Cool story, but the eff is the best suited publication to deal with the intrinsic legal issues, and im disappointed they let that field lay fallow.
Namely, a passkey is something you have- does that mean it can be seized with a warrant the same way your biometrics can be, or the same way papers in a locked safe can be?
I think the answer is yes, Lavabit was famously compelled to produce cryptographic key material.
Isn't it also something you know? They mention that using passkeys usually requires unlocking a password manager, so presumably they're encrypted at rest
Also note that password managers generally won’t let you export a copy of your passkeys for offline backup.
Until this is fixed, no thank you.
Give me a secure way to make backups on my own infrastructure without the need to forgo my data sovereignty and disaster recovery dependencies to the likes of Google, Apple, etc.
Unfortunately that also opens up the tech support scam vector of “Hi, this is your bank, we need you to copy-paste this value for us so we can enhance the security on your account”.
I’m not saying that’s the only (or even main) reason Google and Apple don’t let users make their backups, but explicit non-exportability can be considered a feature in some contexts.
The fact Google and Apple do that (for security reasons) also have the negative impact to de-responsabilize users. Which is also one of the causes of why scams work.
If users were more alert of the technologies they're using, there would be less social hacking.
One thing that is crucial is that websites MUST support multiple Passkeys per account, otherwise you end up with a single point of failure if something happens to your password manager.
It's good that you can't export a Passkey, which reduce the attack vector against phishing and extraction. It's kinda like how an SSH or a GPG private key should never leave the computer it was generated from, and each machine should have their own unique private key.
I ran into the issue earlier when implementing WebAuthn. Realizing that user authentication was tied to a single device/ecosystem, I wanted to allow the user to register a second key -- but because their authentication was tied only to their existing physical authenticator, I had no way to authenticate the second machine without magic email link, or setting a password and logging into the second device, which seems to completely defeat the purpose.
Password manager support is optional (though at that point you're using a passkey as a re-authentication method, which is nice but doesn't take advantage of the full potential).
That leaves website support. Hopefully more and more web sites will enable it. https://passkeys.directory/ is a list that do.
Password manager and OS support should be an “or”, not an “and”.
And if I’m not mistaken, password manager browser extensions should be able to inject their WebAuthN implementation into browsers as well; at least that’s what 1Password seem to be doing on Firefox and Chrome.
Good explanation, bookmarked. I will likely start using them as keepassxc's implementation matures. But not until then. No way am I touching anything control by the likes of apple/Google/Microsoft. And I'm not tying everything to a single device either, or having multiple devices as backups.
12 comments
[ 3.4 ms ] story [ 26.7 ms ] threadNamely, a passkey is something you have- does that mean it can be seized with a warrant the same way your biometrics can be, or the same way papers in a locked safe can be?
I think the answer is yes, Lavabit was famously compelled to produce cryptographic key material.
Until this is fixed, no thank you.
Give me a secure way to make backups on my own infrastructure without the need to forgo my data sovereignty and disaster recovery dependencies to the likes of Google, Apple, etc.
I’m not saying that’s the only (or even main) reason Google and Apple don’t let users make their backups, but explicit non-exportability can be considered a feature in some contexts.
It's good that you can't export a Passkey, which reduce the attack vector against phishing and extraction. It's kinda like how an SSH or a GPG private key should never leave the computer it was generated from, and each machine should have their own unique private key.
So 3 points of failure. What can go wrong ?
Password manager support is optional (though at that point you're using a passkey as a re-authentication method, which is nice but doesn't take advantage of the full potential).
That leaves website support. Hopefully more and more web sites will enable it. https://passkeys.directory/ is a list that do.
And if I’m not mistaken, password manager browser extensions should be able to inject their WebAuthN implementation into browsers as well; at least that’s what 1Password seem to be doing on Firefox and Chrome.