←back to thread

FIDO Alliance publishes new spec to let users move passkeys across providers

(fidoalliance.org)
225 points Terretta | 1 comments | 15 Oct 24 12:18 UTC | HN request time: 0s | source
Show context
troupo ◴[16 Oct 24 06:22 UTC] No.41856125[source]
I came across an opinion I largely agree with: https://mastodon.social/@lapcatsoftware/113308133338196824 and https://mastodon.social/@lapcatsoftware/113308273654667583

> These big tech companies will do anything possible to prevent users from ever actually being able to access their own passkeys.

> Export and import should have been extremely simple. Instead, they took years to come up with some convoluted system where the only possibility is to transfer from one vendor lock-in to another vendor lock-in.

> With passkeys, the big tech companies are executing a coup d'état of authentication, just like they did for HTML itself.

> In the end, they control every protocol, become the gatekeepers for the web.

replies(8): >>41856181 #>>41856189 #>>41856247 #>>41856254 #>>41856772 #>>41862312 #>>41862676 #>>41881156 #
skybrian ◴[16 Oct 24 08:18 UTC] No.41856772[source]
Unlike your photo collection, passkeys aren’t precious. They’re just meaningless data. You can and should generate additional ones for each password manager you use, so you have multiple independent ways of getting into an account. As long as you can do that, everything is replaceable and there’s no lock-in.

Similarly, I wouldn’t copy a private key for ssh to a new laptop. I generate a new one and copy the public key instead. It makes it easier to revoke access to the old computer.

I do think this new spec will sometimes be useful for populating a new password manager, though.

replies(3): >>41857222 #>>41860188 #>>41863175 #
solarkraft ◴[16 Oct 24 15:24 UTC] No.41860188[source]
I know you’re applying the same model as for SSH keys (and functionally they are very similar) … but I also think 1 SSH key/device is impractical if you have many services to log into and many devices to log in from - which is just the reality nowadays.

Imagine having to use a specific password for each service/device combination. Instead we don’t tie passwords to devices, but to users, to avoid this complexity.

replies(3): >>41860274 #>>41863190 #>>41863395 #
1. 9dev ◴[16 Oct 24 20:17 UTC] No.41863395[source]
> Imagine having to use a specific password for each service/device combination. Instead we don’t tie passwords to devices, but to users, to avoid this complexity.

But that is the entire premise of Passkeys—they remove the complexity, because having individual passwords per device is clearly superior to user-bound passwords, if you don’t need to worry about it and it just works. Hence why, to stay with SSH, you shouldn’t use SSH keypairs, but certificates signed by a CA.