Add PassKey login

heksesang

Now that 2FA is available, this is the logical next step to take.

Passkeys would make it a lot easier to log into new devices. Say I want to use Kagi on a public library computer, or when I am at a friend's place and using their computer to look something up, using password + 2FA is a lot more cumbersome than just scanning a QR code and logging in from my phone.

Stef

heksesang Yes, please!

Browsing6853

btw, there is a lot of upvotes to this, which I suppose is mostly about convenience than security itself because most of the people here will use passkeys as an additional auth method, instead of deactivating the password method.

I think a bigger security feature is to have sessions management: https://kagifeedback.org/d/539-account-session-management/5
Why? Imagine you have the passkey feature enabled along the password. Somehow, someone discovered your password, they will just login with that password, bypassing the passkey method, and you will never even know if someone is using your account. There isn't successful login alert emails yet.

heksesang Passkeys would make it a lot easier to log into new devices. Say I want to use Kagi on a public library computer, or when I am at a friend's place and using their computer to look something up, using password + 2FA is a lot more cumbersome than just scanning a QR code and logging in from my phone.

Imagine people with Kagi everywhere and not even knowing where the account is active (not judging the act itself, I do the same)

ivan_g

It would be nice to use a USB security key to log in...

SoloKey
YubiKey
Google Titan

It could be used either as a second factor in MFA or replace the password completely (especially useful on shared computers).

ak42

And Nitrokeys !

or more generaly FIDO2/U2F compatible USB security keys

WoundedMoose

I do like my YubiKey, and I wish these things were supported more broadly.

voltaire

I also would like to see FIDO2 security keys implementation.

Vlad

Any more details about this? Is this browser level feature or a website level feature? Any services that do this well that can serve as an example?

Value7609

Vlad

It's WebAuthn, the same as "passkeys" which are just a software implemention of the already existing USB Security Keys.

https://webauthn.io/

I'd say 90% of the services I use supports this.

Some example documentation entries from some large websites where it is easy to find.

GitHub:
https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-security-key

Google:
https://support.google.com/accounts/answer/6103523?hl=en&co=GENIE.Platform%3DAndroid

Apple:
https://support.apple.com/en-us/102637

Twitter: (search for security key)
https://help.twitter.com/en/managing-your-account/two-factor-authentication

GitLab:
https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#set-up-a-webauthn-device

Bitwarden:
https://bitwarden.com/resources/using-bitwarden-with-yubico/

Mailcow:
https://docs.mailcow.email/manual-guides/mailcow-UI/u_e-mailcow_ui-tfa/#example-setup

Vlad

Value7609 So is this the same as https://kagifeedback.org/d/15-add-passkey-login ?

Value7609

Vlad yes

duck

Passkeys were suggested two years ago. Nowadays, the technology is more mature. Passkey portability is being worked on.

Passkeys should be an extra option for logging in.

When properly implemented, like on Fastmail and Google, the 'Log in with Passkey' prompt automatically appears when you visit the login page, but only if you have a passkey set up. This is very powerful, as this would make logging in insanely fast, for the people that have passkey set up.

Another advantage: it's phishing-proof. The passkey simply won't work on other websites.

I attached an image of how Fastmail has implemented it. The login page detects that I have a Passkey set up, and I only have to authenticate by laying my finger on the fingerprint scanner, and in a fraction of a second I'm logged in. Note that I don't have to enter my e-mail address, even.

miicat_47

I would like to have this too!

I have some additional things how I would like it to work:

TOTP not being a requirement for this to work
Or if above can't be done, don't ask for TOTP as passkey is already way more secure than TOTP
Support FIDO2 keys (Yubikey, etc.) as well, if possible (the most secure login method currently)

Dustin

+1 for passkey support!

Pictor

Absolute +1. I use passkeys as a leading indicator of a services commitment to secure user access, and the more often I use a service, the more critical it is for them to incorporate it into their account security.

Jesal

+1, I would also highly appreciate the option to use passkeys. A majority of the services that I use regularly support passkeys now so it would be nice if Kagi did as well.

pixel

Hey all, I merged the created post with the existing one just to keep everything in the same place since we are tracking this specific feedback post internally.

I can say that this was not forgotten about, and we do plan to implement passkey support still.
It's just a big effort to implement with our limited team size & lack of libraries for our current backend language (Crystal).

I can't give any timelines or guarantees on when it will be coming, but I can say that we hear you 🙂

ivan_g

It would be nice to use USB security keys without using "passkeys" or anything else owned by Google, Microsoft, or Amazon. One of the reasons I switched to Kagi was to avoid dealing with corporate surveillance when I search for something on the Internet, and I think many people switched for the same reason. Unfortunately, the feedback thread about USB keys I started in April was merged with another thread about some "cloud" based authentication from Google, designed to track people across different sites...

Pictor

ivan_g passkeys aren't "owned" by Google or anything else. They are a technology which various companies (yes, including Google) have helped codify, and something they support. They can't track your passkey use for some other site.

Dustin

ivan_g https://fidoalliance.org/passkeys/

« Previous Page Next Page »