Challenge-response with asymmetric encryption is pretty much perfect. I wish all auth worked like SSH.
Passkeys kind of take that concept, but make it suck. No backups. Terrible interoperability.
The other day I attempted to create one on my Mac with Firefox. The system passkey popup came up and made me scan a QR code with my iPhone that had to be connected to the internet. Bitwarden (my iOS passkey manager, that part works well) did open, but after selecting the profile to create the passkey in, it errored out. No passkey for me.
zie · 9m ago
I implemented passkeys @ $WORK, and we rolled it out to our tech department only first. Nobody could make it work reliably, and troubleshooting it was basically impossible. The best you could do was just wipe their passkeys and have them try again.
I've since disabled passkey support and we have no plans to attempt a new rollout anytime soon.
As far as I can tell the only people that have "successfully" rolled out passkeys are the companies with effectively zero user support and they just refuse to support passkeys at all, so if they don't work for a particular user: whatever.
TOTP is fully rolled out and well supported. Troubleshooting it is "hard", but at least it's possible.
TOTP troubleshooting basically boils down to 3 things:
* Server time
* User Phone/device time(most users opt to use their phone to generate TOTP, but we don't care)
* More than one TOTP saved for a given site(i.e. they didn't replace the old and created a new TOTP shared key) or not saved at all.
Our tech/user support helpdesk can handle this but it took a lot of training. We built special tools. We still get requests from them when they get overwhelmed with the complexity.
Passkey troubleshooting:
* Mobile network, including bluetooth
* Server network connectivity
* Computer/device network, including BT connectivity to mobile device.
Most tech support can't handle that much complexity at once. Shoot, most developers and tech "whiz" people can't either. The error messages one does get, if they are lucky, are very general and not helpful at all(last I checked).
Passkeys are not currently fit for production where you have to support the users. I hope they get there.
1Password is the only client/device implementation of Passkeys that pretty much just works. It saves the passkey in the 1p vault, and the 1p vault can be synced across devices.
ziml77 · 7m ago
I haven't had any problems with syncing and using passkeys with 1Password and Firefox on MacOS, iOS, or Windows. When the site wants to create or use a passkey I get a prompt from 1Password on the device that I'm using. No need to involve a second device (which for me I'm fine with security-wise. If I really wanted to be sure there was no way of malware extracting the keys I would be using my Yubikeys)
andrewmcwatters · 41m ago
Passwords and password managers seem good enough to me, and TOTP support is everywhere now.
Passkeys just feel like a standard written by large tech companies as a flywheel technology to keep me locked into whatever hardware and software ecosystem I'm already in since seemingly no one besides maybe Bitwarden supports exporting them. Which seems pointless, because I don't know of any platform that supports importing them.
I am also getting tired of corporate white knight nerds defending trillion dollar companies telling me that portability isn't a concern.
labadal · 1h ago
I love passkeys. I love them being on my phone, requiring biometric authentication before unlocking. I just hate the vendor lock in that comes with it.
Does anyone know the state of the standard wrt this? I know that they planned on doing something about it, just haven't kept up.
vngzs · 52m ago
I can register my Yubikeys on account.google.com (and around the web, e.g., fastmail.com) as passkeys. If you visit the account security page[0] and enable "skip password when possible", then you can log in to Google with only a Yubikey-backed passkey.
If you have old Google creds on your Yubikey, you may have to first remove those creds from your account (because there are older and newer protocol choices, and with the old protocols enabled Google will not support passwordless login).
Multiple yubikeys are required if you would like to have backups; there is no syncing between keys.
I just use a Trezor One (yes, a bitcoin hardware wallet).
I back up my 12 word seed phrase, and then I can restore any and all my TOTP/FIDO/passkeys with another one if needed.
taeric · 1h ago
I always ask how you expect to defeat the vendor lock in?
Effectively you have a secret that you are using to authenticate yourself. With pass keys managed by a vendor, you are trusting that vendor to manage your secret. If they are able to give your secret to someone else, then they can no longer confirm who all knows your secret.
I'm sure you can come up with a protocol where you can fan out access to the secret in a way that requires fanning back messages to you. But I don't see any clear way to do so that doesn't increase the communication burden on everyone.
