225 points Terretta | 1 comments
solarkraft ◴[] No.41860069[source]
I had hope for passkeys, with all the interop-promises.

It turned out that no (mainstream) passkey provider allows backups however, making them infinitely worse than just using passwords.

Maybe this will help, but fuck me, it’s all complicated, especially for a damn foundational security mechanism!

It could be so simple, just look at SSH keys, which I think largely use the same principle.

skybrian ◴[] No.41860481[source]
You can create backup keys by creating more passkeys.
lelandbatey ◴[] No.41862445[source]
That's not a backup, that's just another secret. If I can't record the secret onto paper that I can put in a safe deposit box at a bank (or several), then it ain't backed up.
1. skybrian ◴[] No.41862675[source]
It’s an equivalent key. It unlocks the same door. It doesn’t matter if it’s the same bits, because the only thing we care about is whether it unlocks the door.

Two different combinations for the same lock serve as backups for each other for practical purposes.

They could even be entirely different methods of access, like a Yubikey or backup codes. What matters is that you have independent ways to get in.