No exporting really is a feature. Otherwise people would be tricked into giving away passkeys much like they are with passwords today.
You can always register multiple passkeys with providers though. Already have a passkey with google but want another one via a different password/account manager? Just go into settings on google and add it! This is effectively how you’re meant to move passkeys around. Create a new and register that with the same services as the old one.
The real hassle right now is remembering all the services you attached your current passkey to so you can register a new passkey with them and it’d be nice if there was something similar to ninite installer for passkey registration. But still it's not a huge blocker. You can absolutely use multiple passkeys and login with any one of them.
Is this really a common attack vector vs. a company leaking their whole customer database and a bunch of password being revealed that way?
I'd rather have the possibility of being "tricked" than get locked into another walled garden. Maybe I'm wrong for feeling that way, but there are literally dozens of us.
On the topic of authentication, it's solved. SSH nailed it, any further complexity is strictly worse. Signing up is uploading a public key. Signing in is cryptographically signing a commitment to the current ephemeral tunnel.
I guess a desirable trait of seniority is to balance the urge to play with new toys vs the feeling that sometimes we are running in circles, repeating the same mistakes with different tech.
What do you need to do to keep family from (a) not getting locked out and (b) not getting phished?
I can see how SSH could be used for authentication on the web. And I have no doubt that it would be sound out-of-the-box. But I am not sure what you mean by your last sentence. Do you mean that authentication targets are gated and only reachable by establishing a tunnel via some kind of forwarding?
Aside from the wonderful possibilities that are offered by using port forwarding of some kind, you could also simply use OpenSSH's ForceCommand to let users authenticate via SSH and then return a short-lived token that can then be used to log into an application (or even a SSO service).
I guess no one uses SSH for authentication in this way because it is non-standard and kind of shuts out non-technical people.
No, it's just how you authenticate with signing keys. Given that a secure channel has been set up with ephemeral keys, you can sign a commitment to the channel (like the hash of the shared secret key) to prove who you are to the other party.
> let users authenticate via SSH and then return a short-lived token that can then be used to log into an application (or even a SSO service)
This is exactly what I recommend. If everyone did this, then eventually then the browsers or 1password could support it.
Being in charge of the strength and security of your private key is something most people don't want to do, so we get multiple identities made "easy" by walled gardens getting popular in passkeys.
How do I sign in from multiple computers?
You can either have 1 key pair per service and sync them with something like 1password. Or you can have 1 key per service per device. Keys that never leave the device is usually considered more secure (and I agree for what I consider my threat model to be).
Important services like primary email, your bank, or cloud platform should probably do 1 key per device. Everything else benefits from the simplicity of 1 key per service with the keys synced.
Actually, a benefit of passkeys is the standardization of client-side cross-device authz operations via caBLE and similar; your secret keys never leave your primary device, but are usable from other devices over a variety of transports.
It also applies to SSH keys. I never said that passkeys couldn't do everything SSH keys can do. My criticism is that they are more complicated to do the same thing.
This is exactly what not valuing simplicity looks like.
This isn't such a big deal in the SSH ecosystem, but it would be a disaster on the Web where there is an enormous incentive to track users. Part of WebAuthn's complexity comes from addressing that.
Everything else about managing which public keys are for what does not need to be decided in a standard. The users can choose whatever key management solution works best for them. What those links get at is a problem of key management. A single set of keys, where you send all of them to every server all the time, is a bad strategy.
The complexity of X.509 belongs in the domain name system. If a bunch of large corporations want to come up with complicated formats so they can decide who gets to call themselves what on the internet, let them do that, but don't let them complicate basic security for the rest of us.
The experience to beat is swapping SSH keys. 95% of developers have setup access to a new machine using SSH. That should be the default experience for authenticating on the internet, and anything more complicated should be strictly opt-in.
Edit: or put another way, why should I have to load another library for PKA when I already have one that works just fine?
Ever tried to SSH with a security key... through FIDO2? Or would you say that having your private key as a file on your computer is strictly better than having it in a security key? :-)
Ditto
I have 50 terabytes of data breaches on a NAS with lots of plain text or badly encrypted passwords, and that's just a small subset of what's out there.
Signing into my accounts on my children’s devices has turned from a straightforward process to an incredibly frustrating experience. I find myself juggling all kinds of different apps and flows.
My kids use prepaid numbers, once I changed one and forgot to tell Apple, when I realized that I needed the old number later, it took me a month at least to get it back.
I really like passwords, the security risks are well known and really easy to handle compared to 2FA and all that crap, specially when 99% of your accounts are not sensitive enough to merit anything fancy.
