The author still has one last misconception about passkeys, namely that if you lose a passkey, you have "no recourse."
People wrongly think passkeys are like Bitcoin wallets, where losing them means there's absolutely nothing you can do, your account is simply lost forever.
Losing a passkey is exactly like losing your password, which is to say, that for 99% of services, you can reset your password/passkey really easily. There's a prominent "Reset Password" button right on the login form. It sends you an email or an SMS, you click it, and it lets you reset right then and there. You can reset your passkey in exactly the same way.
It is not that easy to reset if you lose your password to your Apple, Google, Facebook, etc. They all have a bunch of factors that they use to authenticate you if you reset your password, and they don't even document which ones they use.
So, if you care about those accounts, you've got to make sure you have backup access. They all let you generate and print "backup codes" (emergency passwords) and store them in a fireproof safe or a literal bank vault. Do that!
As everybody knows, you can't store all of your passwords in a password manager. You need something outside of the password manager to login to the manager itself. That's why 1Password/LastPass is called that; you still need one last password that you keep and manage yourself.
That's true of passkeys, too. You can login to Google with passkey, but if Google is your password manager that stores your passkey, you need something else outside of Google's password manager to login to Google. Whether it's a password, a backup code, a YubiKey, whatever, you need one more thing to login to Google, ideally more than one, so you can back it up and keep it safe.
Pre-passkeys, was this lockout issue a true issue with apple and google accounts? Or have passkeys added a general lockout issue that didn't exist before? Also passkeys in their current implementation are not possible to back up or export yourself, unlike passwords in the past.
Security engineers are prioritizing preventing key copying over lockout issues, unilaterally, on literally billions of people. It improves their metrics internally, at the cost of an externality on the entire world. This kind of stuff invites odious regulation as more and more stories of lockout with no recourse surface.
And unlike passwords, there is no good provider migration story. There is a roach motel issue. Yes it is being 'worked on', but passkeys and such have been out for many years, the willful denial whenever you ask people running these standards about these issues is incredibly irritating. The fact they tend to avoid questions about this like politicians decreases trust in the motives of such standards.
> unlike passwords, there is no good provider migration story
I'm curious what the "good provider migration story" you're referring to here for passwords is?
Password managers by-and-large haven't agreed on a standardised interchange format for import/export - a few of them have some compatibility helpers for importing from specific popular competitors but they're all in different formats, no consistent formats.
The above goes for passkeys as it does passwords - import/export will include your passkeys - so I don't see much difference in the provider migration story.
On the other hand, the FIDO Credential Exchange Format does solve the above problem (if/when providers choose to adopt it), so passkeys are at least further along the path of creating a "good provider migration story" than passwords ever were.
> Pre-passkeys, was this lockout issue a true issue with apple and google accounts?
Yes, absolutely. I have a second Google account I created and lost the password to. I can't reset it because it wants to know the exact month I opened it. I don't even know if it was 2012 or 2016, I'll never guess the month.
The primary credential a user relies on for logging in (whether it's a password or a passkey) is pretty unrelated to the the "lockout issue". The lockout issue is really the age old question of: what happens if I can't do a normal email-based account recovery flow (aka "I forgot/lost my password/passkey").
No, passkeys haven't added a new general lockout issue, because Apple, Google, etc. don't allow you to create an account where you can only login via passkey with no external authentication factor. They require you have something outside the Google account, whether that's a password, a hardware key, etc.
People keep falsely imagining that Google is setting people up with passkey-only accounts, with no way to backup their login credentials. Gosh, wouldn't that be terrible?
That would be like 1Password letting you create a passkey-only account with no password, storing the only passkey in 1Password. The whole idea makes no sense. 1Password doesn't do that, and neither does Apple, Google, Microsoft, etc. (We can all imagine them doing something that stupid, but, it turns out, they don't.)
Pre-passkeys, the most common lost-credential scenario was creating a fresh Gmail address on a new device (an Android phone) with a password and forgetting both your Google password and your password for your cellular-phone carrier (AT&T, T-Mobile, etc). Your Google password would be stored locally on your phone and in Google's cloud, but when you lose your phone and forget your passwords, no backups remain.
