←back to thread

FIDO Alliance publishes new spec to let users move passkeys across providers

(fidoalliance.org)
225 points Terretta | 6 comments | 15 Oct 24 12:18 UTC | HN request time: 0.197s | source | bottom
Show context
MarkMarine ◴[16 Oct 24 20:01 UTC] No.41863214[source]
In one of the things that I do in my job, I run the auth system for a fintech, and passkeys are an incredible step forward for the typical user. Being able to migrate your passkeys between providers is a great step forward, I'm glad this is being implemented.

Lots of complaints about passkeys and "big tech paternalism" in the comments here, and frankly I don't think ya'll deal with the middle of the bell curve user base that much.

I've got users who, by literally no fault of their own, are being social engineered into reading back their SMS OTP codes to fake tech support. State of the art in industry is basically trying to understand every action that is happening on a device (via mobile phone network providers, location, their actions across multiple other sites, etc. etc. through vendors providing this type of intelligence... by vacuuming up all your data) to understand if fraud is happening by seeing if you can even trust the device that is getting the SMS. Every time we make a step forward in privacy, this gets harder and harder (fingerprinting devices is basically pointless now, so how do I tell if this should be a trusted device or not) so there is a driving force against improving user privacy coming from these vendors.

Passkeys are the first positive step in auth I've seen in a decade that the average user will pickup and use, it helps them login and helps them not try to set a weak password they shared with multiple sites, and they can't read it back to a scammer who is fake tech support.

Would I like passkeys to be more like ssh keys? um, maybe but I don't care about it one bit in practice. I use passkeys for everything I can and I've never once seen friction. The average user does not want to deal with backing up their passkeys or even thinking about them, heck most of them don't. If anyone in the comments doesn't like the implementation of webauthn, suggest changes to the spec and do the work to get it implemented instead of complaining about it in the comments.

replies(4): >>41863610 #>>41863658 #>>41864267 #>>41867534 #
crote ◴[16 Oct 24 21:59 UTC] No.41864267[source]
> If anyone in the comments doesn't like the implementation of webauthn, suggest changes to the spec

Rip out resident keys altogether. They aren't needed. You can get 99.9% of the benefits of Passkeys by using non-resident keys - literally the only drawback is that you'd need to enter a username.

Resident keys essentially kill physical tokens. Without resident keys a $10 token can support thousands of websites. With resident keys? A couple dozen, if you're lucky.

replies(4): >>41865067 #>>41865665 #>>41866800 #>>41866892 #
1. MarkMarine ◴[17 Oct 24 01:45 UTC] No.41865665[source]
Again, ya’ll are living in a different world. Passkeys doesn’t have to support your use case, you’ve already got FIDO 2 keys for this. Physical keys have been readily available for over a decade from yubikey and the market penetration for consumers is basically zero.
replies(2): >>41867611 #>>41867821 #
2. vaylian ◴[17 Oct 24 08:42 UTC] No.41867611[source]
I understand your enthusiasm for passkeys and I think there are real benefits, especially for non-technical users. But likewise, there is also enthusiasm for the objectively more secure hardware tokens. Residential keys are a problem for hardware tokens.

So yes, we are living in different worlds. But what we all want is to migrate to more secure authentication methods. And pushing non-residential keys to the wayside just for the convenience of not needing to remember user names feels like a bad trade-off.

replies(1): >>41873802 #
3. lxgr ◴[17 Oct 24 09:23 UTC] No.41867821[source]
So, ruin a thing that works for a few people (and arguably was the primary target of the spec before big tech essentially took it over) for no reason other than marginal relying party convenience?

The only thing needed to preserve their utility would be a minimal rewording (e.g. change “preferred” to “possible” or add a “preferred-if-unlimited-storage” for ResidentKeyRequirement), and a requirement of relying parties to add a username field as a fallback.

4. MarkMarine ◴[17 Oct 24 21:07 UTC] No.41873802[source]
It's not just needing to remember user names, is everyone in this thread just willfully ignoring what I've been saying about needing multiple (privacy incompatible) channels of data to be able to trust these login methods that aren't passkeys?
replies(1): >>41878089 #
5. vaylian ◴[18 Oct 24 10:39 UTC] No.41878089{3}[source]
> everyone in this thread just willfully ignoring what I've been saying about needing multiple (privacy incompatible) channels of data to be able to trust these login methods that aren't passkeys?

I have reread your top post a few times and I think I'm starting to understand your point. To highlight the core part:

> State of the art in industry is basically trying to understand every action that is happening on a device

I wasn't aware that this is happening. And I can understand why fintech companies engage in this invasive practice. However, I never used SMS as a second factor, because I know that it is unsafe. I use hardware tokens, because I care about security. I know that many people do not care about security and it is your job to catch them before they do something stupid. I understand why you like passkeys so much.

But the original point remains: Resident keys are not necessary. Big tech is propagating resident keys. But they could easily use non-resident keys and offer remembering the usernames for the different sites like password managers do it today. It would be an easy win for everyone.

replies(1): >>41880203 #
6. MarkMarine ◴[18 Oct 24 15:17 UTC] No.41880203{4}[source]
I understand your point, and I’ve thought a lot about that after discussing it here. I actually prefer the resident keys from my side because I can really trust the device is the device, so I don’t need all that data stream about it. That said, I’m going to make sure I support hardware tokens in my system.

My goals are just protecting my user base from fraud and giving them an easy way to login securely. You would probably be shocked at the volume of support calls we get about logging in. It’s 30-40% of the call volume. Easy for a scammer to slip into that stream as well.