
225 points Terretta | 4 comments
solarkraft No.41860069
I had hope for passkeys, with all the interop-promises.

It turned out that no (mainstream) passkey provider allows backups however, making them infinitely worse than just using passwords.

Maybe this will help, but fuck me, it’s all complicated, especially for a damn foundational security mechanism!

It could be so simple, just look at SSH keys, which I think largely use the same principle.

replies(5): >>41860481 #>>41863668 #>>41864115 #>>41864718 #>>41866900 #
skybrian No.41860481
You can create backup keys by creating more passkeys.
replies(2): >>41862445 #>>41871701 #
lelandbatey No.41862445
That's not a backup, that's just another secret. If I can't record the secret onto paper that I can put in a safe deposit box at a bank (or several), then it ain't backed up.
replies(2): >>41862467 #>>41862675 #
dixie_land No.41862467
I understand the semantic difference, but wouldn't you be able to, say, add a "backup" Yubikey and lock it in a safe?
replies(3): >>41862523 #>>41864017 #>>41867699 #
eikenberry No.41864017
No. How do you use it if it's in a safe? The only way this works is if you use the Yubikey to log into Google or some other auth provider and then use that auth provider for everything. But you are even worse off then, as that auth provider is now a single point of failure: get that account revoked for any reason and you've lost access everywhere.
replies(1): >>41865485 #
skybrian No.41865485
Why do that, though?

Figure out which doors you need to unlock and make sure you have at least two independent ways to get through each door. Some doors support Yubikey, so that counts as one, for those doors.

replies(2): >>41866763 #>>41867701 #
lelandbatey No.41866763
But why do THAT when what we're asking for is control over our own data, our own secrets? Because it's imagined to be "less secure"?

Actually backing up keys, as in duplicating them and physically securing them, makes it simple, clear, and understandable to all involved what recovery looks like. TOTP is a great example in a similar space; my nontechnical spouse doesn't need to know "how TOTP works" to know that in case of my incapacitation she only has to read a packet of paper and follow instructions in order to perfectly recover all my accounts with zero chance of some 3rd party provider (e.g. Passkey stores like 1password/Google) having a political/technical glitch that'd get in the way of that.

Passkeys are like passwords with landlords added in. Just like with landlords for services provided, Passkeys seem very convenient for day-to-day but nightmarish in the margins and on the 5+ year scale.
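The recovery property lelandbatey describes for TOTP, shown as an added example (not code from any commenter): the only thing the paper needs to carry is the base32 secret, and any RFC 6238 implementation fed that secret reproduces the same codes. The secret below is a constructed one (it encodes the RFC 6238 reference key, not a real account).

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example: the base32 string a user would print and put in the safe.
# It encodes the RFC 6238 reference secret "12345678901234567890"; not a real secret.
PAPER_SECRET = "GEZDGNBVGY3TQOJQ GEZDGNBVGY3TQOJQ"


def decode_paper_secret(text: str) -> bytes:
    """Turn a hand-copied secret back into key bytes.

    Tolerates the things that happen on paper: spaces or dashes used for
    grouping, lower case, and missing '=' padding.
    """
    cleaned = "".join(text.split()).replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore base32 padding
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, at // step, digits)


def verify(key: bytes, code: str, at: int, skew: int = 1, step: int = 30) -> bool:
    """Constant-time check of a submitted code, allowing +/- skew steps of clock drift."""
    candidates = (totp(key, at + d * step, step) for d in range(-skew, skew + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)


if __name__ == "__main__":
    key = decode_paper_secret(PAPER_SECRET)
    print("current code:", totp(key, int(time.time())))
```

Because every device given the same printed secret computes identical codes, re-enrolling a new phone from the paper copy is a complete recovery with no third party involved; by contrast a passkey's private key never leaves the provider's store, so there is nothing equivalent to print.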

lxgr No.41867701
My doors don’t change every other week. My set of passkeys does.