At that point, you're pretty much screwed. Google can't email you a reset-password link, because Gmail is your email. Google can't send you a 2FA SMS until you get a new phone with the same number, but you can't convince AT&T to do that, because they want to send a reset-password link to your email, which you don't have, or SMS to your phone, which you don't have.
(The cellular carriers don't even allow you to show government ID at a physical store. They don't allow you to take over a phone number that way, because people could then threaten/bribe a T-Mobile store representative to falsely claim that you presented valid government ID, taking over other people's accounts. If you walk into a store, they'll just put you on the phone with customer service, where they'll insist that you provide your AT&T password, or reset your password via email or SMS. If you've lost your email and your phone and all your passwords, you're completely out of luck.)
If Google allowed you to create a passkey-only account, with no SMS 2FA and no way to backup your passkey, that would be even worse.
But, luckily for all of us, they don't even allow that, and they're certainly not pushing it unilaterally on billions of people.
Yes. People have complained about the difficulty of Google or Facebook account recovery and how they need to make it easier and more accurate for ages. You could search hn for "password reset" or "lost password" and you'll find tons.
This is not a feature of passkeys, this is a feature of each and every individual provider building their own unique reset flow.
Not every provider does this correctly. Just yesterday I saw someone complaining on mastodon about their passkeys being locked and requiring a phone call to get reset.
Passkeys are exactly as resettable as passwords, which depends on your provider actually implementing things correctly.
tbh I think it's safe to claim they're strictly inferior to passwords, though in almost all cases they're literally identical (as you point out).
e.g. that phone call case: some places will tell you a temporary password (over the phone) to enter next time, and then you come up with a new one when you log in. there is no equivalent flow for passkeys, because you can't enter them by hand. a site could of course build that for passkeys (like a temporary password with special UI for entering it), but literally every site with passwords can do that by default, it just needs a general admin UI which almost always exists.
(most I've encountered will email you a temp password, and in principle you could email a temp passkey too... but that doesn't work by phone / for manual entry, and is there a spec on that file format? I don't think so? in your password manager right now: is there a place to manually import a passkey for a website? half of mine don't have one for passkeys, but every single one I've ever seen has a way to manually enter a password)
Apple and Google often store your other 99% of passwords and passkeys, so losing this is actually more important than losing the 99%. I take your point but saying 99% have reset services when the critical 1% may never be recoverable without posting to HN is an important point.
For those you add recovery e-mails. You can easily have a Google, Microsoft and Yahoo e-mail so having access to at least one means you can recover the rest. Yes, this increases your attack surface, but the chances remain miniscule.
Also, just so I'm clear, there's no requirement to share passkeys. Or even have passkeys enabled on all devices, right?
If I log in to a site from my machine, and set up a passkey, but then log into that site from another machine, it'll just see no passkey present and ask for my password, yes?
A passkey is a local password on a device that could be shared through all the password manager gymnastics, but its not required as I understand it.
That’s true for all accounts that i’ve been using (Google, Apple, Microsoft).
Passkey generated on a device can only change login flow for this one specific device. If you don’t synchronize passkey to other devices or if you do not generate passkey on other device, then login flow is different for other device. You need to enter password.
Imo it would not make any sense if it was different.
I think there are passkeys that can be migrated/synced between devices, and device-bound passkeys that can't. I do save passkeys on my password manager and use them across devices, but I am pretty sure I have had passkeys that I could only use from a specific device. Not sure though, it feels a bit confusing.
Yes, that's right. It might also make sense to generate multiple passkeys for an account. For example, a separate one for logging in from Apple devices.
1. Passkey prompts asking if I want to use a phone or security key when I only have one (or neither!) registered. The UI for this gets in the way and should only ever present itself if I happen to have both kinds of devices registered.
2. Passkeys should have had the portability and flexibility that ssh keys have from the start. Making it so your grandparents can use public key cryptography and gain a significant advantage in securing their accounts in a user friendly manner should have been the priority. Seems like vendor lock-in was the goal from the start.
On Mac with the security key you can just press the button on the security key before choosing a path. It only looks like a required extra step but in practice it is optional.
>The UI for this gets in the way and should only ever present itself if I happen to have both kinds of devices registered.
