←back to thread

FIDO Alliance publishes new spec to let users move passkeys across providers

(fidoalliance.org)
225 points Terretta | 1 comments | 15 Oct 24 12:18 UTC | HN request time: 0.202s | source
Show context
troupo ◴[16 Oct 24 06:22 UTC] No.41856125[source]
I came across an opinion I largely agree with: https://mastodon.social/@lapcatsoftware/113308133338196824 and https://mastodon.social/@lapcatsoftware/113308273654667583

> These big tech companies will do anything possible to prevent users from ever actually being able to access their own passkeys.

> Export and import should have been extremely simple. Instead, they took years to come up with some convoluted system where the only possibility is to transfer from one vendor lock-in to another vendor lock-in.

> With passkeys, the big tech companies are executing a coup d'état of authentication, just like they did for HTML itself.

> In the end, they control every protocol, become the gatekeepers for the web.

replies(8): >>41856181 #>>41856189 #>>41856247 #>>41856254 #>>41856772 #>>41862312 #>>41862676 #>>41881156 #
NikolaNovak ◴[16 Oct 24 06:32 UTC] No.41856181[source]
So it's not just me!

I feel like I either misunderstand pass keys or live in some twilight zone where they're ok even though I cannot wrote them down or memorize them, I can only have invisible magic stuck on my phone.

If I show up naked, I can login to the system via password but I am conpletely useless with a pass key. And for somebody like myself who uses multiple devices daily (two phones, two tablets, several laptops and desktops), it seems a nightmare to set them all up or maintain:-(

It feels a system designed for those who live by their phone and trust some specific service provider with their life. I'm not in either of those categories :-(. I still don't understand what the "Keepass, "little black notebook", and "good memory" equivalents are.

replies(3): >>41856209 #>>41856253 #>>41856425 #
izacus ◴[16 Oct 24 07:19 UTC] No.41856425[source]
> I feel like I either misunderstand pass keys or live in some twilight zone where they're ok even though I cannot wrote them down or memorize them, I can only have invisible magic stuck on my phone.

There seems to be a lot of misunderstanding of passkeys indeed. They're in no way different than that random password stored in your password manager and can be (with this standard you're commenting on) moved around wherever you want them.

All passkey sites also support fallbacks to just password or other auth mode.

replies(4): >>41856498 #>>41857306 #>>41859826 #>>41867764 #
mzhaase ◴[16 Oct 24 09:54 UTC] No.41857306[source]
They are different from passwords in that they are never send over the web. They are a private key used to sign a challenge from the site.
replies(1): >>41862919 #
1. dustyventure ◴[16 Oct 24 19:32 UTC] No.41862919[source]
The private keys are not sent to the relying party yet TFA is about a spec to send them over the web.