
225 points Terretta | 1 comments | source
solarkraft No.41860069 [source]
I had hope for passkeys, with all the interop-promises.

It turned out that no (mainstream) passkey provider allows backups, however, making them infinitely worse than just using passwords.

Maybe this will help, but fuck me, it’s all complicated, especially for a damn foundational security mechanism!

It could be so simple, just look at SSH keys, which I think largely use the same principle.

replies(5): >>41860481 #>>41863668 #>>41864115 #>>41864718 #>>41866900 #
andrewaylett No.41864115 [source]
As a counter-point, my SSH keys are bound to my laptop's secure enclave and it's not possible for me to back them up.

I have recovery mechanisms for regaining access if I lose all my keys, but (while I'll admit that the tooling for managing public keys in the general case is lacking) you're not supposed to (need to) copy private keys between devices.

replies(1): >>41865179 #
1. ziml77 No.41865179 [source]
That was basically what I was going to say too. The most secure keys are the ones that can't be transferred. If I want protection against the loss of a hardware security key like a Yubikey, I have to get a second one and register that one as a secondary key to log in.

Technically you can generate a GPG key and load that onto multiple Yubikeys, but that's not as secure as letting the Yubikey itself generate the key. Plus if you only use one GPG key and one of the Yubikeys is lost (but not destroyed) then you have to rewrite all the remaining Yubikeys with a new GPG key since you can't selectively revoke them.
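The two situations ziml77 contrasts (two tokens that each generated their own key versus one GPG key written onto two tokens) come down to what the relying party can see: one registered public key per token, or a single shared one. The following Go program is an added illustration, not code from the thread or from any passkey or YubiKey project. It uses Go's standard-library Ed25519 as a stand-in for the token's on-device key, and it is a deliberate simplification of WebAuthn/FIDO2: there are no credential IDs, origin or RP-ID binding, attestation or signature counters, only a server-issued single-use challenge and a per-user set of public keys. The type and function names (`Authenticator`, `Server`, `SeparateTokens`, `SharedKey`) are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator stands in for a hardware token: the private key lives inside
// the struct and only Sign/Public are exposed, mirroring a non-exportable key.
type Authenticator struct {
	priv ed25519.PrivateKey
}

// NewAuthenticator models a token that generates its own key on-device.
func NewAuthenticator() *Authenticator {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}
}

// CloneAuthenticator models writing one externally generated key onto a token,
// which is how several tokens end up holding the same key.
func CloneAuthenticator(priv ed25519.PrivateKey) *Authenticator {
	return &Authenticator{priv: priv}
}

func (a *Authenticator) Public() ed25519.PublicKey { return a.priv.Public().(ed25519.PublicKey) }
func (a *Authenticator) Sign(challenge []byte) []byte  { return ed25519.Sign(a.priv, challenge) }

// Server keeps the set of registered public keys per user, plus the challenges
// it has handed out and not yet seen answered (each challenge is single-use).
type Server struct {
	creds      map[string]map[string]bool // user -> hex(pubkey) -> registered
	challenges map[string]bool            // hex(challenge) -> outstanding
}

func NewServer() *Server {
	return &Server{creds: map[string]map[string]bool{}, challenges: map[string]bool{}}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) {
	if s.creds[user] == nil {
		s.creds[user] = map[string]bool{}
	}
	s.creds[user][hex.EncodeToString(pub)] = true
}

// Revoke drops one public key; other keys registered for the user stay valid.
func (s *Server) Revoke(user string, pub ed25519.PublicKey) {
	delete(s.creds[user], hex.EncodeToString(pub))
}

// Challenge issues a fresh random nonce and remembers it until it is consumed.
func (s *Server) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.challenges[hex.EncodeToString(c)] = true
	return c
}

// Login accepts a response only for an outstanding challenge, a key that is
// currently registered for the user, and a signature that verifies under it.
func (s *Server) Login(user string, pub ed25519.PublicKey, challenge, sig []byte) error {
	ch := hex.EncodeToString(challenge)
	if !s.challenges[ch] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, ch)
	if !s.creds[user][hex.EncodeToString(pub)] {
		return errors.New("key not registered for user")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("bad signature")
	}
	return nil
}

// LoginWith runs one challenge/response round trip with the given token.
func LoginWith(s *Server, user string, a *Authenticator) bool {
	c := s.Challenge()
	return s.Login(user, a.Public(), c, a.Sign(c)) == nil
}

// SeparateTokens: two tokens with independently generated keys, both registered.
// When the primary is lost, only its key is revoked; the backup keeps working.
func SeparateTokens() (backupWorks, lostWorks bool) {
	s := NewServer()
	primary, backup := NewAuthenticator(), NewAuthenticator()
	s.Register("alice", primary.Public())
	s.Register("alice", backup.Public())
	s.Revoke("alice", primary.Public())
	return LoginWith(s, "alice", backup), LoginWith(s, "alice", primary)
}

// SharedKey: one key written onto two tokens. The server only ever sees a single
// public key, so revoking the lost token necessarily cuts off the remaining one.
func SharedKey() (backupWorks, lostWorks bool) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	s := NewServer()
	primary, backup := CloneAuthenticator(priv), CloneAuthenticator(priv)
	s.Register("alice", primary.Public())
	s.Register("alice", backup.Public()) // same key: adds nothing new
	s.Revoke("alice", primary.Public())
	return LoginWith(s, "alice", backup), LoginWith(s, "alice", primary)
}

func main() {
	b, l := SeparateTokens()
	fmt.Printf("separate keys: backup works=%v, lost token works=%v\n", b, l)
	b, l = SharedKey()
	fmt.Printf("shared key:    backup works=%v, lost token works=%v\n", b, l)
}
```

Running it prints `true, false` for the separate-key case and `false, false` for the shared-key case, which is the asymmetry the comment describes: with per-token keys the relying party can remove exactly the lost token, while with one key on several tokens revocation is all-or-nothing and the surviving tokens have to be re-provisioned with a new key.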