Passkeys are primarily about vendor lock-in

20 points by srevenant ↗ HN
Hear me out, THEN tell me how wrong I am :D

With Microsoft's latest admission that they're FORCING everybody to use passkeys, it really gives one a moment of pause to reflect.

In the mad rush to "improve security" many people seem to be missing the entire point in this debate.

Passwords are "something you know" Passkeys are "something you have"

These two things are individual factors, and are not exclusive. Infact, "MFA" is to use two factors, not just one; and that is where the security comes from.

Switching to Passkey is nominal, at best, without having a second factor to keep it MFA.

If you care about security, don't delude yourself in thinking passkey alone is some sort of holy grail, it's not.

However, the push to replace passwords with passkeys is a fundamental shift in security paramount to changing gravity. And I, at least, think it's a serious mistake.

The reason is that passkeys require something you have. Either hardware or virtually with software, but if you, for some reason, don't have that thing, then guess what? For most lay users, it's a serious point of pain and friction. Those who care about security are willing to accept that, but EVERYBODY? Is it really necessary for every single person to stop using passwords? Seems like a myopic assertion that doesn't consider the users themselves.

The real problem here is evidenced by WHO is pushing for this. It is the platform vendors. Microsoft. Apple.

And why is that?

If Microsoft actually cared about their user's security, they'd have resolved many other problems before this.

Personally, I think is about one thing and one thing only: Control of the users, and vendor lock-in to their walled garden.

13 comments

[ 3.1 ms ] story [ 24.6 ms ] thread
(comment deleted)
If you lose your passkey, why can you not reset your account like you would if you lost your password? These conspiracy theories are wild. Passwords suck. People reuse them. They use simple passwords. They are highly vulnerable auth factors. Passkeys are certificate auth for normies.

https://www.yubico.com/resources/glossary/what-is-certificat...

https://passage.1password.com/post/passkeys-compliance-stand...

https://www.biometricupdate.com/202408/passkeys-highlighted-...

People use simple locks on their doors. Have for hundreds of years. Brute force is easy. Or hell, a five dollar kit on amazon will open the lock without damaging anything. Nobody’s rushing to fix that. What’s the difference? Usually if you enter somewhere you shouldn’t physically be, someone (or some device) will see you. We don’t have that guarantee with digital systems because owners of said systems don’t want the responsibility. So they shift the blame to people: people who use simple or repeat passwords. It’s not a conspiracy theory. It’s basic economics: avoid (the costs of) responsibility. Blame the customer.
Passwords are a technology. The technology is fundamentally flawed and inherently vulnerable. Those with resources have developed a fix for the vulnerable technology, in accordance with their responsibilities. Developing the standard and deploying passkey support is not free.

If customers want to free ride where they are not exposed to the cost of using weak passwords, or using passwords in general, I would encourage them to find an org willing to eat those identity defense costs. Why should orgs pay the cost for users who want to remain on passwords? Customers are not entitled to weak or vulnerable technology implementations simply because they desire them and there is a material cost versus a more secure technology implementation.

I don’t think we’re arguing about the same thing anymore, if we ever were
Many new home builds come with digital locks now.
What vendor lock in? I have passkeys set in 1password, Bitwarden, Chrome, macOS, and Android. It's fantastic using them to login to various sites and never having to deal with passwords.

They're not 2fa, they're a replacement for manually entering passwords. Basically a more secure autofill. Way easier to use than trying to adhere to every site's different pw requirements.

This surely would have been better as a comment on a passkey story?

Re: MFA

Password risk: low quality, reuse, malware, leak, phishing, social eng

Password+MFA risk: malware, leak, phishing, time-limited social eng

Passkey risk: malware

The benefit of MFA with a shared secret (aka password) is to defend against a party that has learned or guessed the secret (low quality password, password reuse, user hack/malware, system hack/leak, phishing). By requiring something you have (access to email, SMS, an authenticator app), and can prove you have access to in a small window - you can significantly reduce the risk of a successful login from someone other than the user. Reduce - if it's user hack/malware, or social engineering the other factor may also be obtainable.

Passkeys use public key crypto, rather than shared secrets. Your password never leaves your device(s), so system hack/leak can only lead to a public key becoming.. public. Passkeys are also machine generated, which eliminates the low quality password and password reuse problems. The negotiation is automated, rather than requiring typing from the user - so the ability to socially engineer is greatly reduced. Finally because the negotiation includes a challenge/response, you still make a time-limited proof you known (like MFA).

“never leaves your device(s)” aka “vendor lock-in” :)
That's not what it means? Or certainly not what I meant. As part of the protocol exchange, you do not send the private key. You're free to backup, duplicate to other devices, or write out your keys by hand... but the service has no right or capacity to demand the private key.
Eh, I don't know.

Many of the password storage services support passkeys (which are crossed platform). You can also use a Yubikey as a passkeys.

Regardless, most people will store their passkeys in their iCloud or Google accounts, and given that those certs live in secure enclaves, this is way more secure than writing passwords everywhere or using SMS for 2FA (especially given SIM cloning attacks and the whole Chinese hackers in our networks thing)

If you can't export them to local storage or an HSM of your choosing, can't inspect them, and can't lend them to others, then they're proprietary BS. The problem is the notion of a passkey provider with a "trust us to keep your private key intact and confidential on our servers" cloud-required mindset.