There was a lot of news the other day about passkeys and portability - fidoalliance.org/fido-alliance… - that says in part:
"Until now, there has been no standard for the secure movement of credentials, and often the movement of passwords or other credentials has been done in the clear."
This is true, but... there is also still no standard for any of that. The specs are mostly empty placeholders.
fidoalliance.org/specs/cx/cxp-…
fidoalliance.org/specs/cx/cxf-…
Solid Mitch Hedberg energy here.
FIDO Alliance Publishes New Specifications to Promote User Choice and Enhanced UX for Passkeys - FIDO Alliance
The FIDO Alliance has published a working draft of a new set of specifications for secure credential exchange that, when standardized and implemented by
Lori Glavin (FIDO Alliance)
mhoye
in reply to mhoye
This is the most important thing you need to know about passkeys: that "Authorizing Party" box in the spec?
That's not you. They're not actually "your" passkeys.
enthraxxx
in reply to mhoye
Those passkeys have felt off from the start.
I'll keep my unique complex passwords that I alone control for the time being.
Karl Voit
in reply to mhoye
That's a weird point of view when you think about where you are going to log in. 🤷
Almost never a good idea but I'll try a comparison with the physical world: on the key for my house it reads WINK HAUS but it's still my house and my key.
mhoye
in reply to Karl Voit
If you need to move your house key from one keychain to another, or make a copy for yourself, you don’t need your lock’s manufacturer’s consent to do that, or their participation mediating that exercise, and they can’t arbitrarily refuse to allow it.
But all of that is exactly how passkeys work.
D. Schmudde
in reply to mhoye
@publicvoit but it’s also not your house/computer. It’s someone else’s house/computer. You just happen to leave your stuff (data) inside there.
So they already control your access, regardless of who controls the keys.
What is being said about passkeys is still true. Just unsure of the significance within this reality.
rj
in reply to mhoye
the last I saw github.com/keepassxreboot/keep… was that tests and certification were "being worked out" and I'm still left feeling like this entire endeavor is an attempt to DRM passwords?
being locked out of accounts because my password manager is "no longer blessed" sure feels like a bad idea.
[Passkeys] When UV is required, KeePassXC must request user verification or not handle the request · Issue #10406 · keepassxreboot/keepassxc
GitHub
mhoye
in reply to Softwarewolf
@faoluin Yeah. I realize I'm being glib, but passkeys are basically the answer to the question, what if SSH keys had landlords?
And nobody asks that question, or wants an answer to it, but landlords.