225 points Terretta | 11 comments
troupo No.41856125
I came across an opinion I largely agree with: https://mastodon.social/@lapcatsoftware/113308133338196824 and https://mastodon.social/@lapcatsoftware/113308273654667583

> These big tech companies will do anything possible to prevent users from ever actually being able to access their own passkeys.

> Export and import should have been extremely simple. Instead, they took years to come up with some convoluted system where the only possibility is to transfer from one vendor lock-in to another vendor lock-in.

> With passkeys, the big tech companies are executing a coup d'état of authentication, just like they did for HTML itself.

> In the end, they control every protocol, become the gatekeepers for the web.

replies(8): >>41856181 #>>41856189 #>>41856247 #>>41856254 #>>41856772 #>>41862312 #>>41862676 #>>41881156 #
1. skybrian No.41856772
Unlike your photo collection, passkeys aren’t precious. They’re just meaningless data. You can and should generate additional ones for each password manager you use, so you have multiple independent ways of getting into an account. As long as you can do that, everything is replaceable and there’s no lock-in.

Similarly, I wouldn’t copy a private key for ssh to a new laptop. I generate a new one and copy the public key instead. It makes it easier to revoke access to the old computer.

I do think this new spec will sometimes be useful for populating a new password manager, though.

replies(3): >>41857222 #>>41860188 #>>41863175 #
2. jauntywundrkind No.41857222
The proposal that any time I create an account I need multiple physical tokens or multiple password managers running is unbelievably stupid & fantastical. This whole project is doomed doomed doomed if this is the model.

I've never seen a single site suggest this either. Many have set up passkeys, but not one has prompted me to create a second. I have downloaded a lot of backup keys though.

Sorry to be on blast here but every time passkeys come up the "use multiple keys" gets said & it's a joke. There needs to be a flow where I can create a passkey & have it replicate to a bunch of devices automatically; the current proposal that users need to gather all their security tokens & add each one is an absolute promise this technology is going to flop.

replies(2): >>41857772 #>>41860370 #
3. growse No.41857772
> Sorry to be on blast here but every time passkeys come up the "use multiple keys" gets said & it's a joke. There needs to be a flow where I can create a passkey & have it replicate to a bunch of devices automatically

Choose a passkey provider that supports this then. I use bitwarden. Other people use iOS keychain. Both work great.

4. solarkraft No.41860188
I know you’re applying the same model as for SSH keys (and functionally they are very similar) … but I also think 1 SSH key/device is impractical if you have many services to log into and many devices to log in from - which is just the reality nowadays.

Imagine having to use a specific password for each service/device combination. Instead we don’t tie passwords to devices, but to users, to avoid this complexity.

replies(3): >>41860274 #>>41863190 #>>41863395 #
5. skybrian No.41860274
It’s certainly not my reality. I have a desktop computer and a laptop that I use ssh from. How many computers do you have?
replies(1): >>41865079 #
6. skybrian No.41860370
I bring it up because people claim there is lock-in and it’s not true.

Apple and Google both replicate between devices, so there is some replication, within ecosystems. I only need to create a passkey twice per account so I can use both. It’s not a big deal, though replicating between them would be better.

And so I am clearly not locked in. (Not because of passkeys, anyway.) If people think they’re locked in then it’s a “can’t be bothered” sort of lock-in.

Clearly not fantastical since I’m doing it.

7. rcxdude No.41863175
For this to be practical, there needs to be a way to enroll non-present devices. Which is technically feasible, but there's no real support for it yet in the standard or in the available implementations. (e.g. with SSH you can have a list of the public keys of all your devices). That would make e.g. passkeys on a HSM more feasible, since you could enroll your backup in a safe whenever you create an account with your daily driver one.

(The added bonus security feature being you could revoke your daily driver if you lose it, while retaining access to your backup. But again there's no actual support for this kind of thing)

8. rcxdude No.41863190
It's not particularly impractical for SSH: have a text document with the public keys of all your devices, and copy it into the authorized keys for any system you want to log into. Passkeys don't have an analog for this, though.
replies(1): >>41863379 #
9. fragmede No.41863379
fwiw https://github.com/<username>.keys is a pretty good one for that
10. 9dev No.41863395
> Imagine having to use a specific password for each service/device combination. Instead we don’t tie passwords to devices, but to users, to avoid this complexity.

But that is the entire premise of Passkeys—they remove the complexity, because having individual passwords per device is clearly superior to user-bound passwords, if you don’t need to worry about it and it just works. Hence why, to stay with SSH, you shouldn’t use SSH keypairs, but certificates signed by a CA.
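
The per-device key model discussed in this thread, worked through as an added example (not code from any commenter): rcxdude's "text document with the public keys of all your devices" becomes a generated authorized_keys, 9dev's CA-signed alternative issues each device a certificate with a principal, and rcxdude's revoke-the-daily-driver-keep-the-backup case is done with a KRL. It assumes OpenSSH's ssh-keygen is on PATH; the device names, the principal "alice" and the validity window are made up for the demo.

```shell
#!/bin/sh
# Added example: per-device SSH keys, an authorized_keys built from their public halves,
# then a user CA that signs one certificate per device and a KRL that revokes a lost one.
# Assumes OpenSSH ssh-keygen; everything lives in a throwaway directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One keypair per device; only the .pub half ever leaves the device.
gen_device_key() {                       # $1 = device name (constructed for the demo)
  rm -f "$WORK/$1" "$WORK/$1.pub"
  ssh-keygen -q -t ed25519 -N "" -C "$1" -f "$WORK/$1"
}

# The "text document with all my public keys" approach: one authorized_keys line per device.
build_authorized_keys() {                # $@ = device names to grant access
  for d in "$@"; do cat "$WORK/$d.pub"; done > "$WORK/authorized_keys"
}
count_authorized() { wc -l < "$WORK/authorized_keys" | tr -d ' '; }

# The CA approach: servers trust one CA key (TrustedUserCAKeys) instead of N device keys;
# each device presents a certificate carrying its principal and an expiry.
make_ca() { rm -f "$WORK/ca" "$WORK/ca.pub"; ssh-keygen -q -t ed25519 -N "" -C "user-ca" -f "$WORK/ca"; }
sign_device() {                          # $1 = device, $2 = principal, $3 = validity (e.g. +30d)
  ssh-keygen -q -s "$WORK/ca" -I "$1" -n "$2" -V "$3" "$WORK/$1.pub"   # writes $1-cert.pub
}
cert_principal() { ssh-keygen -L -f "$WORK/$1-cert.pub" | awk '/Principals:/{getline; print $1}'; }

# Revocation: put the lost device's public key in a KRL (RevokedKeys on the server);
# a certificate for a revoked key is rejected while the other devices keep working.
revoke_device() { ssh-keygen -q -k -f "$WORK/revoked.krl" "$WORK/$1.pub"; }
# Exit 0 if the device's certificate is still accepted, 1 if the KRL revokes it.
cert_usable() { ssh-keygen -Q -f "$WORK/revoked.krl" "$WORK/$1-cert.pub" >/dev/null; }

demo() {
  gen_device_key daily; gen_device_key backup
  build_authorized_keys daily backup       # raw-key model: two lines, one per device
  make_ca
  sign_device daily  alice +30d            # CA model: same principal, separate certs
  sign_device backup alice +30d
  revoke_device daily                      # the daily driver is lost
  cert_usable daily  && echo "daily: usable"  || echo "daily: REVOKED"
  cert_usable backup && echo "backup: usable" || echo "backup: REVOKED"
}
demo
```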

11. NikolaNovak No.41865079
FWIW, I have two phones (work and personal), two tablets (iPad and Android), 4 laptops (primary employer, client, personal, music production), one main desktop for gaming, 4 Intel NUCs for various TVs and whatnot around the house and two Intel NUCs for experimenting. Plus my wife's stuff.

Everything but employer stuff was cheap on Facebook Marketplace. I am a bit on the tail end of my friends and coworkers but not by much. It's always been supremely convenient to be able to choose the form and location of my computing device. The cheap devices are largely disposable - I have several layers of backups. It is this perspective that makes passkeys seem strange, a Cartesian join of many-to-many between my devices and providers that quickly gets... insane.

(This is in context of Passkeys. If your question is ssh, substantially less:)