I disagree. It is very annoying when some service fails to show an option on the grounds that I can't use it. It makes it difficult to resolve problems. If the option is just missing, I have no way to tell whether the company doesn't provide the option, whether the company made some sort of mistake (they can't provide an email option because they lost my email), whether I made a mistake, or whether the company just has a bad UI that tries to hide the option. And don't forget the situation where I tried to google online for some help in using the UI, I found a 6 month old Reddit post showing the option, and I can't figure out if the company changed the UI in the past six months.
They should show it greyed out with a note "no key of this type registered".
That’s fair. I just meant that during logon, it is annoying to have to click through an additional prompt that doesn’t apply. But I can see where if there was an issue showing what all the options could be and if they are enabled or unavailable or you want to set it up, would be more beneficial than not.
> Seems like vendor lock-in was the goal from the start.
Exactly. The passkey vendors state that the goal was to make phishing not just difficult but impossible. This means plaintext access to your credentials is forbidden forever, regardless of your level of expertise, and regardless of the complexity of the process to export/import them. The purpose of the so-called "secure credential exchange" is once again to prevent you from directly accessing your credentials. You can go from one passkey vendor to another, but you're always locked in to one passkey vendor or another.
Any credential system that makes it impossible to write something down on a piece of paper, take it to a new computer, and login to a website is just a gateway to vendor lock-in. You can manually manage your own ssh keys but for some reason not your passkeys.
As an Apple Mac user, what annoys me the most is that the use of passkeys in Safari requires iCloud Keychain, which of course requires iCloud and an Apple Account. [EDIT: Obviously I'm talking about built-in support. I'm well aware of third-party software, so everyone can stop replying to this now, please!] You can't do local-only passkeys, not even if you take responsibility for backing up your own Mac.
The passkey vendors took some good theoretical ideas, such as site-specific credentials and public-key cryptography, and totally mangled the implementation, making it hostile to everyone except themselves.
This is not true - browsers including Safari support passkeys managed by third-party password managers.
I'm using 1Password with browser extensions for Safari and Chrome on macOS and iOS and it works seamlessly with my passkeys, which are not stored in iCloud Keychain.
> you're always locked in to one passkey vendor or another.
This is obviously kicking the can down the road, but I "solve" this problem by storing passkeys in a third-party credential manager that supports them. That way I can use them on any device that I've installed the client app or browser extension on. I have this working on Fedora, macOS, Windows, and iOS.
> The passkey vendors state that the goal was to make phishing not just difficult but impossible. This means plaintext access to your credentials is forbidden forever, regardless of your level of expertise, and regardless of the complexity of the process to export/import them.
Care to cite this statement?
> As an Apple Mac user, what annoys me the most is that the use of passkeys in Safari requires iCloud Keychain, which of course requires iCloud and an Apple Account. You can't do local-only passkeys, not even if you take responsibility for backing up your own Mac.
You can use any credential manager you choose. You don't have to use Apple Passwords / iCloud Keychain.
> The purpose of the so-called "secure credential exchange" is once again to prevent you from directly accessing your credentials.
I’ll accept that the attestation parts of the protocol may have had some ulterior motives (though I’m skeptical), but not having to reveal your credential to the verifying party is the entire benefit of passkeys and hugely important to stop phishing. I think it’s disingenuous to argue that this is somehow unnecessary.
It's an open protocol, you don't need to use any of the vendors. My Yubikey is a "passkey", so is my Flipper Zero. Keepass provides passkey support.
For the general public, they already rely on either Google or Apple for pretty much all of their digital life. Nothing wrong with extending this to passkeys, it's convenient and makes sense for them.
Passkeys seem to be the best solution for users whose technical chops cannot be trusted, and who are also gullible enough to be a scam / social engineering target. Which, to my mind, describes a large enough chunk of audience of most popular services.
A tech-savvy relative of such a user should help them generate rescue codes, write them on a piece of paper, and store them along with all other important documents. Ideally the paper should also read: "Call me before using any of these codes! <phone number>."
Vendor lock-in a serious concern. Just reading through this KeePass issue again and seeing how much pressure the industry is trying to exert to prevent the users from being able to export their own private keys should be concerning. I come back to this discussion every time I see someone arguing in favor of passkey adoption.
