The limit to one of physical device is an advantage not they major problem. Exporting means copies can be made. Copies means someone else can own my key without my knowledge.
It's a huge trade-off and arguably one whose countermeasures are too burdensome for normal users. Folks will get locked out when they lose their device. So they'll end up back to secret questions (a slightly more human friendly password), backup codes (also easily lost passwords), or have to buy and grant access to another device for every service.
Also requires sites and services actually accept another -- or weaker -- device/secret as a backup.
IMO Passkeys are dead unless both services and device makers can automate adding another device easily, securely, and for all active services at once. Otherwise their benefits are too small and costs too large to justify broad and indefinite support.
This! While I agree that passkeys need to be as secure as possible to replace (not so secure) passwords, the part about loosing access to your account needs to be solved.
Account recovery is usually the weakest point of any system (e.g. social engineering calling support to reset account access)
I don't have the answer to this, but a single key locked into one device is definitely a strategy for disaster (or doesn't offer much additional security when still paired with passwords)
You can use Stripe Identity or similar to government credential proof someone for about $2 per proofing request. High level, you want to bind IRL identity to digital identity (passkeys) when you have high identity assurance.
Let’s assume crypto proofing is insufficient (because people lose their cryptographic primitives, secure authenticators, and recovery codes), and US digital identity is still playing catch-up to the developed world (I assume one day login.gov, the USPS, and other trust anchors will be able to attest to who you are). Therefore, having a commercial identity proofing provider providing account recovery seems like the optimal solution.
(management of customer digital identity is a component of my work at a fintech)
Instead of passwords many security keys have a pin or biometric that can replace the password. The main advantage is that access is that they are made difficult or impossible to brute force.
You do realize you can use the same devices for as many services as you want. You don't need to "buy and grant access to another device for every service".
Have a couple devices. Your phone, security key, etc and use at least 2 for every service you use.
I meant you have to have more than one device so there's a backup, or else rely on alternative means to recover. Not that every service needs its own device.
And if one needs a backup device then one must also register both with every new service.
I’ll save you 2 minutes: this whole article is a roundabout ad for the author’s password manager, the complaint being there is not a standardized import/export functionality in the industry (fair). But I’m pretty sure 1Password supports passkeys already (or maybe they’ve just written a lot about them?).
Author here. This is somewhat an ad, but also a bit of a manifesto for what I think is the main problem with the current passkey managers (only Apple and Google currently have released theirs).
1Password is also working on passkeys, which I think is great! Their support currently isn't out yet, but they also recognize that passkeys need to be exportable and transferable, which gives me a lot of hope for the future. I would also say that my preferred passkey manager is open source, which is part of why I built my own, but I do not mind at all people who want to use 1Password instead.
I've been working on passkeys for almost a year now, and I wanted to share my thoughts on how this part of the industry is going and what I think needs to happen next. Thanks for reading!
It’s a nice product so I hope I didn’t come across too passive aggressive; but buried ledes can be frustrating for readers. Thanks for producing freely licensed work like virtual-fido, which looks very useful indeed. I’d imagine you are heading towards a commercial hosted option, so best of luck in this business.
15 comments
[ 2.0 ms ] story [ 47.0 ms ] threadAlso requires sites and services actually accept another -- or weaker -- device/secret as a backup.
IMO Passkeys are dead unless both services and device makers can automate adding another device easily, securely, and for all active services at once. Otherwise their benefits are too small and costs too large to justify broad and indefinite support.
Account recovery is usually the weakest point of any system (e.g. social engineering calling support to reset account access)
I don't have the answer to this, but a single key locked into one device is definitely a strategy for disaster (or doesn't offer much additional security when still paired with passwords)
https://stripe.com/identity
https://pages.nist.gov/sp800-63a.html
Let’s assume crypto proofing is insufficient (because people lose their cryptographic primitives, secure authenticators, and recovery codes), and US digital identity is still playing catch-up to the developed world (I assume one day login.gov, the USPS, and other trust anchors will be able to attest to who you are). Therefore, having a commercial identity proofing provider providing account recovery seems like the optimal solution.
(management of customer digital identity is a component of my work at a fintech)
Have a couple devices. Your phone, security key, etc and use at least 2 for every service you use.
And if one needs a backup device then one must also register both with every new service.
1Password is also working on passkeys, which I think is great! Their support currently isn't out yet, but they also recognize that passkeys need to be exportable and transferable, which gives me a lot of hope for the future. I would also say that my preferred passkey manager is open source, which is part of why I built my own, but I do not mind at all people who want to use 1Password instead.
I've been working on passkeys for almost a year now, and I wanted to share my thoughts on how this part of the industry is going and what I think needs to happen next. Thanks for reading!
Doesn't autofill by a password manager already achieve this? It will not autofill on a fishing domain