225 points Terretta
itohihiyt ◴[] No.41856240[source]
I only need one provider. A portable open source encrypted database I'm in control of and can back up and secure as needed. It's what I have now, and have had for years, in my password manager. I won't be at the mercy of a company or a device to access my digital life.
replies(3): >>41856321 #>>41856331 #>>41862108 #
leokennis ◴[] No.41856321[source]
That's cool, but the last thing I would want my mom to have to manage is a portable open source encrypted database she's in control of and can back up and secure as needed.
replies(3): >>41856328 #>>41857755 #>>41863274 #
saurik ◴[] No.41856328[source]
Great; but, as long as a system supports the open solution, anyone can provide for you the closed one, while the opposite isn't the case.
replies(1): >>41856410 #
izacus ◴[] No.41856410[source]
And Passkeys is an open solution, what are you all going on about?
replies(2): >>41856536 #>>41856572 #
politelemon ◴[] No.41856536[source]
Currently it is not. It was created provider centric so far, and in my reading of the spec, a thinly veiled lockin. The ability to move around should have been built in from the beginning but it was more beneficial for the providers to start without.
replies(2): >>41856627 #>>41857724 #
growse ◴[] No.41857724[source]
Passkeys are just resident webauthn tokens with a fancy name.

Where's the lockin?

replies(1): >>41857869 #
reginald78 ◴[] No.41857869[source]
The attestation anti-feature which is part of the spec. And the portability feature which is conspicuously not. The former makes the enforcement of the latter possible.
replies(1): >>41859013 #
growse ◴[] No.41859013[source]
The attestation is part of the webauthn spec, and it's up to the relying party to decide whether or not to use it. The whole reason it's there is to give some contexts the ability to narrow their users down to specific webauthn storage implementations (which is useful in some corporate / gov contexts).

Are there any examples of any widely-used sites that are enforcing attestation?

replies(1): >>41860063 #
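growse's point, that attestation is opt-in for the relying party, comes down to a few lines of registration-handling code on the server. The following is an added example, not code from any commenter or from any product named in this thread. It parses the WebAuthn authenticatorData from a registration response and applies one of two policies: the default (accept any authenticator, which is what a site gets when it never asks for attestation) and the corporate/government case (accept only an allowlist of authenticator AAGUIDs). The AAGUIDs, relying-party ID and credential IDs are constructed placeholders; real vendor AAGUIDs come from the FIDO Metadata Service. Note the caveat in the code: an AAGUID is only as trustworthy as the attestation statement that vouches for it, and verifying that statement's signature against the vendor chain is not shown here.

```python
import hashlib
import struct
from typing import Optional, Tuple

# Bits of the flags byte in WebAuthn authenticatorData (section 6.1 of the spec).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows

ZERO_AAGUID = bytes(16)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split authenticatorData into the fields an attestation policy needs.

    The COSE public key after the credential ID is CBOR; it is returned as raw
    bytes so this example stays dependency-free.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("AT flag set but attestedCredentialData is truncated")
        cred_id_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_id_len]
        if len(cred_id) != cred_id_len:
            raise ValueError("credential ID length exceeds authenticatorData")
        parsed["aaguid"] = auth_data[37:53]
        parsed["credential_id"] = cred_id
        parsed["cose_public_key"] = auth_data[55 + cred_id_len:]
    return parsed


def check_registration(rp_id: str, fmt: str, auth_data: bytes,
                       allowed_aaguids: Optional[set] = None) -> Tuple[bool, str]:
    """Relying-party policy for one registration response.

    allowed_aaguids=None is the common case: attestation is not enforced and any
    authenticator is accepted. A set of AAGUIDs is the corporate/government case:
    only the listed authenticator models are accepted.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rejected: rpIdHash does not match this relying party"
    if not parsed["flags"] & FLAG_UP:
        return False, "rejected: user presence flag not set"
    if "aaguid" not in parsed:
        return False, "rejected: no attested credential data in response"
    if allowed_aaguids is None:
        return True, "accepted: attestation not enforced"
    # From here on the relying party is enforcing attestation.
    if fmt == "none" or parsed["aaguid"] == ZERO_AAGUID:
        return False, "rejected: attestation required but none was provided"
    if parsed["aaguid"] not in allowed_aaguids:
        return False, "rejected: AAGUID %s not in allowlist" % parsed["aaguid"].hex()
    # The AAGUID is only trustworthy once the attestation statement for `fmt`
    # (e.g. "packed") has been verified against the vendor's certificate chain;
    # that signature check is outside this example.
    return True, "accepted: AAGUID in allowlist (attestation statement still to be verified)"


def build_auth_data(rp_id: str, flags: int, sign_count: int, aaguid: bytes,
                    cred_id: bytes, cose_key: bytes = b"\xa0") -> bytes:
    """Assemble a constructed authenticatorData for testing; not real authenticator
    output. b"\xa0" is an empty CBOR map standing in for the COSE public key."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count)
            + aaguid
            + struct.pack(">H", len(cred_id))
            + cred_id
            + cose_key)


# Constructed placeholder values (assumptions for this example only).
RP_ID = "example.com"
CORP_KEY_AAGUID = bytes.fromhex("0123456789abcdef0123456789abcdef")
OTHER_AAGUID = bytes.fromhex("fedcba9876543210fedcba9876543210")

if __name__ == "__main__":
    corp = build_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_AT, 1, CORP_KEY_AAGUID, b"cred-1")
    other = build_auth_data(RP_ID, FLAG_UP | FLAG_AT, 0, OTHER_AAGUID, b"cred-2")
    print(check_registration(RP_ID, "none", other))                       # default policy
    print(check_registration(RP_ID, "packed", corp, {CORP_KEY_AAGUID}))   # allowlisted
    print(check_registration(RP_ID, "packed", other, {CORP_KEY_AAGUID}))  # not allowlisted
    print(check_registration(RP_ID, "none", other, {CORP_KEY_AAGUID}))    # no attestation
```

For the enforcing branch to ever see anything but `fmt: "none"`, the relying party also has to ask for it client-side by setting `attestation: "direct"` in the options passed to `navigator.credentials.create()`; left at the default, the browser strips the attestation statement before the server sees it, which is why a site that never opted in cannot be "enforcing" anything.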
whs ◴[] No.41860063[source]
Two come to mind:

- Cloudflare had a "captcha" POC called "Cryptographic Attestation of Personhood" where you need to use a FIDO-approved token. It's reusing U2F just for the attestation part only. I don't think it ever went to production as most people don't have a token (but perhaps in the future hardware-locked passkeys may serve as one...)

- Okta does have an option to enforce attestation. By default it is off, but in my Okta production I can limit the list to FIDO-approved vendors only, or to even a subset of them. They also have a beta feature flag for blocking Passkeys but allowing physical keys (for which they do not guarantee success)

replies(1): >>41862124 #
warkdarrior ◴[] No.41862124[source]
OK, so you gave two examples of systems that do NOT enforce attestation (one that is not in production, one that has an option to enforce attestation but is not apparently in use).

Are there any widely-used sites that actually enforce attestation?

replies(3): >>41863405 #>>41863455 #>>41865361 #
9dev ◴[] No.41863455[source]
It’s absurd, really. Attestation is clearly a feature intended for high security environments, where you want to ensure all employees use their corporate hardware authenticators and those only, yet people act like it’s big tech's secret, evil mind control back door.
replies(3): >>41863684 #>>41863756 #>>41863784 #
jeltz ◴[] No.41863784[source]
What is absurd about expecting companies to do what many internet banks in some countries already do?
replies(1): >>41868034 #
9dev ◴[] No.41868034[source]
As a sibling comment explains, attestation isn't processed by common web browsers unless explicitly configured. Your bank can require attestation from you and limit you to a number of supported authenticators... But I don't quite see what that would get them, other than losing customers? And to what end, to foster ecosystem lockin on behalf of Apple or Google? It doesn't make any sense. Hence: absurd.