
225 points Terretta | 1 comments
itohihiyt ◴[] No.41856240[source]
I only need one provider. A portable open source encrypted database I'm in control of and can back up and secure as needed. It's what I have now, and have had for years, in my password manager. I won't be at the mercy of a company or a device to access my digital life.
replies(3): >>41856321 #>>41856331 #>>41862108 #
leokennis ◴[] No.41856321[source]
That's cool, but the last thing I would want my mom to have to manage is a portable open source encrypted database she's in control of and can back up and secure as needed.
replies(3): >>41856328 #>>41857755 #>>41863274 #
saurik ◴[] No.41856328[source]
Great; but, as long as a system supports the open solution, anyone can provide for you the closed one, while the opposite isn't the case.
replies(1): >>41856410 #
izacus ◴[] No.41856410[source]
And Passkeys is an open solution, what are you all going on about?
replies(2): >>41856536 #>>41856572 #
tadfisher ◴[] No.41856572[source]
There are FIDO Alliance folks posting Github issues requesting to remove features such as plaintext exporting of credentials, with the explicit threat that the Alliance might block such "open" passkey providers in the future. A local database is not enough, it needs to be locked in a secure element or protected with some TPM-like scheme.

The spec allows for hardware attestation as well, to ensure passkeys are being provided from blessed computing environments. Hopefully implementers continue to ignore this anti-feature, because it's entirely stupid to lock out users who want to control their own security; at the same time, letting anyone with an Android phone restore passkeys from the cloud with one of their device PINs.

replies(1): >>41856759 #
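As an added illustration of the attestation gating described in the post above (example code written for this page, not from the thread, the FIDO specs or any real relying party): a relying party that enforces an AAGUID allowlist necessarily rejects a provider whose attestation format is "none", which is what a software or open provider typically returns, while a relying party with no allowlist accepts it. Function names, the minimal CBOR decoder and the sample attestation objects are all constructed assumptions.

```python
def cbor_decode(buf, pos=0):
    """Minimal CBOR decoder (uints, byte/text strings, maps): enough for attestationObject."""
    major, arg = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if arg >= 24:  # 24..27: argument follows in 1, 2, 4 or 8 bytes
        size = 1 << (arg - 24)
        arg, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if major == 0:
        return arg, pos
    if major in (2, 3):
        raw = buf[pos:pos + arg]
        return (raw if major == 2 else raw.decode()), pos + arg
    if major == 5:
        out = {}
        for _ in range(arg):
            k, pos = cbor_decode(buf, pos)
            out[k], pos = cbor_decode(buf, pos)
        return out, pos
    raise ValueError(f"unsupported CBOR major type {major}")

def parse_attestation(att_obj):
    """Return (fmt, aaguid_hex) from a WebAuthn attestationObject."""
    obj, _ = cbor_decode(att_obj)
    auth = obj["authData"]  # rpIdHash(32) | flags(1) | counter(4) | aaguid(16) | ...
    if not auth[32] & 0x40:  # AT flag: attested credential data must be present
        raise ValueError("no attested credential data")
    return obj["fmt"], auth[37:53].hex()

def rp_accepts(att_obj, allowed_aaguids=None):
    """No allowlist: every provider is accepted, fmt 'none' included. With an allowlist
    only an attested AAGUID on it passes; fmt 'none' carries an unverified AAGUID, so
    it is rejected (a real RP also checks attStmt's signature chain before trusting it)."""
    fmt, aaguid = parse_attestation(att_obj)
    if allowed_aaguids is None:
        return True
    return fmt != "none" and aaguid in allowed_aaguids

def build_attestation_object(fmt, att_stmt_cbor, aaguid):
    """Constructed sample (not real authenticator output) with hand-encoded CBOR headers."""
    auth_data = (b"\x00" * 32 + b"\x45" + b"\x00\x00\x00\x01" + aaguid  # hash|UP+AT|counter|aaguid
                 + b"\x00\x10" + b"\x11" * 16 + b"\xa0")  # credId len, credId, empty key map
    fmt_b = fmt.encode()
    return (b"\xa3\x63fmt" + bytes([0x60 + len(fmt_b)]) + fmt_b + b"\x67attStmt" + att_stmt_cbor
            + b"\x68authData" + bytes([0x58, len(auth_data)]) + auth_data)

# Constructed samples: open provider (fmt "none", zero AAGUID) vs vendor device ("packed", dummy sig).
OPEN_PROVIDER = build_attestation_object("none", b"\xa0", b"\x00" * 16)
VENDOR_AAGUID = bytes(range(16))
VENDOR_DEVICE = build_attestation_object("packed", b"\xa1\x63sig\x43\x01\x02\x03", VENDOR_AAGUID)
```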
arianvanp ◴[] No.41856759[source]
The original thread:

https://github.com/keepassxreboot/keepassxc/issues/10407#iss...

replies(1): >>41858014 #
reginald78 ◴[] No.41858014[source]
Pretty telling thread. Tim Cappalli, one of the spec writers drops by to criticize the export feature and suggests that the attestation feature should be used to punish them for not implementing the fully locked in version.

The credential exchange changes nothing IMO, the rod to punish anyone who doesn't want their credentials stored on a tech giants servers is still there.

replies(3): >>41861968 #>>41862374 #>>41863334 #
bloopernova ◴[] No.41863334[source]
I halfway expect a v2 specification where keys are only stored on a few "Certified Attestation-capable" providers (i.e. facebook, google, apple, amazon)

Then watch them get hacked through a systems management plugin like Clownstrike, or Solarwinds.