>The unfortunate piece is that your product choices can have both positive and negative impacts on the ecosystem as a whole. I've already heard rumblings that KeepassXC is likely to be featured in a few industry presentations that highlight security challenges with passkey providers
Hi! I'm the commenter on that post that keeps being brought up!
I don't think requiring an encrypted backup (with a key or secret that YOU control) by default is "preventing users from being able to export their own private keys".
Hi! I have no issue with having the backup being encrypted by default, except the discussion returns again and again to disallowing any cleartext export, even when specifically requested by the end user.
And on a separate note, I fundamentally disagree for political reasons with the idea that the websites should be able to block specific passkey providers.
You say "requiring by default". That makes no sense in this context (or most) - you can either require something (which is not "by default") or you do not (at which point you can encourage something as strongly as you like, but it's still not required).
The github issue is quite clear about "requiring", not "by default", which is a restriction on what someone does with their own data. Particularly since AFAICT there is still no spec for data exchange over flat files. CXP is a probably-reasonable more-safe option to encourage, but it really shouldn't be the only option.
(arguably CXF only defines non-encrypted files, since it doesn't even recommend encryption options or provide a way to communicate what was used, except to say that it "MUST" encrypt or coordinate over CXP)
1) force the type of passkey stores used (e.g. hardware vs software) when I am providing the passkey store
2) force me to MFA (e.g. forcing touch ID, entering pin or unlock password, etc) when attempting to use a passkey
I'll continue to stick to plain old boring password + TOTP. I fully understand the security trade-offs like phishing resistance but password + TOTP is secure enough for me.
(1) is already true today. There is no way for services to enforce whether a passkey is stored in software or hardware.
(2) I understand you don't like the user experience. But to make a technical clarification: requiring a user action to prove there's a human involved in the login action (e.g. by clicking a button in UI or requiring Touch ID) does not necessarily mean there's another factor involved at all (MFA). What you are describing is more of a "liveness check" than a separate factor/separate credential.
(1) is already true today. There is no way for services to enforce whether a passkey is stored in software or hardware.
Challenge: Go and try to register a non-blessed passkey type with PayPal and come back and share your experience.
(2) I understand you don't like the user experience
Pretty much my complaint. Passkeys allow for service providers to do dumb things that result in terrible UX. With Password + TOTP, I don't get asked to touch a sensor, enter a PIN, enter an unlock password, etc.
Many/all? also need to have some form of manual input as a backup, so you're not forced to sync all your passwords to e.g. a library's computer just to log in, if your house burns down or something.
The "Vendors Can Lock You Out" part is what makes passkeys entirely a non-starter for me. Especially the additional risk when someone passes away and the heirs are trying to get access to the deceased's accounts. Vendors are well known for saying "we had an agreement with Samantha, and with her death, that agreement has terminated, and no one can be given access that was not pre-designated."
Some password managers provide an offline root of trust which family members can use in this scenario. For example, 1Password tells users to print off an "Emergency Kit" which is a physical piece of paper with secret recovery codes printed on it, which they store in one or more safe places. [1]
If someone passes away, their family members can use the Emergency Kit to gain access to and use all their credentials - including their passkeys.
(The Emergency Kit also allows you to recover your data in the event that you forget your master passphrase or lose all your devices.)
There's nothing different about using a password vs. a passkey that makes it easier or harder for vendors to lock you out. I am not sure where this misconception comes from.
Whatever process a vendor requires someone to go through in order to gain access to someone's account when they pass away remains the same whether the user previously used a password or a passkey to login.
Are you aware of any vendor that actually does have differing policies based on the account's login credential type? I'm not aware of any.
The only one who can lock me out of my relationship with e.g. HN is HN.
With passkeys:
Now I can be locked out by HN or by the passkey provider.
Sure I could use a local passkey provider, but the protocol provides a way for the site to enforce a whitelist of passkey providers, so it's not clear that would be an option. Particularly for businesses like banks which tend to adopt an approach of "if a security restriction is possible, it should be applied". Or even just the typical tech PM perspective of "we want to include logos for the log in with X, and I think more than 5 logos is ugly so let's just whitelist Lastpass, 1password, Google, Microsoft and apple and be done with it"
If I want to move a password, I either already have it memorized or I find it in my manager and write it down.
