←back to thread

FIDO Alliance publishes new spec to let users move passkeys across providers

(fidoalliance.org)
225 points Terretta | 1 comments | 15 Oct 24 12:18 UTC | HN request time: 0.275s | source
Show context
itohihiyt ◴[16 Oct 24 06:45 UTC] No.41856240[source]
I only need one provider. A portable open source encrypted database I'm in control of and can back up and secure as needed. It's what I have now, and have had for years, in my password manager. I won't be at the mercy of a company or a device to access my digital life.
replies(3): >>41856321 #>>41856331 #>>41862108 #
leokennis ◴[16 Oct 24 07:01 UTC] No.41856321[source]
That's cool, but the last thing I would want my mom to have to manage is a portable open source encrypted database shes's in control of and can back up and secure as needed.
replies(3): >>41856328 #>>41857755 #>>41863274 #
saurik ◴[16 Oct 24 07:02 UTC] No.41856328[source]
Great; but, as long as a system supports the open solution, anyone can provide for you the closed one, while the opposite isn't the case.
replies(1): >>41856410 #
izacus ◴[16 Oct 24 07:16 UTC] No.41856410[source]
And Passkeys is an open solution, what are you all going on about?
replies(2): >>41856536 #>>41856572 #
politelemon ◴[16 Oct 24 07:36 UTC] No.41856536[source]
Currently it is not. It was created provider centric so far, and in my reading of the spec, a thinly veiled lockin. The ability to move around should have been built in from the beginning but it was more beneficial for the providers to start without.
replies(2): >>41856627 #>>41857724 #
1. wolletd ◴[16 Oct 24 07:51 UTC] No.41856627[source]
Historically, the spec was written for hardware security tokens. Keys on those tokens can't be moved around by design.

The whole "platform authenticator" thing enabling passkeys came later. Extending the spec that way was easy: a platform authenticator works just like a hardware authenticator, it just uses a different channel for communication.

The spec the providers built upon just wasn't designed for software authenticators that allow moving around credentials. The original spec assumed credentials are stored in a non-extractable manner in HSMs.

Edit: thinking about it, platform authenticators may have been in there pretty early, but under the assumption of also using an HSM and not allowing extraction of credentials. Providers compromised security for usability, removed the HSM and made passkeys synchronizable – the spec had to adapt.