
225 points Terretta | 5 comments
taeric No.41863484
I'm super curious how this will ultimately work. As noted in another thread, secure enclaves aren't secure if they can be copied. Such that, if this is moving the passkey by copying it, I'm not at all clear on how that stays secure?
replies(4): >>41863618, >>41866813, >>41867580, >>41894895
1. Scion9066 No.41863618
Generally this spec is talking about the kind of passkeys that are stored in password managers, not the kinds used by hardware security keys. Those in a password manager have always been technically copyable somehow, there just wasn't a standard format or protocol for doing so.
replies(1): >>41863662
2. taeric No.41863662
I knew that "passkey" had grown to refer to a set of different things. I can't say this upsets me, as it does sound like progress over the old status quo. Still, it is confusing for those of us that bought in at the beginning.
replies(2): >>41864470, >>41864840
3. lxgr No.41864470
The terminology is definitely a mess, but I believe at least “passkey” has never referred to hardware authenticators. Those were usually called “security keys” or similar.
replies(1): >>41869566
4. mjs No.41864840
The Yubico FAQ explains some of the history fairly well: https://www.yubico.com/blog/a-yubico-faq-about-passkeys/

In particular, they distinguish between "copyable" and "hardware-bound" passkeys. They're both passkeys, and can be used wherever passkeys are supported, but only the "hardware-bound" passkeys support attestation.

5. vanburen No.41869566{3}
Agree. Passkey should be reserved for credentials that can be synced or exported to different providers, as this is what is most analogous to a password from a user perspective.

There should be a different standardized term used for hardware-bound keys, so users won't get confused.