I'm also sure smarter people than me can surprise me with something, here. But secrets that can be shared historically tend to not be secrets for long.
blibble · 1h ago
> I'm sure you can come up with a protocol where you can fan out access to the secret in a way that requires fanning back messages to you. But I don't see any clear way to do so that doesn't increase the communication burden on everyone.
the spec actually supports this, it's called caBLE
taeric · 42m ago
Right, that flow seems somewhat straight forward and is roughly what I had in mind with my sentence. It doesn't really break you out of vendor involvement, though? You both still have to be fully in on the whole flow. Right?
Asked differently, how does this get a vendor out of the picture?
namro · 32m ago
On Android, Keepass2Android developer is working on supporting passkeys in the near future (https://github.com/PhilippC/keepass2android/issues/2099) but I'll be honest, I haven't dedicated enough time learning about passkeys to be sure the app will be able to support all implementations of passkeys and avoid vendor locking completely.
supportengineer · 1h ago
For me, the only thing that makes passkeys viable is backing them up in the cloud and automatically syncing them across devices. Otherwise, I do not trust them.
TechDebtDevin · 1h ago
What do you use?
dboreham · 52m ago
Not the parent, but the obvious answer is: a hard token (e.g. Yubikey). After all passkeys are just a software emulation of the smart card / FIDO2 mechanism that's been around for many years.
johnisgood · 1h ago
I'm not sure if this is satire. You trust the "cloud" and whatever does the syncing to the cloud? I definitely don't trust anything that "syncs to the cloud".
paulryanrogers · 59m ago
> I definitely don't trust anything that "syncs to the cloud".
What if you lose your device? Do you install alternate passkeys in a second device? Do you have to do that for every site and service?
hiatus · 1h ago
Can you expand on the vendor lock aspect? I have stored passkeys in my password manager, so they feel pretty portable to me. Is it that each service requires a unique passkey? That seems comparable to how each service would require its own TOTP seed.
Steltek · 18m ago
From the article:
> But how can websites know whether its users are using secure authenticators? Authenticators can cryptographically prove certain facts about their origins, like who manufactured it, by generating an attestation statement when the user creates a passkey; this statement is backed by a certificate chain signed by the manufacturer.
How many scummy companies trot out "Let me protect you from yourself" to justify taking away their users' freedoms?
supportengineer · 1h ago
Your password manager came from a vendor. As a thought exercise, switch vendors.
EnPissant · 1h ago
Bitwarden exports include passkeys.
dboreham · 55m ago
Have you actually tried exporting a passkey and importing it into another manager, then successfully authenticate with it?
yladiz · 1h ago
Unfortunately I don’t think there’s much to help with vendor lock in directly (like, you may or may not be able to export the private key(s) depending on the tool, and in some cases it’s definitely not possible like with a hardware key), but any website that supports passkeys supports WebAuthn in general so you shouldn’t have difficulty migrating to another tool if desired, although you would need to register again.
reginald78 · 49m ago
Passkeys support an attestation anti-feature, enshrined in the spec. This feature can be abused (and will be IMO, why put it in the spec otherwise?) to limit which providers can access a service. Lock-in is built into the design.
One of the developers already threatened to use it against keepass when they built an export feature he didn't agree with.
parliament32 · 33m ago
Attestation is probably the best feature of passkeys.
From a corporate compliance perspective, I need to ensure that employee keys are stored in a FIPS-compliant TPM and unexportable. Key loss is not an issue because we have, ya know, an IT department. The only way I can ensure this happens is by whitelisting AAGUIDs and enforcing attestation.
With these factors I can also get out of the MFA hellhole (because I can prove that whitelisted vendor X already performs MFA on-device without me having to manage it: for example, WHFB requires something you have (keys in your TPM) and either something you are (face scan / fingerprint) or something you know (PIN), without me having to store/verify any of those factors or otherwise manage them). Same goes for passkeys stored in MS Authenticator on iOS/Android.
yladiz · 10m ago
But most passkey providers don’t return attestation data. How do you get the data?
jp191919 · 1h ago
I use KeepassXC on my PC. Not sure of an app for mobile though.
Passkeys kind of take that concept, but make it suck. No backups. Terrible interoperability.
