This misses a really important point that makes some of what it says super misleading. Passkeys support the concept of "attestation", which lets them prove to the website what kind of authenticator they are. Websites can use that to mandate that only, e.g., hardware-backed authenticators that are made by Apple or Google and can't be backed up can be used. Attestation is an entirely evil feature with no legitimate uses. If not for it, then passkeys would be as great as this article makes them sound.
Attestation is an optional feature (that the site needs to turn on) that basically restricts authentication to that site to a particular brand's authenticators.
It might be that every site restricts their allowed authenticators to one from Google or Apple, but there isn't much point in intentionally breaking your users' devices. I don't think attestation will be widely deployed outside of some niche corporate cases (e.g. you can only use a Yubikey to log in to the company VPN).
The narrative of passwords being deprecated makes me skeptical as well. Remote attestation to me is just a vehicle for corporations to demand certain hardware, overall making the net much less interoperable and free. I am thinking Netflix forbidding me to watch HD content here if I do not bring the correct browser.
Many services already do fingerprint my machine and I heavily dislike it since I often do use different machines and I am tired of these cookie banners bugging me. This is not part of my security model and it is forced upon me. I am aware of the potential benefits, but I am also aware of the often far more specific costs.
3 comments
[ 4.0 ms ] story [ 18.3 ms ] threadIt might be that every site restricts their allowed authenticators to one from Google or Apple, but there isn't much point in intentionally breaking your users' devices. I don't think attestation will be widely deployed outside of some niche corporate cases (e.g. you can only use a Yubikey to log in to the company VPN).
Many services already do fingerprint my machine and I heavily dislike it since I often do use different machines and I am tired of these cookie banners bugging me. This is not part of my security model and it is forced upon me. I am aware of the potential benefits, but I am also aware of the often far more specific costs.