
225 points by Terretta | 10 comments
1. taeric No.41863484
I'm super curious how this will ultimately work. As noted in another thread, secure enclaves aren't secure if they can be copied. Such that, if this is moving the passkey by copying it, I'm not at all clear on how that stays secure?
replies(4): >>41863618 #>>41866813 #>>41867580 #>>41894895 #
2. Scion9066 No.41863618
Generally this spec is talking about the kind of passkeys that are stored in password managers, not the kinds used by hardware security keys. Those in a password manager have always been technically copyable somehow, there just wasn't a standard format or protocol for doing so.
replies(1): >>41863662 #
3. taeric No.41863662
I knew that "passkey" had grown to refer to a set of different things. I can't say this upsets me, as it does sound like progress over the old status quo. Still, it is confusing for those of us who bought in at the beginning.
replies(2): >>41864470 #>>41864840 #
4. lxgr No.41864470
The terminology is definitely a mess, but I believe at least “passkey” has never referred to hardware authenticators. Those were usually called “security keys” or similar.
replies(1): >>41869566 #
5. mjs No.41864840
The Yubico FAQ explains some of the history fairly well: https://www.yubico.com/blog/a-yubico-faq-about-passkeys/

In particular, they distinguish between "copyable" and "hardware-bound" passkeys. They're both passkeys, and can be used wherever passkeys are supported, but only the "hardware-bound" passkeys support attestation.
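
Whether a given passkey is of the "copyable" or the "hardware-bound" kind is something the relying party can actually observe: WebAuthn Level 3 defines two bits in the authenticator data flags byte, BE (backup eligible, 0x08) and BS (backup state, 0x10), that a synced passkey sets and a device-bound one leaves clear. The following is an added example, not code from the thread, Yubico or any passkey provider; it parses the fixed part of an authenticator data blob, checks the rpIdHash, reports the BE/BS bits, and lets a site enforce a "device-bound only" policy. The sample authenticator data is constructed inline with an all-zero AAGUID and a dummy credential ID; a real blob would also carry a CBOR-encoded COSE public key after the credential ID, which this parser does not decode.

```python
"""Classify a WebAuthn credential as copyable (synced) or device-bound
from the BE/BS bits of its authenticator data (WebAuthn L3, section 6.1)."""
import hashlib
import struct

# Bits of the authenticator data "flags" byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the credential may be synced/copied
FLAG_BS = 0x10  # backup state: the credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows the fixed fields
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes, rp_id: str) -> dict:
    """Parse rpIdHash, flags, signCount and (if present) AAGUID + credential ID."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])

    # A response for some other relying party must be rejected outright.
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party ID")

    backup_eligible = bool(flags & FLAG_BE)
    backed_up = bool(flags & FLAG_BS)
    if backed_up and not backup_eligible:
        raise ValueError("BS set without BE is not a valid flag combination")

    info = {
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": backup_eligible,
        "backed_up": backed_up,
        "sign_count": sign_count,  # synced passkeys commonly report 0 here
        "aaguid": None,
        "credential_id": None,
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("truncated attested credential data")
        info["aaguid"] = auth_data[37:53].hex()
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        info["credential_id"] = auth_data[55:55 + cred_len]
        # The COSE public key (CBOR) would follow here; not decoded in this example.
    return info


def classify(info: dict) -> str:
    return "copyable (synced) passkey" if info["backup_eligible"] else "device-bound passkey"


def enforce_policy(info: dict, require_device_bound: bool) -> bool:
    """A site that must not accept synced credentials rejects any BE=1 credential."""
    return not (require_device_bound and info["backup_eligible"])


def build_auth_data(rp_id: str, flags: int, sign_count: int,
                    aaguid: bytes = bytes(16), cred_id: bytes = b"") -> bytes:
    """Construct sample authenticator data for testing (not a real authenticator's output)."""
    data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        data += aaguid + struct.pack(">H", len(cred_id)) + cred_id
    return data


if __name__ == "__main__":
    synced = build_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT,
                             0, bytes(16), b"\x01" * 32)
    bound = build_auth_data("example.com", FLAG_UP | FLAG_UV, 7)
    for blob in (synced, bound):
        i = parse_authenticator_data(blob, "example.com")
        print(classify(i), "| accepted under device-bound policy:", enforce_policy(i, True))
```

The BE bit only tells you what the authenticator claims about itself; a relying party that needs to trust that claim also has to verify the attestation statement, which is exactly the part the hardware-bound passkeys in the comment above support and the copyable ones generally do not.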

6. klausa No.41866813
Passkeys don't need to be hardware bound.

The (probably?) most widespread implementation of them (iOS + macOS et al.) isn't; they're synced between devices.

7. lxgr No.41867580
Passkeys aren’t identical with secure enclaves.

They can be stored in them, but also in software; even when stored in hardware, they can be marked as extractable to some trusted party (a companion device with the same root of trust, a trusted cloud sync service, a supply chain attacker etc.)

replies(1): >>41869982 #
8. vanburen No.41869566
Agree. Passkey should be reserved for credentials that can be synced or exported to different providers, as this is what is most analogous to a password from a user perspective.

There should be a different standardized term used for hardware-bound keys, so users won't get confused.

9. taeric No.41869982
Fair, but if the secret is exportable, then it loses a ton of its power.

If you are worried about state level activity, have it stored in a single place that can be compelled by law to disclose it and that is off the table for you.

Which, sure, you can argue that there are still hardware tokens for people. But that is itself a signal, no?

10. gcr No.41894895
Hardware-bound passkeys have always been copyable by the proprietary vendor.

Make a passkey on your Mac, it appears on your iPhone.

Make a passkey on your Android, it appears on your other Androids.

Anyone who can bind a new iPhone or Android to your Apple/Google account wins your passkeys. I think the only passkeys properly tied to hardware are dedicated FIDO devices.