←back to thread

FIDO Alliance publishes new spec to let users move passkeys across providers

(fidoalliance.org)
225 points Terretta | 6 comments | 15 Oct 24 12:18 UTC | HN request time: 0s | source | bottom
Show context
jakub_g ◴[16 Oct 24 21:02 UTC] No.41863841[source]
Something that is not clear to me about passkeys and makes me uneasy to start using them:

Are passkeys replacing passwords, 2FA, or both?

What if I created a passkey on some device, lost that device, and my passkeys aren't cloud-backed-up? Would I be able to recover my account, or it's doomed? Or does it depend on how a given website implemented it?

replies(6): >>41863858 #>>41864360 #>>41865277 #>>41866433 #>>41866779 #>>41866793 #
lovethevoid ◴[16 Oct 24 22:12 UTC] No.41864360[source]
Two things:

You kind of have to go out of your way to not have your keys backed up. By default, the easiest route is using your android or iphone and both of them back the keys up using icloud Keychain or google password manager. 1Password, bitwarden, all support syncing. Chrome will allow saving it to icloud or your google account. Keepass can be manually synced. Windows is adding sync in the next update for windows hello. List goes on.

The other thing is that multiple keys can be created. Easiest way to see this in action is google's account security settings. Log in (if you have an account), hit create passkey, see your options and play around with them. You'll also see you can add a hardware security key too, which isn't nothing new but if you have one that's another key that doesn't rely on a mobile device!

If all else fails, the usual account recovery process applies. Much like it would if you forgot your password.

replies(3): >>41865248 #>>41866073 #>>41875709 #
Fire-Dragon-DoL ◴[17 Oct 24 00:27 UTC] No.41865248[source]
So we still need a passkey + second factor, isn't that the case?

And if my google account gets banned, I lose access to a trillion things instead of just one.

I was hoping passkeys would work on 1password,but chrome/brave don't support that yet.

It seems like a passkey is just a password though

replies(2): >>41865701 #>>41866973 #
1. chrchr ◴[17 Oct 24 06:33 UTC] No.41866973{3}[source]
A key difference between a passkey and a password is that a passkey is never transmitted off of your device. The existing tech that they most resemble is ssh keys.
replies(3): >>41867537 #>>41871031 #>>41885812 #
2. zigzag312 ◴[17 Oct 24 08:26 UTC] No.41867537[source]
How does Google Password Manager sync your passkeys then?

EDIT: Private key is not transmitted off of your device when authenticating, but it can be transmitted off of your device by your password manager.

"The difference between passkeys and passwords is that passkeys are cryptographic key pairs. The key pair is specific to a website. One half is shared with the website, and the other half is private and stored on your device or in your password manager." [0]

"Passkeys are securely backed up and synced between your Android devices" [0]

"Passkeys are stored in your Google Account..." [0]

"Your iCloud Keychain stores and syncs them [passkeys] between iOS, iPadOS, and macOS devices." [0]

[0] https://support.google.com/chrome/answer/13168025

replies(2): >>41869313 #>>41870704 #
3. e40 ◴[17 Oct 24 13:07 UTC] No.41869313[source]
And the interaction between the thing that generates the passkey and my password manager is very confusing. I got multiple popups and it wasn’t completely clear which was chrome ans 1password.
4. chrchr ◴[17 Oct 24 15:41 UTC] No.41870704[source]
> Private key is not transmitted off of your device when authenticating.

Thank you. I should have been more specific. Non-transerral during auth is important because it virtually eliminates fishing, and that also explains why the Powers That Be are touchy about exporting. Exfiltration enables scenarios where a nefarious party tricks a user into transferring their cryptographic keys.

5. kbolino ◴[17 Oct 24 16:15 UTC] No.41871031[source]
Strictly speaking, passwords do not have to be shared during auth, either. There are password-agreement schemes (e.g. SRP [1] as used in TLS-SRP) which allow one or both parties to prove they know the password without sharing it. However, these schemes never gained broad adoption.

[1]: https://en.wikipedia.org/wiki/Secure_Remote_Password_protoco...

6. Fire-Dragon-DoL ◴[19 Oct 24 05:20 UTC] No.41885812[source]
I see that makes more sense. It is an upgrade to passwords, but in an ideal world we solve the other half (two factor) too.