKeys do have PIN security. Choosing not to use it is entirely your decision.

... or be able to exploit a vulnerability that allows unauthenticated access to the vault (maybe through a side channel attack due to an implementation mistake or smth.)

Nothing is 100% secure.

The potential for vulnerabilities are the reason why we keep our systems and software updated - to minimise the attack surface area.

Basic best practices to reduce your risk:
  • use a password manager to generate random passwords
  • never re-use passwords across multiple sites or services
  • use 2FA when it is available
  • use antivirus and anti-malware software on your systems
  • don't install untrusted software
  • keep your software and systems updated
  • etc
Either way, nobody said anything about things being 100% secure. If someone is determined enough to get access to this stuff - it can be done.
 
YubiKeys do have PIN security. Choosing not to use it is entirely your decision.
Yeah, it is your decision .... if you know that you can set up a PIN.

Does everybody know that?

We should have secure processes by default - the current behaviour of XenForo generating a PassKey without user verification and allowing that to be used for login without further verification is not secure.

So IMHO XenForo should either enforce user verification or not allow a PassKey that was setup without user verification to be used for login without an additional factor.
(At least not without the user explicitly requesting that this should be possible - and the admin in turn being able to forbid that for privileged users like mods / admins).
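The policy argued for in the post above (a passkey created or asserted without user verification should not be enough for login on its own) can be enforced server-side by reading the flags byte of the WebAuthn authenticatorData. The following is an added example, not XenForo's code; the policy function and the sample authenticator data are constructed here, and the RP ID "xenforo.com" is used only as a label.

```python
import hashlib
import struct
from dataclasses import dataclass

# authenticatorData flag bits as defined by the WebAuthn specification
FLAG_UP = 0x01  # user present: someone touched or tapped the authenticator
FLAG_UV = 0x04  # user verified: the authenticator checked a PIN or biometric


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix of authenticatorData: rpIdHash (32),
    flags (1), signCount (4, big-endian). Extensions and attestation data
    that may follow are ignored here."""
    if len(raw) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(rp_id_hash=raw[:32], flags=raw[32], sign_count=sign_count)


def passwordless_allowed_at_registration(ad: AuthData) -> bool:
    """Record at registration whether the new credential may later log in
    passwordlessly: only if the authenticator performed UV when creating it."""
    return bool(ad.flags & FLAG_UV)


def login_decision(ad: AuthData, rp_id: str, stored_sign_count: int,
                   second_factor_ok: bool = False) -> str:
    """Hypothetical relying-party policy for a login assertion:
    - rpIdHash must match our RP ID and UP must be set, else 'reject';
    - a sign counter that fails to increase suggests a cloned credential
      (only checked when the authenticator reports a non-zero counter);
    - UV set: possession plus PIN/biometric, so 'allow';
    - UV not set: possession alone is not enough, so 'second-factor-required'
      unless another factor (e.g. password or TOTP) was already presented."""
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return "reject"
    if not ad.flags & FLAG_UP:
        return "reject"
    if ad.sign_count != 0 and ad.sign_count <= stored_sign_count:
        return "reject"
    if ad.flags & FLAG_UV or second_factor_ok:
        return "allow"
    return "second-factor-required"


def make_auth_data(flags: int, sign_count: int, rp_id: str = "xenforo.com") -> bytes:
    """Constructed sample authenticatorData (not captured from a real key)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


if __name__ == "__main__":
    with_uv = parse_auth_data(make_auth_data(FLAG_UP | FLAG_UV, 7))
    print("key with PIN/biometric:", login_decision(with_uv, "xenforo.com", 6))
    no_uv = parse_auth_data(make_auth_data(FLAG_UP, 7))
    print("factory-default key:", login_decision(no_uv, "xenforo.com", 6))
```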
 
Yeah, it is your decision .... if you know that you can set up a PIN.

Does everybody know that?

We should have secure processes by default - the current behaviour of XenForo generating a PassKey without user verification and allowing that to be used for login without further verification is not secure.

So IMHO XenForo should either enforce user verification or not allow a PassKey that was setup without user verification to be used for login without an additional factor.
(At least not without the user explicitly requesting that this should be possible - and the admin in turn being able to forbid that for privileged users like mods / admins).

Buying a YubiKey is a conscious act. You presumably know what you are doing - less technically savvy people wouldn't even buy one, let alone work out how to use it (the workflow for using YubiKeys is still pretty convoluted on Windows - unnecessarily so in my opinion).

The issues with XenForo's implementation are not really related to what we've been discussing here.

FWIW, I do agree - being in possession of a passkey should not be sufficient on its own, to gain access to a XenForo account - there should always be a second factor required.
 
You presumably know what you are doing - less technically savvy people wouldn't even buy one,
You've got more trust in people than I have ;)

After having read a few reviews on FIDO2 security keys on Amazon I can only come to the conclusion that there are way too many people who just don't know what they are doing, and yes - they are buying such hardware.

let alone work out how to use it (the workflow for using YubiKeys is still pretty convoluted on Windows - unnecessarily so in my opinion).
Just curious: What exactly is so convoluted?
I just did a little test with my girlfriend's Windows 10 laptop using a guest account (never used a YubiKey there before).

All I had to do to log into xenforo.com with the YubiKey 5 was:
  1. Plug it into a USB port
  2. Wait for driver installation to complete
  3. Start Chrome
  4. Go to xenforo.com/community
  5. Click on Log in
  6. Click on Passkey
  7. Select External security key
  8. Enter the PIN
  9. Touch the YubiKey
.. and I was logged in.

Seems pretty straightforward to me?
 
Just curious: What exactly is so convoluted?

I'll use logging in to Cloudflare and using my YubiKey as 2FA as an example:

After I log in, I get prompted to do my 2FA:

Now, because I'm using 1Password, it takes over the workflow and offers me the easiest and quickest option - use my passkey stored in 1Password, which I've already authenticated with and so it's literally one click. However, I want to use my YubiKey, so I need to click on the little key icon to revert back to the Windows workflow:



Now Windows steps up and offers to let me log in using my Windows Hello passkey - which is also easy, on my laptop, I simply scan my fingerprint, but on my desktop I'd use my PIN ... however, I'm still wanting to use my YubiKey, so I'll select "Use another device" instead:



Now the next step is where I think it becomes a bit silly - another Windows dialog asking me which other device. I'm still wanting to use my YubiKey, so I'll select "Security key":



At this point, I get prompted for my YubiKey PIN:




... and then finally get asked to touch my security key:



... so that's a total of 5 steps to authenticate with my YubiKey - as opposed to 1 step for 1Password, or 2 steps for Windows Hello.

Now of course, if I did not have 1Password or Windows Hello set up, I'm sure the workflow would be much simpler - but the multiple layers with multiple types of passkeys needs a bit of work in Windows 11 IMO.
 
Now of course, if I did not have 1Password or Windows Hello set up, I'm sure the workflow would be much simpler
Yeah, I think it's the combination of 1Password, Chrome and Windows Hello that complicates things.

Logging into Cloudflare using KeePassXC, Firefox and YubiKey as 2FA on Windows 10:

=> No complicated selection through multiple dialogs, just a message from KeePassXC that it has no usable credentials (and thus a fallback to standard browser handling is performed) and the Windows dialog asking for the PIN and a keypress after that:


but the multiple layers with multiple types of passkeys needs a bit of work in Windows 11 IMO.
Not only in Windows 11 .... FIDO2 interoperability generally seems to be a mess:
  • Firefox can't use my Android phone
  • Chrome on my android phone can't (yet) use my YubiKey via NFC or USB (due to Play Services not supporting CTAP2)
  • KeePass compatible Android apps do not (yet) support Passkeys
  • KeePassXC can't (yet) use multiple FIDO2 credentials to control access to the database (or HMAC-SECRET at all)
  • Security Keys like YubiKey have waay too few slots for resident keys
  • ...
But there is hope things will get better as time moves on :)
 
It's still true 2FA. A username / password combo is something you can guess or remember. So for example, your friend might attempt to type that in or a bot might use a dictionary / brute force attack. Then to continue the friend or bot need the second factor of the authentication which is access to a device in your possession.
Really, it's not, in the scenario I gave. I think you need to understand 2FA better.
 
If I don't understand it then my senior membership doesn't stand a chance. :)
Yeah, we'll be passing on this also. It's hard enough getting staff to use 2FA. And with forum membership skewing older, all this stuff will go right over their heads and be way too complicated. They can barely handle passwords.

I like technology, so being able to try out all the Passkeys options is a learning experience. But for practical purposes, I doubt I'll be offering this on the forums, or will write my own add-on with a new permissions set so the options only appear for staff members. (And even then, uptake will only be a couple of us, so why bother?)

I'm not one of those people who needs everything to be the most secure ever.
I do for all important accounts. Anything personal, financial, even access to servers I manage or services I use (like Cloudflare)--they're locked down tight.

But for a forum? Unless someone is a staff member, it's just a forum. If an account is hacked, big deal...we shut it down and clean it up. (Or if it's a bad account from day one, we just ban it and move on.) Unless I'm part of a forum's staff, I don't use 2FA on any other forum I visit. (Especially those with default XF setups where it's expiring every 30 days, and I have three or four devices I have to mess with every 30 days. Yeah, no.)
 
So after some work with Proton direct, the majority if not all issues with their app should be sorted.

If anyone is still having issues with Passkeys and Proton on mobile with XF, let me know and I should be able to run through some steps to sort it, or locate a different issue.

For now it will just cover signing in here at XenForo.com
 