If I want to move a passkey out of my Apple keychain, last I heard the answer is to just make a new passkey. The important part of the secret is 100% under their control. It makes me very squeamish
> "we had an agreement with Samantha, and with her death, that agreement has terminated, and no one can be given access that was not pre-designated."
It would be nice if you could use some legal apparatus to ratchet these agreements into a trust. Corps would hate it though, so it will probably be illegal to do.
It’s “illegal” in the sense that you could write whatever you want in your will but it wouldn’t be binding. You cannot force a party into a legal obligation they do not agree to.
The government can, though. I’m not sure if there’s any existing laws pertaining to transfer of or access to general accounts after death (as opposed to bank accounts which I’m pretty sure there are laws about).
My will says that my executor can access my accounts which alleviates Apple from legal risk if they do grant access but I’m pretty sure they are not obligated to do so.
I hate passkeys because when I've encountered them it's always an interstitial between what I just signed in to and where I'm trying to go, it's always a "register a passkey now" with an obfuscated dark pattern bypass, and it's always on a corporate account that I don't need a fucking passkey for.
I don't want a passkey on my logins but there is no way to disable this prompt on the 3 websites that constantly annoy me for them.
Drives me batty. The company I work for is already paying you for the service I'm using. We use SSO for EVERYTHING, I've already 2FA Authenticated the login, and even if I set up a passkey I will still have to 2FA the login.
I don't use these sites in any personal capacity, and I would never use a site that harasses me in any way if I was not absolutely required to in order to earn a paycheck.
You're not going to get any money out of me, why are you torturing me?
Passkey just suck, end of story. The UX for them is so bad. I have no idea how many active pass keys I have. I just have to trust the provider knows what they're doing. Sometimes my authenticator app seems to forget my pass keys which is even more annoying.
Password + TOTP have served me well so far. To port from device to device I just need to log into my Bitwarden account. It is unclear to me what device loss would do to a passkey and the passkey never communicates that information to me. If I set up a passkey on my iPhone, the site prompts me on my Linux desktop. I understand it's fine for people who use single platforms for everything. But as far as I can tell there is no advantage over Password + TOTP. I really hope Passkeys don't become mandatory. I only use them for sites I don't care about or when I've accidentally said yes to setting one up.
If you had multiple devices set up on the site (each site must have done this individually), you just use a different device.
If you had synced your passkeys somewhere (note that the spec allows sites to block this, though I'm not aware of any actually doing so), you sync them to the new thing and log in normally.
If you did none of those, it's gone forever. Do the account recovery process, if one exists.
So it degrades to equal or worse than passwords in all cases (which cannot block backups or syncing, and you can enter them individually by hand so you're not exposing all your passwords to the device, and you can communicate them over the phone or in writing), for device loss purposes.
Restoring access in this scenario is imo one of their worst qualities.
TOTP is really annoying IMO but at least you control it so you can make it one-factor again if it's foisted on you. I made a Chrome extension to do that:
Readit News
People wrongly think passkeys are like Bitcoin wallets, where losing them means there's absolutely nothing you can do, your account is simply lost forever.
Losing a passkey is exactly like losing your password, which is to say, that for 99% of services, you can reset your password/passkey really easily. There's a prominent "Reset Password" button right on the login form. It sends you an email or an SMS, you click it, and it lets you reset right then and there. You can reset your passkey in exactly the same way.
It is not that easy to reset if you lose your password to your Apple, Google, Facebook, etc. They all have a bunch of factors that they use to authenticate you if you reset your password, and they don't even document which ones they use.
So, if you care about those accounts, you've got to make sure you have backup access. They all let you generate and print "backup codes" (emergency passwords) and store them in a fireproof safe or a literal bank vault. Do that!
As everybody knows, you can't store all of your passwords in a password manager. You need something outside of the password manager to login to the manager itself. That's why 1Password/LastPass is called that; you still need one last password that you keep and manage yourself.
That's true of passkeys, too. You can login to Google with passkey, but if Google is your password manager that stores your passkey, you need something else outside of Google's password manager to login to Google. Whether it's a password, a backup code, a YubiKey, whatever, you need one more thing to login to Google, ideally more than one, so you can back it up and keep it safe.
