An article I read recently suggested that storing passkeys with Google, Apple, and M$ didn’t have interoperability. Like you need a Mac/iPhone or PC/Android to make it work. Is this true? Can I store a passkey in a platform agnostic way?
Can I store a passkey in a platform agnostic way?
If by “platform” you mean OS, then yes - and the best way to do that is to use a dedicated password manager instead of something that’s tightly integrated with an OS.
That said, iCloud keychain is available on Windows, but not Android. Likewise with Google Password Manager - it supports Macs, but not yet support iPhones or iPads.
However you can also use a password manager like one of these and use it across every platform:
- Bitwarden
- 1Password
- ProtonPass - Passkeys Help Article
- Roboform - Passkeys help article
- Dashlane
- NordPass
Based on my experience (with Bitwarden) or research, all support passkeys in browser extensions for Firefox and Chromium browsers and/or desktop apps on Linux, Mac, and Windows, as well as in apps for iOS and Android.
Keepass also might be an option, as KeePassXC supports passkeys and is available on Mac, Windows, and Linux, but I didn’t see any mobile clients that advertise support for passkeys.
Even with the more open password managers, there isn’t a built-in way to transfer passkeys from one password manager to another. However, the FIDO Alliance is working on a spec for securely transferring passkeys so hopefully that’ll change soon and you’ll be able to transfer passkeys from one ecosystem to another.
Also, you can generally still log in on a device that your passkey service doesn’t support by scanning a QR code displayed on the target device on your phone, so long as both devices have Bluetooth (used for confirming physical proximity). I’ve only done that once and it wasn’t super streamlined, but it also wasn’t terrible. You can also save passkeys to your phone or security key (like a Yubikey) though be aware that a YubiKey 5 can only store 100 passkeys. And you can have multiple passkeys to a given service, so if you use a Mac but use an Android phone, you can save a passkey to iCloud Keychain on your Mac and to Google Password Manager on your phone.
EDIT: Looked up and added the correct limit for YubiKey passkeys
Aside from platform agnostic password managers having support for it as a commenter below pointed out you can also save it on a physical “hardware security key” (e.g. yubikey). Technically this should be the best option as there is no way for anyone to steal your passkeys unless they physically take apart your hardware key (and there’s even keys that have additional protections that make it impossible to take apart without destroying it).
However every single platform really pushes people towards using their own solution. So only their solution is neatly integrated in their platform and also preselected when you save a passkey. But all in all those are rather small hurdles for the security a hardware key gives.
It’s a bit of math, split into two pieces.
You hand out one piece, that’s the public key. It’s tiny and simple.
You keep the other piece, that’s the private key. It’s long and complex.
The public key can scramble data that only the large piece can unscramble.
The private key can create a piece of data that only the public key can verify.
In practice, these keys can be kept in a database or a file, and they can be held in a hardware security key (yubi/fido). They can be stored on your phone, in Bitwarden, and just about anywhere that keeps passwords, they’re really just a few thousand bytes of data.
In many cases, You can store them in your phone’s private password storage, then when you log into a website, it will trigger a popup on your phone to authorize your login, so you don’t even have to keep them on the computer you’re using to access the secured site. Most of the implementations require you to have a biometric component. You need to face scan, fingerprint scan, or, worst case, use a password to unlock/verify the passkey on the device.
The upside here is that the keys are unique to every site. The public key is completely safe to hand out to everyone, it can’t be reverse engineered. This means that websites can’t leak your login credentials in any meaningful way. edit: Also since you’re using math to change a piece of data, it’s impervious to a replay attack and the communication even unencrypted would be reasonably safe even if someone was actively reading it.
As far as storing for loss, I’d consider regenerating them. I prefer using a password manager that stores them, that way my phone/computers all have access to the same keys.
Is it any different than public/private ssh keys that I already use? Or just a rebranding?
Unintentional trick question :) SSH can use a ton of different crypto, so can passkeys (The actual Fido Spec if you want to read about it is webAuthn).
While they both support RSA, The WebAuthn default appears to be RFC-8152 https://www.rfc-editor.org/rfc/rfc8152 in an attempt to try to keep the sizes down.
To try and bake down the complex answers, if you are basically familiar with PGP or SSH keys the concept of a Passkey is sort of in the same ballpark. But instead of using the same SSH keypair more than once, Passkeys create a new keypair for every use (website) and possibly every device (e.g. 2 phones using 1 website may create 2 sets of keypars, one on each device) - and additionally embeds the username (making it “one-click login”):
- creating a passkey is the client and server establishing a ring of trust (“challenge”) and then generating a public and private pair of keys (think
ssh-keygen ...
) - embedded in the keypair is the user ID/username and credential ID, which sort of maps to the three fields of a SSH keypair (encryption type, key, userid optional in SSH keys) but not really, think concept not details
- when using a passkey, the server sends the client a “challenge”, the client prompts the user to unlock the private key (device PIN, biometric, Bitwarden master password, etc.)
- the “challenge” (think crypto math puzzle) is signed with the private key and returned to the server along with the username and credential ID
- the server, who has stored the public key, looks it up using the username + credential ID, then verifies the signature somewhat like SSH or PGP does
- like SSH or PGP, this means the private key never leaves the device/etc. being used by the client and is used to only sign the crypto math puzzle challenge
The client private key is stored hopefully in a secure part of the phone/laptop (“enclave” or TPM hardware module) which locks it to that device; using a portable password manager instead such as Bitwarden is attractive since the private keys are stored in BW’s data (so can be synced across devices, backed up, etc.)
They use the phrase “replay” a lot to mean that sending the same password to a website is vulnerable to it being intercepted and used n+1 times (hacker); in the keypair model this doesn’t happen because each “challenge” is a unique crypto math puzzle generated dynamically every use, like TOTP/2FA but “better” because there’s no simple hash seed (TOTP/2FA use a constant seed saved by the client but it’s not as robust crypto).
As far as I understand it, passkey is a password replacement and a protocol built on top of FIDO.
The intention is to replace passwords by cryptographic keys (asymmetric encryption). These keys come in pairs always:
- a private key: secret and only ever known to you
- a public key: given to the service you want to authenticate to. This key can also be seen as a lock that can only be open by the matching private key.
The keys are nothing more than text and they can very well be stored in files on a USB drive, copied, transferre, deleted, etc.
But passkey also defines the process to exchange and store the keys in a secure manner. Therefore in practice you will always use a password manager and maybe also some specific hardware, to automatically hand the key exchange and secure storage of all the different keys your have for all of the different services you registered to.
If you’re talking about what Google or Microsoft offer as a login tool, it’s basically a file hidden on your physical PC so when you attempt to login to a service that wants it, the service gets a password from you and the passkey from your actual device to authenticate you.
For example, I have passkey enabled on my windows PC that my Google account has a passkey in. Anytime I access the built in password manager in chrome, Windows now gives me a pop up for a PIN number, and then windows will authenticate on my behalf with the hidden passkey.
If I need to access my password manager from my phone or another computer, I have to use my Google password instead since my passkey isn’t on those physical devices.
I believe Microsoft stores your passkey files on your motherboards TPM module, but I could be wrong.