The other day I attempted to create one on my Mac with Firefox. The system passkey popup came up and made me scan a QR code with my iPhone that had to be connected to the internet. Bitwarden (my iOS passkey manager, that part works well) did open, but after selecting the profile to create the passkey in, it errored out. No passkey for me.
I've since disabled passkey support and we have no plans to attempt a new rollout anytime soon.
As far as I can tell the only people that have "successfully" rolled out passkeys are the companies with effectively zero user support and they just refuse to support passkeys at all, so if they don't work for a particular user: whatever.
TOTP is fully rolled out and well supported. Troubleshooting it is "hard", but at least it's possible.
TOTP troubleshooting basically boils down to 3 things:
* Server time
* User Phone/device time(most users opt to use their phone to generate TOTP, but we don't care)
* More than one TOTP saved for a given site(i.e. they didn't replace the old and created a new TOTP shared key) or not saved at all.
Our tech/user support helpdesk can handle this but it took a lot of training. We built special tools. We still get requests from them when they get overwhelmed with the complexity.
Passkey troubleshooting:
* Mobile network, including bluetooth
* Server network connectivity
* Computer/device network, including BT connectivity to mobile device.
Most tech support can't handle that much complexity at once. Shoot, most developers and tech "whiz" people can't either. The error messages one does get, if they are lucky, are very general and not helpful at all(last I checked).
Passkeys are not currently fit for production where you have to support the users. I hope they get there.
1Password is the only client/device implementation of Passkeys that pretty much just works. It saves the passkey in the 1p vault, and the 1p vault can be synced across devices.
Passkeys just feel like a standard written by large tech companies as a flywheel technology to keep me locked into whatever hardware and software ecosystem I'm already in since seemingly no one besides maybe Bitwarden supports exporting them. Which seems pointless, because I don't know of any platform that supports importing them.
I am also getting tired of corporate white knight nerds defending trillion dollar companies telling me that portability isn't a concern.
Does anyone know the state of the standard wrt this? I know that they planned on doing something about it, just haven't kept up.
If you have old Google creds on your Yubikey, you may have to first remove those creds from your account (because there are older and newer protocol choices, and with the old protocols enabled Google will not support passwordless login).
Multiple yubikeys are required if you would like to have backups; there is no syncing between keys.
For support matrices, see [1].
[0]: https://myaccount.google.com/security
[1]: https://passkeys.dev/device-support/
I back up my 12 word seed phrase, and then I can restore any and all my TOTP/FIDO/passkeys with another one if needed.
Effectively you have a secret that you are using to authenticate yourself. With pass keys managed by a vendor, you are trusting that vendor to manage your secret. If they are able to give your secret to someone else, then they can no longer confirm who all knows your secret.
I'm sure you can come up with a protocol where you can fan out access to the secret in a way that requires fanning back messages to you. But I don't see any clear way to do so that doesn't increase the communication burden on everyone.
I'm also sure smarter people than me can surprise me with something, here. But secrets that can be shared historically tend to not be secrets for long.
the spec actually supports this, it's called caBLE
Asked differently, how does this get a vendor out of the picture?
What if you lose your device? Do you install alternate passkeys in a second device? Do you have to do that for every site and service?
> But how can websites know whether its users are using secure authenticators? Authenticators can cryptographically prove certain facts about their origins, like who manufactured it, by generating an attestation statement when the user creates a passkey; this statement is backed by a certificate chain signed by the manufacturer.
How many scummy companies trot out "Let me protect you from yourself" to justify taking away their users' freedoms?
One of the developers already threatened to use it against keepass when they built an export feature he didn't agree with.
From a corporate compliance perspective, I need to ensure that employee keys are stored in a FIPS-compliant TPM and unexportable. Key loss is not an issue because we have, ya know, an IT department. The only way I can ensure this happens is by whitelisting AAGUIDs and enforcing attestation.
With these factors I can also get out of the MFA hellhole (because I can prove that whitelisted vendor X already performs MFA on-device without me having to manage it: for example, WHFB requires something you have (keys in your TPM) and either something you are (face scan / fingerprint) or something you know (PIN), without me having to store/verify any of those factors or otherwise manage them). Same goes for passkeys stored in MS Authenticator on iOS/Android.