WebAuthn and Password Managers

I've thought for a while that password managers would be ideal places to store WebAuthn private keys. 

I already use a password manager to store my passwords so, as passwords move to WebAuthn, I'd like to use it to store my WebAuthn private keys as well, probably in parallel with a hardware security key like YubiKey.

WebAuthn supports roaming authenticators, which I believe could include a cloud service like a password manager.  This idea seems obvious so I'm surprised it hasn't gotten any traction.  Maybe there's an issue that I'm not aware of, and one of these days I need to do some deeper research.

1Password just announced support for SSH keys: SSH and Git, meet 1Password 🥰 | 1Password.  Hopefully this is a step on the path.


Update 2022-04-01: For a very relevant proposal, see the "Copyable, multi-device Passkeys" section here: What does the future hold for modern authentication? - Yubico


Defenses against phishing

In a local Slack forum someone recently asked about how phishing and IoT attacks compare in number.  My answer was...

Phishing in all its variants is by far the biggest vector because (in most forms) it requires essentially no effort by an attacker.  An IoT attack needs to be specifically executed against a target by an attacker, so most "run of the mill" SMBs are not that likely to be on the receiving end of this.  All orgs are going to be on the receiving end of phishing, though, and continually.

For phishing, the best defenses are:

  • training users about phishing
  • using long, random strings for all passwords
  • providing the org's users with a password manager (e.g., BitWarden, 1Pasword, LastPass)
  • enabling 2FA on all accounts that support it (preferably not SMS-type 2FA; TOTP authenticator apps like Authy are nice compromise between security, cost, and convenience)
  • through the org's Acceptable Use Policy (AUP), requiring employees to (a) use long, random strings for all passwords, (b) use only the org's designated password manager for storing the credentials for all accounts, and (c) enable 2FA on all accounts that support it, and to use SMS-type 2FA only if there is no other option available
  • using an email provider that does a very good job of filtering out spam
  • if the org is larger, providing a Single Sign-On (SSO) system to employees, to get rid of as many password-based account logins as possible (e.g., Okta, Ping, Microsoft AAD)