
225 points | Terretta | 2 comments
taeric No.41863484
I'm super curious how this will ultimately work. As noted in another thread, secure enclaves aren't secure if they can be copied. Such that, if this is moving the passkey by copying it, I'm not at all clear on how that stays secure?
1. lxgr No.41867580
Passkeys aren’t identical with secure enclaves.

They can be stored in them, but also in software; even when stored in hardware, they can be marked as extractable to some trusted party (a companion device with the same root of trust, a trusted cloud sync service, a supply chain attacker, etc.).

2. taeric No.41869982
Fair, but if the secret is exportable, then it loses a ton of its power.

If you are worried about state level activity, have it stored in a single place that can be compelled by law to disclose it and that is off the table for you.

Which, sure, you can argue that there are still hardware tokens for people. But that is itself a signal, no?