A second Yubikey in a safe is a lower cost option than a second passkey compatible device...
What is the recovery process and what prevents it from being gamed itself?
A passkey only authenticates a device (or group of devices). All passkey providers must provide secondary methods for validating the identity of their users so that additional passkeys can be issued when a device is lost.
But if that secondary validation is garbage then the passkey is also garbage. That problem is not unique to passkeys, though. (Strong passwords have the same problem: they're only as strong as the reset mechanism.)
Wasn't the whole point of passkeys over FIDO2 keys the fact that you can have the same secrets stored on more than one device? (thus mitigating the largest pitfall of FIDO2 keys -- losing the physical key)
Always do threat modeling when talking about security, otherwise you end up just bike shedding.
No joke, I once recovered access to a Google account by loading a TOTP backup in an app in an Android emulator. Otherwise I might have been in a bit of trouble.
Have you considered the case of "the wrong person" taking the device from you non-accidentally?
I'm glad that you live in a world where you've never had anything stolen (..or confiscated by officials).
What a wonderful feature: give anyone who can snatch/break my phone an easy way to lock me out of all my accounts. Especially useful when traveling.
Not to mention the absolutely-never-happening scenarios like, um, dropping the phone. Should've backed up your keys!
(Apple will gladly restore them for you from the cloud once you purchase a new iPhone)
Oh wait, never mind: "The inability to move them is a feature, not a bug."
> All passkey providers must provide secondary methods for validating the identity of their users
Like what, getting an OTP on a known device / phone number / email that you no longer have access to?
Who's enforcing that must?
And finally, and please think about it for a moment:
If another means to verify identity MUST be provided, passkeys are not REPLACING anything - so why do we need them?
See 1:10-ish[0] for the demo - I found this at least somewhat surprising, though I submit this as a passkey advocate (for a while, my side business only supported passkeys, but we backed away from that).
[0]: https://developer.apple.com/videos/play/wwdc2024/10125/?time...
If I were to switch to Linux, I guess it just means that I'd have to go through the forgotten pass(key) flow on every site on first login?
I'll stick to Yubikeys and TOTP 2FA for as long as I can instead of jumping into passkeys.
This doesn't have to be true, there are third-party password managers with Passkeys support (e.g. BitWarden), but they are not going to be able to access Passwords. It's specifically locked to only browser applications, Apple will not provide entitlement to access the keychain for any other app.
You can't just install 1Password later and click "Import Passkeys".
Generally I thought with passkeys, the logic is that you provision one passkey per app you want to have access to a service?
I.e., I can provision a separate passkey for GitHub, for instance, both in 1Password and in Keychain if I like, and sign in to the service with either one?
Or am I missing something?
However, Apple does not provide entitlements to read iCloud Keychain even on macOS: https://developer.apple.com/documentation/bundleresources/en...
I don't believe there are easy legitimate ways to work around it. Disabling SIP (System Integrity Protection) will render passkeys inaccessible, though I'm not sure about that.
> Generally I thought with passkeys, the logic is that you provision one passkey per app you want to have access to a service?
A passkey is basically a private key that is specific to a given site. Nothing more, nothing less. So you will have separate passkeys for Hacker News, Slashdot, Reddit, eBay, etc. They will be stored in iCloud Keychain and synchronized across devices.
Apple is not going to provide easy ways to bulk-export all this data if you want to migrate to Windows. Or maybe even to switch a browser.
If you use an alternative password manager like BitWarden, your ability to export passkeys will depend on its implementation.
The trouble is, Apple devices, which Apple can update remotely and for which no one external can see the source code, are trusted. There's this one huge single point of failure.
Can you use this without iCloud? Can you avoid any iCloud involvement?
1Password supports passkeys. So yes, you can.
So no, it seems you are locked into the platform.
I'm all for scrutinizing the rollout of passkeys to make sure it doesn't turn into a lock in situation, but editorializing a video title is particularly egregious because, as we see in this comment thread, people are even more likely than usual to read only the title.
I really hope that developers ask their users before installing a passkey on their behalf. The assumption that whatever happens to log in now should be trusted for future logins seems dangerous, and I’d hate for passkeys to get a reputation for something people use to hijack their exes accounts or whatnot.
I can't believe they'd be that shortsighted when designing the APIs for this.
Think about all the regular (read: non-Hacker News) users out there who fall for a phishing email/SMS, or who re-use passwords and get popped by a credential stuffing attack. Passkeys provide not only massively-improved security (they can’t be keylogged; they are linked to a specific domain so can’t be spoofed by look-alike fake login pages; they’re protected from replay attacks even if the transport mechanism is compromised), but a much nicer login flow as a bonus.
Many people also don’t understand how easy it is to login from a different device: say an Android user created a passkey for a site with Chrome. Now that user needs to sign in to the same site on a Mac running Safari (where there is no passkey for the user). They can still use their Android device to login from the Mac by selecting “use a passkey from another device”. Safari will show a QR code that they scan using the Android phone, and verify with their screen lock. A one-time passkey signature is transferred to the Mac, which the website uses to authenticate the user. The two devices verify that they are in proximity with each other using Bluetooth. This cross-device, cross-operating-system mechanism of passkey authentication is standardized under FIDO; no additional work is needed by the website to enable this login flow.
If you are “anti-Apple” or “anti-Google” and have strong aversions to them securely backing up things like passkeys (again, think of all the non-Hacker News readers where this is not the case), then go ahead and continue to use passwords. But we should be encouraging our parents, grandparents, siblings, friends, etc. to embrace passkeys to make all of their accounts more secure and phishing-resistant. The more passkey FUD they see, the longer people will have to deal with annoying (and still insecure) SMS codes, the longer passwords will be stolen/re-used, etc.
(We are only using this GitHub account for this one thing, and we don’t use it for commits etc.)
Instead of downvoting, please help me understand: how would one re-gain access to services used with passkeys in this scenario?
Note that T-Mobile won't ship a SIM card overseas.
Great reason not to use the Apple ecosystem.
Having a cellphone / laptop broken and/or stolen is enough hassle without all the authentication being tied to the device that you aren't likely to use for more than a couple of years anyway.
And yes, things like that actually happen to people who are not the CEO of Apple. Especially while traveling, when your other devices are far away.
It sounds like someone decided to reinvent 2FA hardware in the worst way, combining the inconvenience of needing a physical key with all the hassles of passwords and adding a million ways for the key to self-destruct.
Oh, the passkeys can be transferred through the cloud? Explain like I'm five how that's more secure than email/SMS OTP for authentication then (which are an awful thing too, but at least I can have my own email). So we have one more link in the security theater that I absolutely trust is more secure than having passwords.txt in Dropbox (how is it different, again?).
From a user's perspective, passkeys sound like a solution in search of a problem. The only thing I can see passkeys doing for me is locking me out of my accounts when I need them most.
Or facilitating other parties in that.