“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.
ITT: Incredibly non-technical people who don’t have the first clue how Passkeys work but are convinced they’re bad due to imaginary problems that were addressed in this very article.
This is a weird thread. Lots of complaints about lock in and companies managing your keys, both of which are easily avoidable, the exact same way you’d do so with your passwords.
I’m lost on this - is this better than GPG?
More usable for the average user and more supported by actual sites and services, so yes.
Meanwhile mobile Firefox doesn’t even support YubiKey / FIDO2 for some godforsaken reason.
I still have no idea how to use passkeys. It doesn’t seem obvious to the average user.
I tried adding a passkey to an account, and all it does is cause a Firefox notification that says “touch your security key to continue with [website URL]”. It is not clear what to do next.
After my password manager auto filled a password and logged me in the website said “Tired of remembering passwords? Want to add a passkey?” I didn’t know what it meant so I said no lol.
If the passkeys aren’t managed by your devices fully offline then you’re just deeper into being hostage to a corporation.
If you tell corporations there’s a way to increase lock-in and decrease account sharing, they’re gonna make it work.
One is a new technical specification called Credential Exchange Protocol (CXP) that will make passkeys portable between digital ecosystems, a feature that users have increasingly demanded.
I.e. I can copy my key to my friends’ device.
deleted by creator
That’s not how Passkey, and the underlying WebAuthn works.
(Highly simplified, but still a bit technical.) During registration, your key and the service provider's website interact. Your key generates a private key locally that doesn't get sent out, and it is the "password" you hold. The service provider instead gets a public key, which can be used to verify that you hold the private key. When you log in, instead of sending the private key like a password, the website sends something to your key, which needs to be signed with the private key, and they can verify the signature with the public key.
The CXP allows you to export the private key from one keystore to another securely. Service providers (Netflix) can't do anything to stop that, as they don't hold anything meaningful, let alone a key (what key?), to stop the exchange.
I believe that’s Apple talking to Google, not anything local you can own.
It’s gonna work with KeePass and Bitwarden once it’s finalized.
I’d love to see that.
Am skeptical