Posted by ashergill 2 days ago
This is exactly where passkeys go too far. "to keep their accounts safe" is always the excuse used to reduce the freedoms of users. Web sites have no business deciding how things are handled on user devices but it's precisely what passkeys enable. The boundary of control of a website used to stop at the interface between the site and the user. Now that boundary will extend to the devices. The idea of property and ownership is attacked again. The device is not something the user owns and has full control over but something that is a gateway to access content controlled by the big Internet companies.
Knowing this, how long until Netflix, Disney, and other content providers (sorry, I don't know which ones are popular right now) demand use of a passkey originating from a device with a Trusted Platform (aka Untrusted User) Module? This is part of a long plan initiated years ago with Windows TPM requirements and Microsoft account requirements. The gap between closed and open platforms will widen, and the path is clearly to apply the smartphone model, where everything is closed, controlled, and DRM'd, to other computers. We're lucky the IBM PC architecture was an open one, but the war on that is on.
But no they have to live in their secured enclave or on a dongle so that you can't copy them between devices because nothing ever happened to a device.
As if, when the rest of the user's system is compromised, the user can't be tricked into providing access to their account.
And no one ever "recovered" someone else's account.
The main benefit of passkeys is that they are keys you don't have to send over the wire. The main risk of having them on disk, encrypted purely in software, is that a compromised system can lead to the keys getting stolen.
Their trusted platform bullshit doesn't really escape that threat though: instead of stealing your keys, the attacking malware can just get access to your service and maybe even enroll its own key.
If you tried to log in to a website and you got two requests to allow the use of your key, one after the other, would you really have the wherewithal to say, "no, wait a second, I just gave permission for that key to be used; the second request is obviously from malware on this computer that's trying to gain access to my account"?
That's ignoring that the malware can just read everything you are reading.
The whole TPM obsession is security theater on top of a power play.
I'm actually fine with this. It's like how SSH private keys are supposed to be handled: generated on the device, and never supposed to leave it.
The proper way of doing Passkeys is to have several Passkeys enrolled in your account, so that you always have a trusted device to access your services. Now, if the service doesn't allow multiple Passkeys per account that IS a problem.
And then suddenly you're debanked.
So say goodbye to using Teams on Linux, or to using Microsoft 365 on any hardware that is not Microsoft-approved.
Or logging in to your bank without an iPhone or an Android. We will surely complain, but the bank will say that they only support secure devices, and that means iPhones and Android, and how come you are making a big deal about it, just buy one of these two, everyone else has one.
This is already possible (and common!): many banking apps, for better or worse, use device attestation features that require varyingly official copies of Android. Were you already complaining about this?
Yes, "we" were, definitely. I already can't freely choose the OS that I have installed on my phone because I'm limited in the apps that I can install. For example, many government ID and banking apps will refuse to work on GrapheneOS even though that OS is security-focused and will probably keep you safer than your regular Chinese Android flavor. But it's not sanctioned by a big international corporation, so it's a no. Is your argument that we shouldn't complain since it is already happening somewhere?
What's an "official" copy of Android? AOSP is supposed to be open source. "Official" means controlled by a multinational corporation. I'm very puzzled that the reaction to these entities gaining even more power, outside of democratic control, is met with an "oh, it may be worse, it may not" type of reaction.
Would you be OK if, for example, your government's website to pay your taxes mandated a device with attestation, knowing you can only get one from Google, Apple or Microsoft?
It's clearly just for getting that ISO certification.
It's a power play by the platform vendors.
The vendors are literally saying:
We now have this "security" feature and banks have to use it to be compliant and it only works on our platforms, so I guess you have to use our platform unless you want to be unbanked.
Just to be clear, no one is saying
> banks have to use it to be compliant
nor are they saying
> it only works on our platforms
As far as I know, if systems were to use attestation it would be in a lot of senses more open than what attestation is available today (in the sense that more devices could use it). But also I don't think anyone who works on passkeys is saying banks need to support FIDO attestation to be "compliant".
On the contrary, their operators can decide whatever they like, but I won't be visiting them if they go the passkeys route. I can live w/o Netflix or Disney just fine.
Your PII will leak off their platform anyway.
There is no reason a passkey can't be portable; even the so-called "device bound" credentials these vendors claim prevent export are actually implemented as credentials synchronised throughout their own ecosystems, i.e. multi-device.
NOTHING in the FIDO2/WebAuthn spec forbids user controlled portability.
It's just big tech trying to make it harder to leave their ecosystems, and when passkeys become widely adopted you won't be able to log into those sites/apps without some form of recovery on a case-by-case basis should you decide to switch from Apple to Android, Windows to Mac, etc.
>Device loss scenarios
>Users are largely unsure about the implications for their passkeys if they lose or break their device, as it seems their device holds the entire capability to authenticate. To trust passkeys as a replacement for the password, users need to be prepared and know what to do in the event of losing one – or all – of their devices.
>Backing up and synchronising passkeys with a Credential Manager makes it easier to recover access to them compared to other existing second factor options. However, this relies on the user having prepared their Credential Manager account for recovery. Users need help in understanding and implementing the right steps so they can feel ready to go passwordless and use passkeys without extra worry and hassle.
And on the other hand, I can only load them into another KeePass instance; I can't switch credential managers.
If you are worried your system is running malware that will steal your plaintext keys, well, bad news: they can steal the encrypted keys and keylog your password.
No, I'm not worried about this since I do not and will not copy my keys.
I'm worried about my friends or family using the most secure options possible (passkeys) and still getting phished because they paste their plaintext secrets into a scam site.
The point of encryption at rest is to protect your data if your device is accessed by a third party. Not from user action.
The point is that data shouldn't really be copyable, but a backup should at least be encrypted.
Ideally you don't have or need a key transfer mechanism, because sites have the ability to register multiple keys and you add or remove devices by adding or removing new keys, and you recover a backup to the same passkey-manager.
"Please upload the backup of your password manager and enter the root password" is not a thing you should ever do, and reasonable users, even technically incompetent ones understand that. The only people who want that behavior to be possible are weird power users whose desire makes it easier for anyone who uses such a password-manager to be phished.
Like, I've had this conversation before on this site, and my personal rule of "I should never copy a private key, and I should certainly never copy a private key between devices or onto a cloud" remains something I'm confident in. If I need a private key used across devices, I can trust it to a key-management scheme like the ones built into Signal or the various passkey managers I use. I don't want to manually copy my signal cypher-data between devices either!
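To make the mechanics behind these comments concrete, here is an added example (written for this page, not code from any commenter or from any passkey product named in the thread) of the relying-party side: an account that holds several registered public keys, a login check that verifies a signature over the authenticator data plus the client-data hash (so the private key never crosses the wire), and the rpIdHash/origin binding that keeps an assertion obtained on a lookalike site from working on the real one. Enrolling or revoking a device is just adding or removing an entry in the account's credential list. The authenticator and client data are simulated in-process with Go's standard library; the credential IDs, challenges and the example.com / examp1e.com origins are constructed, and the signature counter, user-verification policy and attestation are deliberately left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

const flagUP = 0x01 // authenticator data flags bit 0: user present

var (
	ErrUnknownCredential = errors.New("credential ID not registered on this account")
	ErrAuthData          = errors.New("authenticator data too short, rpIdHash mismatch, or user-present flag clear")
	ErrClientData        = errors.New("clientData type, origin or challenge mismatch")
	ErrBadSignature      = errors.New("signature does not verify")
)

// Credential is what the server stores per enrolled passkey; the private key never reaches it.
type Credential struct {
	ID  []byte
	Pub *ecdsa.PublicKey
}

// Account holds one Credential per enrolled device: enrolling or revoking a device is adding or removing an entry.
type Account struct{ Credentials []Credential }

type clientData struct { // the part of CollectedClientData the server checks
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// ClientDataJSON mimics what the browser hands to the authenticator (constructed, simplified).
func ClientDataJSON(typ, challenge, origin string) []byte {
	b, _ := json.Marshal(clientData{Type: typ, Challenge: challenge, Origin: origin})
	return b
}

// signedMessage is what gets signed: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) [32]byte {
	cdHash := sha256.Sum256(clientDataJSON)
	return sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
}

// Authenticator simulates one device: the key pair is generated here and only signatures leave it.
type Authenticator struct {
	CredID []byte
	priv   *ecdsa.PrivateKey
}

func NewAuthenticator(credID string) *Authenticator {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{CredID: []byte(credID), priv: priv}
}

// Register returns the public half for the server to store.
func (a *Authenticator) Register() Credential { return Credential{ID: a.CredID, Pub: &a.priv.PublicKey} }

// Assert signs over authenticator data (rpIdHash | flags | signCount) built for the RP ID
// the browser is really on; that binding makes an assertion from a lookalike site useless.
func (a *Authenticator) Assert(rpID string, clientDataJSON []byte) (authData, sig []byte) {
	h := sha256.Sum256([]byte(rpID))
	authData = append(append(authData, h[:]...), flagUP|0x04, 0, 0, 0, 0) // UP|UV, signCount 0
	msg := signedMessage(authData, clientDataJSON)
	sig, _ = ecdsa.SignASN1(rand.Reader, a.priv, msg[:])
	return authData, sig
}

// VerifyAssertion is the relying-party check on a navigator.credentials.get() response.
func VerifyAssertion(acct *Account, rpID, origin, challenge string, credID, authData, clientDataJSON, sig []byte) error {
	var cred *Credential
	for i := range acct.Credentials {
		if bytes.Equal(acct.Credentials[i].ID, credID) {
			cred = &acct.Credentials[i]
		}
	}
	if cred == nil {
		return ErrUnknownCredential
	}
	want := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], want[:]) || authData[32]&flagUP == 0 {
		return ErrAuthData
	}
	var cd clientData
	if json.Unmarshal(clientDataJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Origin != origin || cd.Challenge != challenge {
		return ErrClientData
	}
	if msg := signedMessage(authData, clientDataJSON); !ecdsa.VerifyASN1(cred.Pub, msg[:], sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	phone, laptop := NewAuthenticator("cred-phone"), NewAuthenticator("cred-laptop")
	acct := &Account{Credentials: []Credential{phone.Register(), laptop.Register()}}
	cd := ClientDataJSON("webauthn.get", "chal-1", "https://example.com")
	ad, sig := laptop.Assert("example.com", cd)
	fmt.Println("laptop login:", VerifyAssertion(acct, "example.com", "https://example.com", "chal-1", laptop.CredID, ad, cd, sig))
}
```

The point to notice is where the phishing resistance actually comes from: the browser, not the user, supplies the RP ID that goes into the signed authenticator data, so an assertion collected on examp1e.com carries the wrong rpIdHash and fails on example.com even though the user did nothing wrong. The second request from local malware that the earlier comment describes is a different threat; this check does nothing against code already running on the device.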
Yes, you. Others do. Whenever I switch laptops the first thing to do is copy over all SSH keys. I am not going to roll a new key and add it to 100 servers.
A couple of years back I switched password managers. I didn't go over 1000 sites and change all my passwords; my password manager exported a plaintext file and I imported it into the other after a small transformation step.
> "Please upload the backup of your password manager and enter the root password" is not a thing you should ever do, and reasonable users, even technically incompetent ones understand that.
No they don't and if they did they would also understand not to upload their plaintext credentials.
Security for the lowest denominator cannot be used as an excuse for locked down computing for everyone or at least it shouldn't. At some point we have to put on our big boy/girl pants and know the implications of what we are doing.
And, modulo the "plaintext" part, I think this is a reasonable use case. It's equivalent to the "backup" case: transferring an encrypted blob between devices and decrypting it locally is reasonable.
> No they don't and if they did they would also understand not to upload their plaintext credentials.
Except that you have already stated that you have done exactly this, and you claim to know what you're doing!
Most accounts seem to. Personally, I think I've only found one or two out of around 25 that I've added passkeys to that would not let me add more.
Of devices currently sold, the only secure biometrics I'm aware of are on iPad mini/Air; Google Pixel; Honor Magic; and possibly Samsung Galaxy S21 and newer.
On second reading, I'm thinking this might mean, "since Apple only implements Face ID, biometrics on Apple devices is less secure", which makes more sense (to me).
https://duckduckgo.com/?origin=funnel_home_google&t=h_&q=fac...
Fingerprints are much more non-deterministic and therefore more secure.
Nice read https://techrights.org/n/2025/05/02/Passkeys_Are_Vendor_Lock...
I read about the passkey committee being against open-source passkey managers at the start of this year (can't reference it, sorry), but with open-source password/key managers already supporting passkeys, I don't think it turned out to be true.
Here's an Okta employee threatening to use the attestation (anti)feature of passkeys to block open-source implementations, because they allow you to export your passkeys: https://github.com/keepassxreboot/keepassxc/issues/10407#iss...
> The unfortunate piece is that your product choices can have both positive and negative impacts on the ecosystem as a whole. I've already heard rumblings that KeepassXC is likely to be featured in a few industry presentations that highlight security challenges with passkey providers, the need for functional and security certification, and the lack of identifying passkey provider attestation (which would allow RPs to block you, and something that I have previously rallied against but rethinking as of late because of these situations).
Tim's talking the reality of KeePassXC and the reality is that this specification is being built in a way where the user is fundamentally out of control. Where the industry at large has total control over your material, gets to say how you can store your keys, and will refuse you credential managers that they don't like.
The proposed Credential Exchange Protocol draft also does not allow you to backup your key. A credential manager will only Export the key to another credential manager service, across public endpoints on the internet. Never transiting the user's control. So you have to trust your credential manager that they actually will let you export your credentials, to someone you can trust, at a future point in time. There's an issue open for this, but no real hope this ever gets better. https://github.com/fido-alliance/credential-exchange-feedbac...
Passkeys seem designed to never be trustable by users. There's always some online service somewhere holding your materials that governments will be able to legally strongarm the service into getting access to. You won't be able to Export when you need it. The security people seem intent on making sure computers are totally controlled by corporations and governments, in the worst ways. The top post is right. https://news.ycombinator.com/item?id=45737608
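Two technical claims run through this part of the thread: that "device bound" and synchronised passkeys are distinguishable, and that provider-identifying attestation would let a relying party tell one credential manager from another. Both facts are visible in the registration-time authenticator data. The following is an added example (written for this page, not code from the thread, from KeePassXC or from the FIDO Alliance) of how a relying party reads that structure with Go's standard library: the flags byte carries the BE (backup eligible) and BS (backup state) bits that separate a synced passkey from a device-bound one, and the attested credential data carries the AAGUID that identifies the authenticator or passkey provider. The sample bytes are constructed: the AAGUID, credential ID and COSE key bytes are placeholders, and the attestation statement, CBOR key decoding and extension data are out of scope.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Bits of the WebAuthn authenticator data "flags" byte.
const (
	FlagUP = 1 << 0 // user present
	FlagUV = 1 << 2 // user verified
	FlagBE = 1 << 3 // backup eligible: the credential may be synced to other devices
	FlagBS = 1 << 4 // backup state: the credential is currently backed up / synced
	FlagAT = 1 << 6 // attested credential data (AAGUID, credential ID, key) present
	FlagED = 1 << 7 // extension data present
)

var (
	ErrTooShort     = errors.New("authenticator data truncated")
	ErrRPIDMismatch = errors.New("rpIdHash does not match the expected RP ID")
	ErrNoAttested   = errors.New("AT flag clear: no attested credential data")
)

// RegistrationInfo is what a relying party learns from registration-time
// authenticator data before looking at any attestation statement.
type RegistrationInfo struct {
	Flags        byte
	SignCount    uint32
	AAGUID       [16]byte // identifies the authenticator model / passkey provider
	CredentialID []byte
	COSEKey      []byte // CBOR-encoded public key, left undecoded here
}

func (r RegistrationInfo) AAGUIDHex() string { return hex.EncodeToString(r.AAGUID[:]) }

// Kind classifies the credential from the BE/BS bits, which is how a server
// tells a synced (multi-device) passkey from a device-bound one.
func (r RegistrationInfo) Kind() string {
	switch {
	case r.Flags&FlagBE == 0:
		return "device-bound (not backup eligible)"
	case r.Flags&FlagBS == 0:
		return "backup eligible, not currently backed up"
	default:
		return "synced passkey (backup eligible and backed up)"
	}
}

// ParseRegistrationAuthData decodes rpIdHash(32) | flags(1) | signCount(4) |
// AAGUID(16) | credIdLen(2) | credId | COSE key. Extension data is rejected,
// because finding the end of the COSE key would need a CBOR decoder.
func ParseRegistrationAuthData(b []byte, rpID string) (*RegistrationInfo, error) {
	if len(b) < 37 {
		return nil, ErrTooShort
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(b[:32], want[:]) {
		return nil, ErrRPIDMismatch
	}
	info := &RegistrationInfo{Flags: b[32], SignCount: binary.BigEndian.Uint32(b[33:37])}
	if info.Flags&FlagAT == 0 {
		return nil, ErrNoAttested
	}
	if info.Flags&FlagED != 0 {
		return nil, errors.New("extension data present; CBOR decoding required")
	}
	rest := b[37:]
	if len(rest) < 18 {
		return nil, ErrTooShort
	}
	copy(info.AAGUID[:], rest[:16])
	idLen := int(binary.BigEndian.Uint16(rest[16:18]))
	if len(rest) < 18+idLen {
		return nil, ErrTooShort
	}
	info.CredentialID = rest[18 : 18+idLen]
	info.COSEKey = rest[18+idLen:]
	return info, nil
}

// SampleAuthData builds constructed registration data for example.com with the
// given flags. The AAGUID, credential ID and key bytes are placeholders.
func SampleAuthData(flags byte) []byte {
	h := sha256.Sum256([]byte("example.com"))
	b := append([]byte{}, h[:]...)
	b = append(b, flags, 0, 0, 0, 0) // flags, signCount = 0
	aaguid, _ := hex.DecodeString("0102030405060708090a0b0c0d0e0f10") // placeholder provider ID
	b = append(b, aaguid...)
	b = append(b, 0, 4, 0xde, 0xad, 0xbe, 0xef)  // credIdLen = 4, then the credential ID
	return append(b, 0xa5, 0x01, 0x02, 0x03, 0x26) // opening bytes of a COSE EC2 key map (stand-in)
}

func main() {
	for _, f := range []byte{FlagUP | FlagUV | FlagAT, FlagUP | FlagUV | FlagBE | FlagBS | FlagAT} {
		info, err := ParseRegistrationAuthData(SampleAuthData(f), "example.com")
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("aaguid=%s credId=%x kind=%q\n", info.AAGUIDHex(), info.CredentialID, info.Kind())
	}
}
```

What a relying party does with the AAGUID is policy, not protocol: the same field that lets a server log which provider created a credential is what would let it refuse a provider, and the thread's disagreement is about that policy, not about whether the bytes are there. For a defender the useful reading is the BE/BS pair, which tells you whether a credential can survive loss of the device it was created on.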
We're completely on the same side, to be clear. I just have zero fear of KeePassXC (which I sometimes use with Okta!) being blocked by anything consumer-facing.
Edit: forgot to add Apple account
because they allow you to export your passkeys in plaintext, for easy stealing.
"Information wants to be free" should not apply to passwords!
For example, Apple's Passwords app on macOS/iOS/iPadOS 26 now supports export and import of passkeys to/from other apps that support that standard. I don't know if any other apps have yet actually released such support.
Passkeys support transfer to any vendor you want.
[1] https://old.reddit.com/r/Bitwarden/comments/1efs5d2/how_can_...
[2] https://old.reddit.com/r/Bitwarden/comments/1di8nbz/import_p...
Doesn't that defeat one of the central aims of passkeys? In what ways is your setup different from random passwords in Bitwarden; what's the additional security?
Other than that they shouldn't have a big advantage for a more professional user with unique, long, and random passwords. For the common user it should be a great upgrade, giving all these advantages with better UX.
Basically, any site that does 2FA should take passkeys.
> Backing up and synchronising passkeys with a Credential Manager makes it easier to recover access to them compared to other existing second factor options. However, this relies on the user having prepared their Credential Manager account for recovery. Users need help in understanding and implementing the right steps so they can feel ready to go passwordless and use passkeys without extra worry and hassle.
The benefit to the user of a passkey is that they don't have to remember passwords ("what you have" and not "what you know"). But if you lose what you have, you're screwed. There's no straightforward way to mitigate this.
Proposed solutions I've seen just add an extra layer of "what you know," but this just changes the security back to "what you know" if it supersedes the passkey.
For example, my family has had to call me for help on the interaction between passkeys on Apple & Amazon multiple times. They have a shared Amazon account, which neither Amazon nor Apple seem to like. The first problem came when they didn't even know they'd been moved to passkeys: there was a popup that one of them didn't understand, they clicked OK to get it to go away, and suddenly the other partner couldn't log in, and neither of them could figure out how to log into Prime Video on their Apple TV. Another time one of them got "nudged" to add a fingerprint to the account, again freezing out the other person.
Until that nonsense stops happening, Passkeys aren't ready.
Passcodes just freak him out.
* Click login button
* Window pops up asking you which passkey you want to use, you click the one you want
* You're in
Anything on top of that is just added friction, and I haven't seen many sites get it right.
Google does not care about FIDO or standards compliance. They care about vendor lock-in their proprietary passkey offerings allow.