Do you people trust companies with passkeys?

I feel like big tech have started pushing for passkeys really hard lately. Microsoft has been asking me if I want to switch to passkeys pretty consistently. Google just automatically brings up the passkey registration fingerprint scan system dialogue every single time I’ve been signing in on Android. Without even asking if I want a passkey or not, it just does it without saying anything. I think the intention is pretty clear, an unknowing person sees the completely random fingerprint scan dialogue, doesn’t think much of it, scans their fingerprint, a passkey gets created automatically.

Well, I fell for their trick. I’ve been avoiding the passkey dialogue pretty consistently for a while now, but just now I was signing in while distracted and accidentally tapped my finger on the scanner by reflex on the prompt. I guess I have a passkey now. Yay.

I did some digging on my Google account settings and the internet, and I couldn't find a way to completely remove the passkey. It seems you can only disable the use of passkeys, but the passkey itself remains. There is also a setting called “Skip password when possible”, which is clearly what has been causing the non-stop passkey prompts. It’s on by default. It’s a shame I’m only aware of it now that it's too late.

Theoretically, the passkey standard itself should be private and secure. Throughout the process, the biometric information used for the cryptographic challenges never leaves the device, and the server only gets access to a signature that has been signed with the client’s private keys that it can use to authenticate but can’t derive the private keys back from because of complicated math I didn’t spend enough energy to understand. Google automatically syncs the passkeys with its private keys with E2EE in the Google Password Manager tied to the account, which is where I start to get uncomfortable because I can’t bring myself to trust Google with E2EE.

What do you people think?

OQB @MrKoyun@lemmy.world
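The challenge-response flow the post describes (private key stays on the device, server holds only the public key and checks a signature over a fresh challenge), as an added Go example that is not code from the original thread or from any vendor's passkey implementation. It assumes a deliberately simplified model: a P-256 key pair generated on the device, a server keyed by credential ID, and the site origin hashed into the signed message the way WebAuthn binds client data; the `Server`, `Authenticator`, `Register`, `NewChallenge`, `bind`, `Sign` and `Verify` names are made up for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Server (relying party) keeps only public keys by credential ID; Authenticator keeps the device's private key.
type Server map[string]*ecdsa.PublicKey
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Register creates the key pair on the device and hands the server the public half only.
func Register(s Server, id string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	s[id] = &priv.PublicKey
	return &Authenticator{priv: priv}, nil
}

// NewChallenge is the server's fresh random nonce; it must be remembered for exactly one login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// bind hashes origin and challenge together, so a signature is only valid for the site that
// asked for it (the property that makes passkeys phishing-resistant); assumed simplified binding.
func bind(origin string, challenge []byte) []byte {
	d := sha256.Sum256(append(append([]byte(origin), 0), challenge...))
	return d[:]
}

// Sign answers the challenge with the device's private key; the key itself is never transmitted.
func (a *Authenticator) Sign(challenge []byte, origin string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, bind(origin, challenge))
}

// Verify checks the answer with the stored public key against the challenge the server issued.
func (s Server) Verify(id string, challenge []byte, origin string, sig []byte) bool {
	pub, ok := s[id]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, bind(origin, challenge), sig)
}
```

A captured signature is useless for a later login because the next challenge differs, and a signature produced for one origin does not verify for another.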

  • bignose@programming.dev · 6 upvotes · edited · 13 hours ago

    Passkeys are a potentially good technology that is frequently implemented in an insecure and user-hostile way.

    Good: a standard way for authentication that can be implemented in common on client and server, such that the user doesn’t need to know a secret.

    Bad: Most OS and platform vendors breathlessly implemented this standard using their proprietary APIs and making it practically infeasible (read: impossible for typical end-users, therefore they won’t, therefore insecure) to attempt syncing your passkeys outside their walled garden.

    It is entirely feasible to implement passkeys in a way that users are in control and can freely move between devices and operating systems. But many implementations make that impossible, while still calling their implementation “passkey”.

    So, we need to reject any implementation which puts any barrier to the user freely migrating and syncing all their devices regardless of platform.

    • Jason2357@lemmy.ca · 5 upvotes · 13 hours ago

      I thought the whole point was that a passkey belonged to a device. You have multiple devices, you register multiple passkeys with your account. That way you can remove them if you lose a device. Doesn’t iOS go so far as to lock them in the TPM?

      • TaviRider@reddthat.com · 2 upvotes · 7 hours ago

        No, it’s the opposite. Apple argued strongly that passkeys are intended to be a replacement for passwords and so must be syncable. And that’s how it’s implemented on Apple OSes. It syncs to iCloud Keychain or your password manager, and so that same passkey is available on all your devices. It’s not even locked into Apple’s ecosystem because of cross-platform password managers.

        • bitfucker@programming.dev · 1 upvote · 6 hours ago

          For once I am with Apple on this one. The bad thing about passwords is their randomness. Humans are not very good at remembering very big entropy