225 points Terretta | 10 comments
rkagerer ◴[] No.41856151[source]
Does this include a way for a technically-savvy user to 'repatriate' their passkeys into their own infrastructure? (i.e. If I want to be my own provider)
replies(5): >>41856235 #>>41856260 #>>41856382 #>>41856674 #>>41864441 #
1. HeatrayEnjoyer ◴[] No.41856382[source]
There shouldn't be. Secure enclaves aren't secure if they can be copied.
replies(7): >>41856651 #>>41863070 #>>41863950 #>>41864073 #>>41867442 #>>41867586 #>>41871611 #
2. lucianbr ◴[] No.41856651[source]
How does this suddenly become a problem when as the user I want access to my keys, but it isn't a problem when corporations copy my keys between them, which is what this post is about?
replies(1): >>41863813 #
3. jasonjayr ◴[] No.41863070[source]
Secured against who?
4. ◴[] No.41863813[source]
5. eikenberry ◴[] No.41863950[source]
So you are against this new spec becoming a standard then?
6. benlivengood ◴[] No.41864073[source]
The exchange spec suggests that the sending secure enclave sends encrypted credentials to the receiving secure enclave; they're never unwrapped in public between 'trusting' enclaves; which enclaves will trust each other enough to perform the credential transfer is another question.
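The enclave-to-enclave flow described in the comment above, as an added example that is not part of the thread and not the credential exchange spec's own code: two toy "enclaves" modelled in Go with only the standard library. The sender wraps a passkey's ECDSA P-256 private key under an AES-256-GCM key derived (via a minimal HKDF-SHA256) from an ephemeral ECDH agreement with the receiver's long-term identity key, so the private scalar is never in the clear on the wire; the receiver only accepts envelopes from sender identities it has explicitly pinned, which is the "which enclaves trust each other" step. The type and function names, the `passkey-transfer-v0` info string and the P-256/HKDF/GCM choices are assumptions made for illustration, not what the real spec mandates.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Enclave is a toy credential store with a long-term ECDH identity key (assumed model,
// not the spec). A peer pins the identity public key before it will accept a transfer.
type Enclave struct {
	Name     string
	identity *ecdh.PrivateKey
	trusted  map[string]bool // keyed by the raw bytes of a pinned peer identity key
}

func NewEnclave(name string) *Enclave {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Enclave{Name: name, identity: priv, trusted: map[string]bool{}}
}

func (e *Enclave) PublicKey() *ecdh.PublicKey { return e.identity.PublicKey() }
func (e *Enclave) Trust(peer *ecdh.PublicKey) { e.trusted[string(peer.Bytes())] = true }

// Envelope is everything that crosses the wire: sender identity, ephemeral ECDH key,
// nonce and ciphertext. The passkey private key itself appears only inside Ciphertext.
type Envelope struct {
	SenderID, Ephemeral, Nonce, Ciphertext []byte
}

// hkdfSHA256 is a minimal RFC 5869 extract+expand producing one 32-byte output block.
func hkdfSHA256(secret, salt, info []byte) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(secret)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(info)
	exp.Write([]byte{1})
	return exp.Sum(nil)
}

// wrapKey binds the wrapping key to this ephemeral key and this receiver.
func wrapKey(shared, ephemeralPub, receiverPub []byte) []byte {
	salt := append(append([]byte{}, ephemeralPub...), receiverPub...)
	return hkdfSHA256(shared, salt, []byte("passkey-transfer-v0"))
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// Export wraps the passkey for exactly one receiver; the plaintext never leaves this function.
func (e *Enclave) Export(passkey *ecdsa.PrivateKey, receiver *ecdh.PublicKey) (*Envelope, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(receiver)
	if err != nil {
		return nil, err
	}
	plain, err := x509.MarshalECPrivateKey(passkey) // SEC1 DER, contains the scalar D
	if err != nil {
		return nil, err
	}
	gcm := gcmFor(wrapKey(shared, eph.PublicKey().Bytes(), receiver.Bytes()))
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad := append(e.PublicKey().Bytes(), receiver.Bytes()...) // sender || receiver
	ct := gcm.Seal(nil, nonce, plain, aad)
	return &Envelope{SenderID: e.PublicKey().Bytes(), Ephemeral: eph.PublicKey().Bytes(), Nonce: nonce, Ciphertext: ct}, nil
}

// Import refuses envelopes from senders this enclave has not pinned, then unwraps.
// An envelope addressed to a different receiver fails GCM authentication here.
func (e *Enclave) Import(env *Envelope) (*ecdsa.PrivateKey, error) {
	if !e.trusted[string(env.SenderID)] {
		return nil, errors.New("sender enclave is not trusted")
	}
	ephPub, err := ecdh.P256().NewPublicKey(env.Ephemeral)
	if err != nil {
		return nil, err
	}
	shared, err := e.identity.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm := gcmFor(wrapKey(shared, env.Ephemeral, e.PublicKey().Bytes()))
	aad := append(append([]byte{}, env.SenderID...), e.PublicKey().Bytes()...)
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, err
	}
	return x509.ParseECPrivateKey(plain)
}

// LeaksScalar reports whether the private scalar appears verbatim anywhere on the wire.
func LeaksScalar(passkey *ecdsa.PrivateKey, env *Envelope) bool {
	d := passkey.D.Bytes()
	return bytes.Contains(env.Ciphertext, d) || bytes.Contains(env.Ephemeral, d)
}

// Demo runs one transfer A -> B and the two failure modes: B refuses A before pinning it,
// and a third enclave C cannot open an envelope that was wrapped for B.
func Demo() (signatureValid, leaked, untrustedRefused, wrongReceiverRefused bool, err error) {
	a, b, c := NewEnclave("A"), NewEnclave("B"), NewEnclave("C")
	passkey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for a passkey
	if err != nil {
		return
	}
	env, err := a.Export(passkey, b.PublicKey())
	if err != nil {
		return
	}
	leaked = LeaksScalar(passkey, env)
	_, errB := b.Import(env) // B has not pinned A yet
	untrustedRefused = errB != nil
	b.Trust(a.PublicKey())
	got, err := b.Import(env)
	if err != nil {
		return
	}
	digest := sha256.Sum256([]byte("constructed WebAuthn challenge"))
	sig, err := ecdsa.SignASN1(rand.Reader, got, digest[:])
	if err != nil {
		return
	}
	signatureValid = ecdsa.VerifyASN1(&passkey.PublicKey, digest[:], sig)
	c.Trust(a.PublicKey())
	_, errC := c.Import(env) // trusted sender, wrong receiver: ECDH key mismatch, Open fails
	wrongReceiverRefused = errC != nil
	return
}

func main() {
	valid, leaked, refused, wrongRcv, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("receiver's copy signs for the original public key: %v\n", valid)
	fmt.Printf("private scalar visible on the wire: %v\n", leaked)
	fmt.Printf("untrusted sender refused: %v, wrong receiver refused: %v\n", refused, wrongRcv)
}
```

The point of `Demo` is the last two checks: wrapping alone does not decide who may receive a credential, the pinning in `Trust` does, and that allowlist is precisely the policy question the comment leaves open.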
7. noirscape ◴[] No.41867442[source]
In that case, the keys would be a non-starter. The overwhelming majority of tech requests relate to people forgetting their passwords and getting in trouble because the browser's password manager forgot the password itself.

The reality is that the biggest pushers of Passkeys are the providers with the least amount of infrastructure stability. If you want people to get to use Passkeys, providing an exit tool from Google and Apple is a must, because both providers are godawful at not accidentally mushing up your data. That's not so important if all you're using their infrastructure for is a periodic backup/use it to transfer photos to your PC, but it's a problem for anything that has to be stored long-term.

replies(1): >>41878714 #
8. lxgr ◴[] No.41867586[source]
Passkeys and secure enclaves are only loosely related. You can implement one using the other, but it’s by no means a requirement.

And even when they are, nothing says that secure enclaves can’t have importable or exportable keys. Many schemes do both on a regular basis.

9. ◴[] No.41871611[source]
10. HeatrayEnjoyer ◴[] No.41878714[source]
Any exit tool just becomes the latest focus of phishers and credential stealing malware.