“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.

3 points

They are really satisfying when they work. I have been impressed by how well they work cross platform in the new Bitwarden. It even worked from Android one time with a key made on Windows! However, I dread when my mom tells me she needs help with an account and I can’t do anything because the key is on her iOS Keychain I don’t have access to.

7 points

I remember when Microsoft made a big deal about this on Windows and then their “implementation” was making the local signon a number PIN.

And not a proper separate auth operation lol. You either set up almost everything with the PIN or use a regular password, not both. Makes it useless on enterprise.

Realistically we should all be using a key/pass vault since that would make using passkeys much easier, but that’s too complicated for the internet in 2004 2024.

If it were me, I’d just issue everyone a YubiKey.

1 point

What separate auth operation is needed besides authenticating with the local device to unlock a passkey?

5 points

I’m lost on this - is this better than GPG?

6 points

More usable for the average user and more supported by actual sites and services, so yes.

1 point

Does this require any 3rd party to work? I remember reading a blog, something about attesting the client, which was some big corpo like Google/Apple/Microsoft… that’s not for this, right?

2 points

While the defaults are typically to use what the browser or OS has for storage and sync of the passkeys, you can use other things.

Like KeePassXC:

https://keepassxc.org/blog/2024-03-10-2.7.7-released/

As for attestation to how the key is stored securely (like in a hardware key), Apple’s implementation doesn’t support it for iCloud ones, so any site that tries to require it wouldn’t work for millions of people. That pretty much kills it except for managed environments (such as when a company provides a hardware key and wants to make sure that’s the only thing that’s used).

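The trade-off described in the comment above, as an added example (not part of any comment in this thread and not any vendor's code): a relying party's registration check with a consumer policy that accepts unattested passkeys and a managed policy that requires attestation plus an allowlisted authenticator model. The policy field names, the sample AAGUID and the constructed authenticator data are assumptions.

```javascript
// Added example: relying-party acceptance policy over WebAuthn authenticator data.
// Assumes the attestation statement (signature, certificate chain) was already
// verified by the caller; this code only applies the acceptance policy.
const FLAGS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40 };

function parseAuthData(buf) {
  // Layout: rpIdHash (32) | flags (1) | signCount (4) | attested credential data
  if (buf.length < 37) throw new Error("authenticator data too short");
  const flags = buf[32];
  const info = {
    userVerified: (flags & FLAGS.UV) !== 0,
    backupEligible: (flags & FLAGS.BE) !== 0, // credential may be synced
    backedUp: (flags & FLAGS.BS) !== 0,
    aaguid: null,
  };
  if (flags & FLAGS.AT) {
    // AAGUID (16) | credentialIdLength (2) | credentialId | public key
    if (buf.length < 55) throw new Error("truncated attested credential data");
    info.aaguid = buf.subarray(37, 53).toString("hex");
  }
  return info;
}

// policy.requireAttestation and policy.allowedAaguids are hypothetical names.
function decideRegistration(policy, fmt, authData) {
  const info = parseAuthData(authData);
  if (!policy.requireAttestation) return { accept: true, info };
  if (fmt === "none")
    return { accept: false, reason: "no attestation statement", info };
  if (info.backupEligible)
    return { accept: false, reason: "syncable credential", info };
  if (!policy.allowedAaguids.includes(info.aaguid))
    return { accept: false, reason: "authenticator model not allowlisted", info };
  return { accept: true, info };
}

// Builds constructed authenticator data for the sample cases (not real captures).
function sampleAuthData(flags, aaguidHex) {
  return Buffer.concat([
    Buffer.alloc(32, 0xaa),          // rpIdHash placeholder
    Buffer.from([flags]),
    Buffer.from([0, 0, 0, 0]),       // signCount
    Buffer.from(aaguidHex, "hex"),   // AAGUID
    Buffer.from([0, 2, 0x01, 0x02]), // credentialIdLength = 2, credentialId
  ]);
}
```

Under the managed policy, a registration with attestation format `none` is rejected, which is the breakage for ordinary users that the comment describes; the consumer policy accepts the same registration.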
12 points

Does it require an array of fucking containers and a flurry of webAPI calls? Then no.

6 points

No, it’s actually pretty simple. No containers. Your passkeys can be managed in the browser (Google Passwords), by a plug-in like Bitwarden, or in a third party hardware device like YubiKey.

20 points

I still have no idea how to use passkeys. It doesn’t seem obvious to the average user.

I tried adding a passkey to an account, and all it does is cause a Firefox notification that says “touch your security key to continue with [website URL]”. It is not clear what to do next.

11 points

After my password manager auto filled a password and logged me in the website said “Tired of remembering passwords? Want to add a passkey?” I didn’t know what it meant so I said no lol.

1 point

Me too, I don’t trust the system and I don’t want to be locked into a specific browser and/or device.

5 points

I think you actually have to buy a passkey device. Then configure it to work with a particular account.

You plug the passkey into your computer and then whenever it asks for a password you literally touch it and it does its thing. I think there are options like biometrics that you can add on top but you don’t have to have that.

8 points

Devices themselves can act as passkeys too - i.e. your phone, laptop etc…

4 points

…except the ones that can’t

I think it depends on whether you have a TPM chip in it

8 points

If that’s what’s needed, I can say with some certainty that adoption isn’t going to be picking up any time this decade.

1 point

They’ve been around forever as a concept; I think I even have one for accessing some servers at work. You’re right, no one uses them.