Security engineers are prioritizing preventing key copying over lockout issues, unilaterally, on literally billions of people. It improves their metrics internally, at the cost of an externality on the entire world. This kind of stuff invites odious regulation as more and more stories of lockout with no recourse surface.
And unlike passwords, there is no good provider migration story. There is a roach motel issue. Yes it is being 'worked on', but passkeys and such have been out for many years, the willful denial whenever you ask people running these standards about these issues is incredibly irritating. The fact they tend to avoid questions about this like politicians decreases trust in the motives of such standards.
I'm curious what the "good provider migration story" you're referring to here for passwords is?
Password managers by-and-large haven't agreed on a standardised interchange format for import/export - a few of them have some compatibility helpers for importing from specific popular competitors but they're all in different formats, no consistent formats.
The above goes for passkeys as it does passwords - import/export will include your passkeys - so I don't see much difference in the provider migration story.
On the other hand, the FIDO Credential Exchange Format does solve the above problem (if/when providers choose to adopt it), so passkeys are at least further along the path of creating a "good provider migration story" than passwords ever were.
Passwords right now are outright better.
And by the way, door keys could be copied.
Yes, absolutely. I have a second Google account I created and lost the password to. I can't reset it because it wants to know the exact month I opened it. I don't even know if it was 2012 or 2016, I'll never guess the month.
The answer to that is stuff like this:
https://blog.google/technology/safety-security/recovery-cont...
https://support.apple.com/en-us/102641
People keep falsely imagining that Google is setting people up with passkey-only accounts, with no way to backup their login credentials. Gosh, wouldn't that be terrible?
That would be like 1Password letting you create a passkey-only account with no password, storing the only passkey in 1Password. The whole idea makes no sense. 1Password doesn't do that, and neither does Apple, Google, Microsoft, etc. (We can all imagine them doing something that stupid, but, it turns out, they don't.)
Pre-passkeys, the most common lost-credential scenario was creating a fresh Gmail address on a new device (an Android phone) with a password and forgetting both your Google password and your password for your cellular-phone carrier (AT&T, T-Mobile, etc). Your Google password would be stored locally on your phone and in Google's cloud, but when you lose your phone and forget your passwords, no backups remain.
At that point, you're pretty much screwed. Google can't email you a reset-password link, because Gmail is your email. Google can't send you a 2FA SMS until you get a new phone with the same number, but you can't convince AT&T to do that, because they want to send a reset-password link to your email, which you don't have, or SMS to your phone, which you don't have.
(The cellular carriers don't even allow you to show government ID at a physical store. They don't allow you to take over a phone number that way, because people could then threaten/bribe a T-Mobile store representative to falsely claim that you presented valid government ID, taking over other people's accounts. If you walk into a store, they'll just put you on the phone with customer service, where they'll insist that you provide your AT&T password, or reset your password via email or SMS. If you've lost your email and your phone and all your passwords, you're completely out of luck.)
If Google allowed you to create a passkey-only account, with no SMS 2FA and no way to backup your passkey, that would be even worse.
But, luckily for all of us, they don't even allow that, and they're certainly not pushing it unilaterally on billions of people.
Not every provider does this correctly. Just yesterday I saw someone complaining on mastodon about their passkeys being locked and requiring a phone call to get reset.
Passkeys are exactly as resettable as passwords, which depends on your provider actually implementing things correctly.
e.g. that phone call case: some places will tell you a temporary password (over the phone) to enter next time, and then you come up with a new one when you log in. there is no equivalent flow for passkeys, because you can't enter them by hand. a site could of course build that for passkeys (like a temporary password with special UI for entering it), but literally every site with passwords can do that by default, it just needs a general admin UI which almost always exists.
(most I've encountered will email you a temp password, and in principle you could email a temp passkey too... but that doesn't work by phone / for manual entry, and is there a spec on that file format? I don't think so? in your password manager right now: is there a place to manually import a passkey for a website? half of mine don't have one for passkeys, but every single one I've ever seen has a way to manually enter a password)
If I log in to a site from my machine, and set up a passkey, but then log into that site from another machine, it'll just see no passkey present and ask for my password, yes?
A passkey is a local password on a device that could be shared through all the password manager gymnastics, but its not required as I understand it.
