(fidoalliance.org)

225 points Terretta | 1 comments | 15 Oct 24 12:18 UTC | HN request time: 0.268s | source

Show context

taeric ◴[16 Oct 24 20:25 UTC] No.41863484[source]▶

I'm super curious how this will ultimately work. As noted in another thread, secure enclaves aren't secure if they can be copied. Such that, if this is moving the passkey by copying it, I'm not at all clear on how that stays secure?

replies(4): >>41863618 #>>41866813 #>>41867580 #>>41894895 #

gcr ◴[20 Oct 24 12:26 UTC] No.41894895[source]▶

>>41863484 #

Hardware-bound passkeys have always been copyable by the proprietary vendor.

Make a passkey on your Mac, it appears on your iPhone.

Make a passkey on your Android, it appears on your other Androids.

Anyone who can bind a new iPhone or Android to your Apple/Google account wins your passkeys. I think the only passkeys properly tied to hardware are dedicated FIDO devices.

replies(1): >>41926666 #

1. yencabulator ◴[23 Oct 24 16:31 UTC] No.41926666[source]▶

>>41894895 #

By definition, if it can be copied out it wasn't hardware-bound.

Yubikeys are tamper-proof and cannot be copied. Everything else is just a place to store a statement that your cloud vendor of choice blesses this gadget to authenticate your account.

↑

FIDO Alliance publishes new spec to let users move passkeys across providers