
225 points Terretta | 2 comments
troupo No.41856125
I came across an opinion I largely agree with: https://mastodon.social/@lapcatsoftware/113308133338196824 and https://mastodon.social/@lapcatsoftware/113308273654667583

> These big tech companies will do anything possible to prevent users from ever actually being able to access their own passkeys.

> Export and import should have been extremely simple. Instead, they took years to come up with some convoluted system where the only possibility is to transfer from one vendor lock-in to another vendor lock-in.

> With passkeys, the big tech companies are executing a coup d'état of authentication, just like they did for HTML itself.

> In the end, they control every protocol, become the gatekeepers for the web.

replies(8): >>41856181 #>>41856189 #>>41856247 #>>41856254 #>>41856772 #>>41862312 #>>41862676 #>>41881156 #
ratorx No.41856247
AFAIK, you can register your passkeys using your own provider (e.g. Bitwarden). I’ve not personally used it too much, but the option is there.

The remaining issue is moving the credentials between providers, which is an annoying limitation. But you can always add a different passkey to the site using the provider you want, so although annoying it is not the end of the world…

The original limitation is similar to the usability of actual physical security keys, which (depending on the setup mode) are deliberately designed such that the private key material is not recoverable. Software based keys don’t HAVE to share the same limitation, but it seems more like a missing feature than attributing malice to the creators of the spec.

replies(1): >>41856463 #
lapcat No.41856463
> AFAIK, you can register your passkeys using your own provider (eg. Bitwarden).

Why should we even need a third-party provider? Imagine needing a third-party "provider" for your own ssh keys.

replies(2): >>41856490 #>>41856578 #
joshuamorton No.41856490
Do you use the same SSH keys on multiple devices? I certainly don't. If you needed or wanted to (you don't), you'd need some way to sync them across multiple devices securely.

When I use passkeys on a single device, the "provider" is the OS, same as with my SSH keys.

replies(4): >>41856511 #>>41861598 #>>41862954 #>>41863272 #
craftkiller No.41862954
> Do you use the same SSH keys on multiple devices?

Yes.

> you'd need some way to sync them across multiple devices securely.

I take out my physical keychain and plug in my yubikey. Then, after typing in the password to my yubikey, I can use ssh and pgp until I unplug my yubikey. It is a hell of a lot more secure than storing your ssh keys on disk regardless of whether or not you use a unique key per device. I could lock someone in a room with my computer, my yubikey, and my password, and they still wouldn't be able to copy my ssh key.

replies(1): >>41863134 #
ycombinatrix No.41863134
Pedantic nit: the yubikey is a device, so you are arguably using one unique key per device.
replies(1): >>41863267 #
craftkiller No.41863267
Haha technically true, but I don't think that was the kind of device they were referring to. Even so, it is possible to use the same key on multiple yubikeys. You generate a PGP key on a secure computer and then load that key onto multiple yubikeys. Then you use gpg as your ssh agent. But this is less secure than using keys generated on-device by the yubikey because your private key exists (hopefully temporarily) as a file on the computer where you generated it.
replies(1): >>41864633 #
joshuamorton No.41864633
No this is absolutely what I meant: A passkey and a PGP key function very similarly in this capacity, a passkey for a site can be generated on a yubikey and used across devices in just the same way.
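The setup craftkiller describes above (an OpenPGP authentication key on a YubiKey, with gpg-agent acting as the ssh agent) involves two checks that are easy to get wrong: picking the right subkey's keygrip for `~/.gnupg/sshcontrol`, and confirming the secret part really lives on the card rather than on disk. The script below is an added example, not code from this thread or from GnuPG; it assumes GnuPG 2.1+ (`gpg`, `gpgconf`) and parses a constructed `gpg -K --with-keygrip` listing.

```shell
#!/bin/sh
# Added example (not code from the thread): wiring the authentication subkey
# of an OpenPGP card such as a YubiKey into ssh through gpg-agent.
# Assumes GnuPG 2.1+ (gpg, gpgconf); the key listing below is constructed.

# Constructed sample of `gpg -K --with-keygrip`. A '>' after ssb means only a
# stub is on disk: the secret part lives on the card and cannot be exported.
SAMPLE_LISTING='sec   ed25519 2024-01-01 [C]
      1111222233334444555566667777888899990000
      Keygrip = AAAA000000000000000000000000000000000001
uid           [ultimate] Example User <user@example.invalid>
ssb   ed25519 2024-01-01 [S]
      Keygrip = AAAA000000000000000000000000000000000002
ssb>  cv25519 2024-01-01 [E]
      Keygrip = AAAA000000000000000000000000000000000003
ssb>  ed25519 2024-01-01 [A]
      Keygrip = AAAA000000000000000000000000000000000004'

# Read a gpg -K --with-keygrip listing on stdin; print "<keygrip>\t<card|disk>"
# for every subkey carrying the A (authentication) capability.
auth_keygrips() {
    awk '
        /^ssb/ { want = ($0 ~ /\[[A-Z]*A[A-Z]*\]/)
                 where = ($1 == "ssb>") ? "card" : "disk"; next }
        want && /Keygrip = / { printf "%s\t%s\n", $3, where; want = 0 }
    '
}

# Emit ~/.gnupg/sshcontrol lines (keygrip and TTL) for card-backed auth keys
# only; a disk-resident auth key is reported on stderr instead of being added.
sshcontrol_entries() {
    auth_keygrips | while IFS="$(printf '\t')" read -r grip where; do
        if [ "$where" = card ]; then
            printf '%s 0\n' "$grip"
        else
            printf 'skipping %s: secret key is on disk, not on a card\n' "$grip" >&2
        fi
    done
}

# Shell profile lines that point ssh at gpg-agent's socket instead of ssh-agent;
# gpg-agent.conf also needs the line "enable-ssh-support".
ssh_env_lines() {
    cat <<'EOF'
unset SSH_AGENT_PID
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
gpgconf --launch gpg-agent
EOF
}

printf '%s\n' "$SAMPLE_LISTING" | sshcontrol_entries
```

On a real machine, replace the constructed listing with `gpg -K --with-keygrip | auth_keygrips` and append the printed entries to `~/.gnupg/sshcontrol`.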