Passkey generated on a device can only change login flow for this one specific device. If you don’t synchronize passkey to other devices or if you do not generate passkey on other device, then login flow is different for other device. You need to enter password.
Imo it would not make any sense if it was different.
1. Passkey prompts asking if I want to use a phone or security key when I only have one (or neither!) registered. The UI for this gets in the way and should only ever present itself if I happen to have both kinds of devices registered.
2. Passkeys should have had the portability and flexibility that ssh keys have from the start. Making it so your grandparents can use public key cryptography and gain a significant advantage in securing their accounts in a user friendly manner should have been the priority. Seems like vendor lock-in was the goal from the start.
I disagree. It is very annoying when some service fails to show an option on the grounds that I can't use it. It makes it difficult to resolve problems. If the option is just missing, I have no way to tell whether the company doesn't provide the option, whether the company made some sort of mistake (they can't provide an email option because they lost my email), whether I made a mistake, or whether the company just has a bad UI that tries to hide the option. And don't forget the situation where I tried to google online for some help in using the UI, I found a 6 month old Reddit post showing the option, and I can't figure out if the company changed the UI in the past six months.
They should show it greyed out with a note "no key of this type registered".
Exactly. The passkey vendors state that the goal was to make phishing not just difficult but impossible. This means plaintext access to your credentials is forbidden forever, regardless of your level of expertise, and regardless of the complexity of the process to export/import them. The purpose of the so-called "secure credential exchange" is once again to prevent you from directly accessing your credentials. You can go from one passkey vendor to another, but you're always locked in to one passkey vendor or another.
Any credential system that makes it impossible to write something down on a piece of paper, take it to a new computer, and login to a website is just a gateway to vendor lock-in. You can manually manage your own ssh keys but for some reason not your passkeys.
As an Apple Mac user, what annoys me the most is that the use of passkeys in Safari requires iCloud Keychain, which of course requires iCloud and an Apple Account. [EDIT: Obviously I'm talking about built-in support. I'm well aware of third-party software, so everyone can stop replying to this now, please!] You can't do local-only passkeys, not even if you take responsibility for backing up your own Mac.
The passkey vendors took some good theoretical ideas, such as site-specific credentials and public-key cryptography, and totally mangled the implementation, making it hostile to everyone except themselves.
This is not true - browsers including Safari support passkeys managed by third-party password managers.
I'm using 1Password with browser extensions for Safari and Chrome on macOS and iOS and it works seamlessly with my passkeys, which are not stored in iCloud Keychain.
> you're always locked in to one passkey vendor or another.
This will change: https://1password.com/blog/fido-alliance-import-export-passk...
But again, kicking the can down the road.
Care to cite this statement?
> As an Apple Mac user, what annoys me the most is that the use of passkeys in Safari requires iCloud Keychain, which of course requires iCloud and an Apple Account. You can't do local-only passkeys, not even if you take responsibility for backing up your own Mac.
You can use any credential manager you choose. You don't have to use Apple Passwords / iCloud Keychain.
Completely untrue, Safari on both Mac and iOS supports third-party password managers for both traditional passwords and passkeys.
I’ll accept that the attestation parts of the protocol may have had some ulterior motives (though I’m skeptical), but not having to reveal your credential to the verifying party is the entire benefit of passkeys and hugely important to stop phishing. I think it’s disingenuous to argue that this is somehow unnecessary.
For the general public, they already rely on either Google or Apple for pretty much all of their digital life. Nothing wrong with extending this to passkeys, it's convenient and makes sense for them.
A tech-savvy relative of such a user should help them generate rescue codes, write them on a piece of paper, and store them along with all other important documents. Ideally the paper should also read: "Call me before using any of these codes! <phone number>."
a key based approach is great. Knowing (the passphrase) and Having (the key) is a good way to authenticate.
>The unfortunate piece is that your product choices can have both positive and negative impacts on the ecosystem as a whole. I've already heard rumblings that KeepassXC is likely to be featured in a few industry presentations that highlight security challenges with passkey providers
https://github.com/keepassxreboot/keepassxc/issues/10407
I don't think requiring an encrypted backup (with a key or secret that YOU control) by default is "preventing users from being able to export their own private keys".
And on a separate note, I fundamentally disagree for political reasons with the idea that the websites should be able to block specific passkey providers.
