timmyc123 commented on Yep, Passkeys Still Have Problems   fy.blackhats.net.au/blog/... · Posted by u/todsacerdoti
spencerflem · 3 days ago
Ah my bad, I thought the distinction was resident = stored on a YubiKey/Secure Enclave/TPM and that was what made them resident.

To my credit I think yubikey uses the term that way and webauthn has a different definition but in the context of passkeys you’re right.

timmyc123 · 2 days ago
> stored on a YubiKey/Secure Enclave/TPM and that was what made them resident.

Stored in an authenticator/credential manager in general, not specific to a security key, secure enclave, or TPM.

timmyc123 commented on Yep, Passkeys Still Have Problems   fy.blackhats.net.au/blog/... · Posted by u/todsacerdoti
pseudalopex · 3 days ago
But it could be. Yes?
timmyc123 · 3 days ago
Not really. The attestation model defined for workforce (enterprise) credential managers/authenticators doesn't really work in practice for consumer credential managers.
timmyc123 commented on Yep, Passkeys Still Have Problems   fy.blackhats.net.au/blog/... · Posted by u/todsacerdoti
spencerflem · 3 days ago
Last I heard, they were pushing hard for resident keys only, maybe that's changed. I don't like that there's still the option to restrict it to that in the same way having the option to force remote attestation makes me uneasy.
timmyc123 · 3 days ago
A passkey is a discoverable credential (aka resident key) in spec terminology. But the type of credential has no relationship to attestation (which is not used in the consumer passkey ecosystem).
timmyc123 commented on Yep, Passkeys Still Have Problems   fy.blackhats.net.au/blog/... · Posted by u/todsacerdoti
polalavik · 3 days ago
Exactly, passkeys are confusing to the laymen (and not Laymen) because it is an orchestration across multiple services and devices.

If I’m using a passkey to login to my Gmail via chrome browser but used my phone what just happened - did it save in chrome? My Google account? My iPhone?

timmyc123 · 3 days ago
The dialog provided by the browser or OS usually tells you where the passkey is saved.
timmyc123 commented on Yep, Passkeys Still Have Problems   fy.blackhats.net.au/blog/... · Posted by u/todsacerdoti
lapcat · 3 days ago
> You're quoting the first post of a long discussion

"You absolutely should be preventing users from being able to copy a private key!" is the 8th post in the discussion.

Do you stand by these words, or are you now repudiating them?

> You're choosing to use an app that doesn't meet your needs

I am using an app that meets my needs. I don't need passkeys. It's just other people telling me that I need passkeys.

timmyc123 · 3 days ago
Copy and paste in clear text? Yes, I don't think that's a good idea. Download to disk in clear text? Yes, I don't think that's a good idea.

Years and years of security incidents with consumer data show that this is a really bad idea.

At minimum, a credential manager distributed for wide use should encrypt exported/copied keys with a user selected secret or user generated key.

timmyc123 commented on Yep, Passkeys Still Have Problems   fy.blackhats.net.au/blog/... · Posted by u/todsacerdoti
Dagonfly · 3 days ago
Well it relates to this sentence:

> You can use any credential manager you choose.

Which I would be careful with. I can use any authenticator that the RP accepts. I could totally see a future where banks only allow certain authenticators (Apple/Google) and enforce this through AAGUID or even attStmt. Similar to the Google Play Protect situation.

At that point, those banks/services would enforce vendor lock-in on me. The reality would be: I can use iOS or Android, but not a FOSS implementation. This restriction is not possible with old-school passwords.

timmyc123 · 3 days ago
If a website were to attempt to do this, you (or your credential manager) could simply change the AAGUID to match another credential manager.
timmyc123 commented on Yep, Passkeys Still Have Problems   fy.blackhats.net.au/blog/... · Posted by u/todsacerdoti
pseudalopex · 3 days ago
The threat you relayed was more serious than the threat you made. But it is a threat when a person with influence suggests they may support a punishment.

The biggest advocates of an open ecosystem say attestation should be removed and no one should adopt Passkeys before. Is this your position now?

The concerns were clear I thought. I would be happy to discuss this publicly.

timmyc123 · 3 days ago
Attestation is not used in the consumer passkey ecosystem.
timmyc123 commented on Yep, Passkeys Still Have Problems   fy.blackhats.net.au/blog/... · Posted by u/todsacerdoti
pseudalopex · 3 days ago
Passkeys relying parties can block providers. Tim Cappalli threatened the KeypassXC developers so.[1] The restrictions demanded now do not restrict user freedom significantly arguably. But the incentives and capabilities are clear.

[1] https://github.com/keepassxreboot/keepassxc/issues/10407#iss...

timmyc123 · 3 days ago
Hi, Tim Cappalli here.

Not sure how stating that my (an individual) opinions on a topic are evolving is interpreted as "threatened the KeypassXC developers".

If you've been following along, you'll have seen that I am actually one of the biggest advocates of the open passkey ecosystem, and have been working really hard to make sure all credential managers have a level playing field.

Always happy to chat directly if you have concerns!

timmyc123 commented on Yep, Passkeys Still Have Problems   fy.blackhats.net.au/blog/... · Posted by u/todsacerdoti
AndrewDucker · 3 days ago
I'm limited in what applications I can install at work. I am not limited in what websites I can access on my lunch break (within reason).
timmyc123 · 3 days ago
This is one of the core use cases for why FIDO Cross-Device Authentication was created. To be able to use a passkey to sign in on a shared device, a device you don't control, or a device where you just need temporary access to something.
timmyc123 commented on Yep, Passkeys Still Have Problems   fy.blackhats.net.au/blog/... · Posted by u/todsacerdoti
spencerflem · 3 days ago
Because by default, they do, and you have to explicitly install software to let it be moved. And even if you do, it’s discouraged and the spec is allowed to deny you access.
timmyc123 · 3 days ago
> it’s discouraged

Why do you say that? There are billions of synced passkeys being used by users with some of the largest sites and services in the world.
