What is so inconvenient about passkeys? I am genuinely curious. I use passkeys every day, they work without friction. Have you actually tried it?
I have no doubt that the process of using them can be very simple depending on what devices one uses and how he uses them. Right now, a password is something I can, if I choose, generate and store in my head, as simple text, or speak aloud. A passkey is not. Now, I've never used these so I'm no expert on the technology, but it would appear that there are specific and varying processes for generating, storing, sharing, and updating/resetting them. Even just in the case of this MR article, the standards body itself is still working out how to even make them cross-platform. Then there's a whole bit in Apple's support article about having to generate a QR code to scan for signing in on another device. Some of this may be self-inflicted as I don't use iCloud keychain or a device passcode on iOS, and run iOS 15 on my phone, so I assume that would complicate things as well. Nonetheless, even the process of trying to understand and learn about all of the nuances and edge cases is more complicated than just creating and "writing down" a password. I'm sure the process will improve over time, but for now, everything I've seen about it is more of a headache than anything I currently deal with for little-to-no benefit, at least in my case.
 
I never started using these because I don't understand them and have some non-Apple devices. I also don't understand whether they're in my iCloud Keychain or device-specific and I'll need to use the device I set it up with to log in through. It's overall a poorly communicated feature and I don't care enough to do my research because my iCloud is already secured with all the 2FA in existence and the passwords are there.
 
I have no doubt that the process of using them can be very simple depending on what devices one uses and how he uses them. Right now, a password is something I can, if I choose, generate and store in my head, as simple text, or speak aloud.

Sure, it would be even more convenient to not have any passwords at all. Or just set all passwords to “12345”.

Anything you can store in your head is likely to be highly insecure and recoverable by modern hacking tools in a matter of minutes.

Security has a cost. But the reality is - compromised passwords already cost us as a society probably billions of dollars. Passkeys are fundamentally an order of magnitude more secure than ANY password, simply because they don’t require secret material to be transmitted over the wire and stored on the servers.

As a technology, it’s time for passwords to go. It’s not just about you personally or your convenience, but the overall cost to the society as a whole.
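
Added example, not part of the thread or any participant's post: a simplified Node.js model of the claim above that a passkey login neither sends a shared secret over the wire nor stores one on the server. `createPasskey`, `Server` and the user name are hypothetical, and the exchange is reduced to a signed random challenge rather than the full WebAuthn message format.

```javascript
// Simplified passkey-style login: the server holds only a public key.
const crypto = require('node:crypto');

// Authenticator side: the private key never leaves this closure.
function createPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    sign: (challenge) => crypto.sign(null, challenge, privateKey),
  };
}

// Server side: stores public keys and outstanding challenges, no secrets.
class Server {
  constructor() {
    this.users = new Map();   // username -> public key (PEM)
    this.pending = new Map(); // username -> challenge awaiting a response
  }
  register(username, publicKeyPem) {
    this.users.set(username, publicKeyPem);
  }
  startLogin(username) {
    const challenge = crypto.randomBytes(32); // fresh for every attempt
    this.pending.set(username, challenge);
    return challenge;
  }
  finishLogin(username, signature) {
    const challenge = this.pending.get(username);
    const pem = this.users.get(username);
    this.pending.delete(username); // single use, so old responses cannot be replayed
    if (!challenge || !pem) return false;
    return crypto.verify(null, challenge, crypto.createPublicKey(pem), signature);
  }
}

function demo() {
  const server = new Server();
  const passkey = createPasskey();
  server.register('alice', passkey.publicKeyPem); // constructed sample user

  const sig = passkey.sign(server.startLogin('alice'));
  const ok = server.finishLogin('alice', sig);

  server.startLogin('alice');                      // server issues a new challenge
  const replay = server.finishLogin('alice', sig); // captured old signature is resent

  const other = createPasskey();                   // party without alice's private key
  const forged = server.finishLogin('alice', other.sign(server.startLogin('alice')));
  return { ok, replay, forged };
}
```

Everything the server stores or receives here (the public key, the challenge, the signature) is useless for a later login without the private key held by the authenticator.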
 
Sure, it would be even more convenient to not have any passwords at all. Or just set all passwords to “12345”.
And sometimes I do set passwords to the easiest thing I can for accounts that don't matter or out of spite for overly-restrictive password policies. As it is my prerogative to do so.
As a technology, it’s time for passwords to go. It’s not just about you personally or your convenience, but the overall cost to the society as a whole.
There's nothing wrong with letting people make their own decisions and having a bit of personal accountability for the management of, and access to, their accounts and services. If someone wants to use passkeys or something else arguably more secure than passwords, fine; he can do so. For now, this system isn't necessarily better overall, just different. So I want to be able to continue using what I consider to be the better of the two. I don't care to have (what amounts to) someone else exerting even more control over everything I do just because it may protect idiots from themselves.
 
Well, the ‘something you have’ factor where MFA and Passkeys are concerned is particularly important given that the additional factor, such as a PIN used to unlock the device, is not necessarily as secure as a full-blown password. As such, the original conception behind Passkeys was to make them tightly bound to some given physical device (i.e., the ‘something you have’ factor) by typically relying on a secure hardware element in the device itself to store Passkeys. Given this, providing a method to easily port the Passkey between devices was not given a high priority.

Imagine a scenario where someone breaks into your password manager or iCloud account and they are easily able to move or replicate a Passkey from a device you possess to one of their own devices. They are now able to log into an account secured by that passkey. However, if the Passkey was set up as a device-bound Passkey it would be impossible for them to remotely move or copy it to any of their own devices. For this reason I personally prefer to only set up device-bound Passkeys and avoid schemes that make a Passkey portable.

Understandable, but what about me? What if the device dies? Or I lose it? Or I have multiple devices to log in from (laptop + smartphone)? What if I decide to upgrade and buy a new device? Not to mention I will always need that "physical factor" in hand.

This is why I like passwords. If you know it, you can log in from anywhere, no issues. Good passwords have proven reliable enough. I have been online for 20+ years and hardly lost an account due to "hacking".

I think passkeys can be beneficial to high-security uses like logging in to bank accounts or some government computer system, but too much trouble for Netflix, Gmail, and macrumors.com.
 
Sure, it would be even more convenient to not have any passwords at all. Or just set all passwords to “12345”.

Anything you can store in your head is likely to be highly insecure and recoverable by modern hacking tools in a matter of minutes.

Security has a cost. But the reality is - compromised passwords already cost us as a society probably billions of dollars. Passkeys are fundamentally an order of magnitude more secure than ANY password, simply because they don’t require secret material to be transmitted over the wire and stored on the servers.

As a technology, it’s time for passwords to go. It’s not just about you personally or your convenience, but the overall cost to the society as a whole.

Let's say my passkeys are stored on my MacBook and my MacBook dropped in the sea when I was on a boat trip. Now how can I log back in to my online accounts? Bitcoin wallet?
 
Let's say my passkeys are stored on my MacBook and my MacBook dropped in the sea when I was on a boat trip. Now how can I log back in to my online accounts? Bitcoin wallet?
You need to have a recovery strategy, just like you would with passwords. My passkeys are stored in iCloud keychain, which is synced to multiple devices - Macs, iPhones.

Even if all my devices are gone at once, I can regain access to my Apple ID and iCloud keychain via the 28-character recovery key I have printed out and stored in a secure location.
 
I understand, but I'd still argue for trying to help educate and train people to be less stupid than (inevitably) robbing the rest of us of even more control and choice. I don't subscribe to the cult of unnecessary "security," so I'd much rather just use regular passwords and a manager. Sure, I can do that just fine...for now. But for how long? I'm convinced this will eventually become just like the infuriating 2-step login garbage that is now forced upon me by certain companies.
It's actually quite the opposite. It still has a way to go to become fully ready for mainstream though, from both the user's side and the developer's side.

It's a lot more secure than passwords. It's an open standard, and with this new update, you won't be tied to one vendor (Apple Password, 1Password, Dashlane, etc.). You will be able to move between any of them.

Passkey has 2-step login built in, so when you go to a website to log in with a Passkey, all you need to do is click the login button. No email to enter, no password to enter, and no 2-step authentication.

Not only will it be more secure, it will be easier to use.

Now having said all of that, of course there will be security issues, but we have security concerns with the current login/password method as well.
 