The github issue is quite clear about "requiring", not "by default", which is a restriction on what someone does with their own data. Particularly since AFAICT there is still no spec for data exchange over flat files. CXP is a probably-reasonable more-safe option to encourage, but it really shouldn't be the only option.
(arguably CXF only defines non-encrypted files, since it doesn't even recommend encryption options or provide a way to communicate what was used, except to say that it "MUST" encrypt or coordinate over CXP)
Deleted Comment
Until service providers are no longer allowed to:
I'll continue to stick to plain old boring password + TOTP. I fully understand the security trade-offs like phishing resistance but password + TOTP is secure enough for me.(2) I understand you don't like the user experience. But to make a technical clarification: requiring a user action to prove there's a human involved in the login action (e.g. by clicking a button in UI or requiring Touch ID) does not necessarily mean there's another factor involved at all (MFA). What you are describing is more of a "liveness check" than a separate factor/separate credential.
Deleted Comment
Which probably looks a lot like a password.
If he can't get his account back in any reasonable amount of time what chance do I have?
(I see I missed a big HN discussion on this: https://news.ycombinator.com/item?id=46252114 - 1038 comments)
If someone passes away, their family members can use the Emergency Kit to gain access to and use all their credentials - including their passkeys.
(The Emergency Kit also allows you to recover your data in the event that you forget your master passphrase or lose all your devices.)
[1] https://support.1password.com/emergency-kit/
Whatever process a vendor requires someone to go through in order to gain access to someone's account when they pass away remains the same whether the user previously used a password or a passkey to login.
Are you aware of any vendor that actually does have differing policies based on the account's login credential type? I'm not aware of any.
The only one who can lock me out of my relationship with e.g. HN is HN.
With passkeys:
Now I can be locked out by HN or by the passkey provider.
Sure I could use a local passkey provider, but the protocol provides a way for the site to enforce a whitelist of passkey providers, so it's not clear that would be an option. Particularly for businesses like banks which tend to adopt an approach of "if a security restriction is possible, it should be applied". Or even just the typical tech PM perspective of "we want to include logos for the log in with X, and I think more than 5 logos is ugly so let's just whitelist Lastpass, 1password, Google, Microsoft and apple and be done with it"
If I want to move a passkey out of my Apple keychain, last I heard the answer is to just make a new passkey. The important part of the secret is 100% under their control. It makes me very squeamish
It would be nice if you could use some legal apparatus to ratchet these agreements into a trust. Corps would hate it though, so it will probably be illegal to do.
The government can, though. I’m not sure if there’s any existing laws pertaining to transfer of or access to general accounts after death (as opposed to bank accounts which I’m pretty sure there are laws about).
My will says that my executor can access my accounts which alleviates Apple from legal risk if they do grant access but I’m pretty sure they are not obligated to do so.
I wrote about it here: https://digitalseams.com/blog/what-happens-to-your-online-ac...
I don't want a passkey on my logins but there is no way to disable this prompt on the 3 websites that constantly annoy me for them.
Drives me batty. The company I work for is already paying you for the service I'm using. We use SSO for EVERYTHING, I've already 2FA Authenticated the login, and even if I set up a passkey I will still have to 2FA the login.
I don't use these sites in any personal capacity, and I would never use a site that harasses me in any way if I was not absolutely required to in order to earn a paycheck.
You're not going to get any money out of me, why are you torturing me?
Stop the insanity.
If you had multiple devices set up on the site (each site must have done this individually), you just use a different device.
If you had synced your passkeys somewhere (note that the spec allows sites to block this, though I'm not aware of any actually doing so), you sync them to the new thing and log in normally.
If you did none of those, it's gone forever. Do the account recovery process, if one exists.
So it degrades to equal or worse than passwords in all cases (which cannot block backups or syncing, and you can enter them individually by hand so you're not exposing all your passwords to the device, and you can communicate them over the phone or in writing), for device loss purposes.
Restoring access in this scenario is imo one of their worst qualities.
Succumbing to lock-in can smooth some (but not all) rough edges and creates it's own restrictions and risks.
TOTP for the win --- it's the simpler practical alternative.
https://chromewebstore.google.com/detail/lazyotp/eoihmklnjkn...