225 points Terretta | 4 comments
troupo ◴[] No.41856125[source]
I came across an opinion I largely agree with: https://mastodon.social/@lapcatsoftware/113308133338196824 and https://mastodon.social/@lapcatsoftware/113308273654667583

> These big tech companies will do anything possible to prevent users from ever actually being able to access their own passkeys.

> Export and import should have been extremely simple. Instead, they took years to come up with some convoluted system where the only possibility is to transfer from one vendor lock-in to another vendor lock-in.

> With passkeys, the big tech companies are executing a coup d'état of authentication, just like they did for HTML itself.

> In the end, they control every protocol, become the gatekeepers for the web.

replies(8): >>41856181 #>>41856189 #>>41856247 #>>41856254 #>>41856772 #>>41862312 #>>41862676 #>>41881156 #
NikolaNovak ◴[] No.41856181[source]
So it's not just me!

I feel like I either misunderstand passkeys or live in some twilight zone where they're ok even though I cannot write them down or memorize them, I can only have invisible magic stuck on my phone.

If I show up naked, I can log in to the system via password but I am completely useless with a passkey. And for somebody like myself who uses multiple devices daily (two phones, two tablets, several laptops and desktops), it seems a nightmare to set them all up or maintain :-(

It feels like a system designed for those who live by their phone and trust some specific service provider with their life. I'm not in either of those categories :-(. I still don't understand what the "Keepass", "little black notebook", and "good memory" equivalents are.

replies(3): >>41856209 #>>41856253 #>>41856425 #
1. wolletd ◴[] No.41856253[source]
KeePassXC actually supports passkeys and can be a passkey provider in a desktop browser.

And Android 14 seems to allow changing the passkey provider in the Android system as well. With that, the only thing left would be a KeePassXC-compatible app that can serve as provider on Android, using the same database as the desktop.

With that setup, I'd be willing to use passkeys exclusively (my phone is still Android 13 and I don't know about app support). I already can't log in anywhere (important) without access to my password manager.

replies(2): >>41858212 #>>41862267 #
2. Dagonfly ◴[] No.41858212[source]
Can confirm: Using Android 14 and Bitwarden, I can sign in to github.com using my passkey. It pops up a system dialog where I can select Bitwarden and then my GitHub username.

Last time I checked, the Bitwarden Vault export included the whole FIDO credential including the private key.

replies(1): >>41861451 #
3. wolletd ◴[] No.41861451[source]
Bitwarden (and LastPass, iirc) have supported passkeys a little longer than KeePassXC. I'm glad to hear they achieved full integration.

As a KeePass database is used by various open source clients from different vendors, it just takes a little longer to get all this done. But I'm sure we'll get there eventually.

4. barkerja ◴[] No.41862267[source]
> Android 14 seems to allow changing the passkey provider in the Android system as well

It's worth noting this is also supported in iOS and macOS.

Settings > General > AutoFill & Passwords