(customer identity and access management is a component of my work at a fintech)
The reality is that TOTP has been obsolete for awhile now. It's a net negative for ordinary users that is kept front-of-mind for everyone because nerds like us are attached to it.
IME as a customer/user, financial institutions are some of the worst culprits for doing appalling things in the name of security (theatre) anyway.
Everything else is a security theatre and an UX pain.
This argument was made in the context of moving out of the Apple ecosystem (are there other ecosystems one would want to leave where the only option is paying for something like 1password?). I don’t really buy it because I can’t work out a situation where one is switching from some expensive ecosystem but unable to pay a low fee for 1password. But maybe I’m missing an example.
Bitwardens free tier is also generous enough that a lot of people won't have to pay
Author here. Insert your favorite ecosystem in that people currently have. If you have a windows 11 computer you end up with Windows Hello passkeys for free. If you have a Chromebook then it will be something else.
Apple devices show up in low income households somewhat regularly where I live because of subsidized iPads for education.
Just now, at least in Europe, there is a huge push to force users to authenticate themselves with their actual identity, even for ordinary Internet services. This is happening simultaneously in many countries (including non-EU countries like Switzerland). It almost has to be a coordinated effort....driven by whom? Passkeys play into this.
Call me paranoid...
Yes, it's awful during the transition period while the tech matures, but there is a path towards a great future.
The last time I tried to use passkeys, the desktop was easy. What about mobile? There wasn't a local third-party password manager that could work with passkeys on Android.
We already require TOTP-based 2FA, and have even implemented secure TOTP via our mobile apps. Customers still do not understand 2FA and probably never will; we regularly have customers request 2FA resets after using their 10 backup codes. SMS- or email-based 2FA is a no-go.
We don't require hardware attestation, as that is the recommendation of the FIDO alliance and Google/Apple/Microsoft. It doesn't make sense to cut out iCloud/Google-synced passkeys given the clear security benefits over passwords+2FA.
Keep in mind that for our service, we regularly see attackers set up copycat sites to phish user credentials, and pay for Google Search ads to appear before our site in search results. These phishing attempts are sophisticated and customers will send their 2FA codes through them. _This is impossible with passkeys._
I just use a simple shell script with dmenu/xclip/oathtool:
#!/bin/zsh
typeset -A opt=(
Docker ABC
GitHub DEF
# ...
)
k=$(print -l ${(ko)opt} | dmenu -i)
[[ $k != "" ]] && oathtool --totp --base32 $opt[$k] | xclip -rmlastnlI don't know if that would work but it is an interesting idea to me. However, it also illustrates that authentication and protecting user identity on the web without sacrificing anonymity is a _political_ problem not a technical problem. I have always been told that when thinking about security you have to define what threat are you trying to protect yourself from. I see discussions on security and virtually all of them ignore that the govt or govt controlled corps (i.e. fascism) is a much bigger threat to individuals and freedom than so called "hackers" or "terrorists" and other boogie men, etc.
Not being able to use the passkey manager at all is a bigger concern. For example Keepassxc works with some sites but not with others. It's super annoying and way worse than situation with passwords.
bmandale•2h ago
The name of the issue reveals the actual problem: "should never be exported in clear text". If the export was encrypted with a passphrase in a standard format, then there would be no issue. It's specifically doing it in plain text that causes consternation. Of course, in practice it doesn't make much of a difference when users are incapable of choosing secure passwords, let alone passphrases. But requiring exports to be encrypted is the least one can do to maintain a degree of security while still allowing exports.
> For many years already, people lose access to their Google account every day and can never regain it. Google is well known for terminating accounts without stating any reasons. With that comes the loss of access to your data. In this case, you also lose your credentials for third-party websites.
In practice this is frequently already true. Many sites require an email to sign up. Whenever you attempt to log in on a new device, they require you to type in a code sent to your email. Without access to your email, you cannot sign in.
tuckerman•2h ago
I am sympathetic to the intent but the words of Patrick Henry come to mind too often in conversations like these. I love passkeys and appreciate secure defaults but I feel strongly that user freedom is a more fundamental requirement than preventing phishing attacks.
AlotOfReading•2h ago
Moreover, "just" password protecting a file isn't allowed by the draft CXP standard (https://fidoalliance.org/specs/cx/cxp-v1.0-wd-20241003.html#...), you have to use a HPKE scheme where the key exchange is manually orchestrated by the user to export offline. I get it from a security perspective, but that's stupid.
tadfisher•1h ago
AlotOfReading•1h ago
tadfisher•1h ago
There is no such guarantee if credential-stealing malware can export your private key material in plaintext!
AlotOfReading•48m ago