Security Privacy

New Passkey Specifications Will Let Users Import and Export Them (9to5mac.com) 13

9to5Mac's Filipe Esposito reports: Passkeys were introduced two years ago, and they replace traditional passwords with more secure authentication using a security key or biometrics. To make the technology even better, the FIDO Alliance published on Monday new specifications for passkeys, which ensure a way to let users import and export them. Currently, there's no secure way to move passkeys between different password managers. For example, if you've stored a specific passkey in Apple's Passwords app, you can't simply move it to 1Password, or vice versa. But that will change soon.

As just announced by the FIDO Alliance, the new specifications aim to promote user choice by offering a way to import and export passkeys. The draft of the new specifications establishes the Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) formats for transferring not only passkeys, but other types of credentials will also be supported. The new formats are encrypted, which ensures that credentials remain secure during the process. For comparison, most password managers currently rely on CSV files to import and export credentials, which is much less secure.

  • Good and bad (Score:5, Insightful)

    by NotEmmanuelGoldstein ( 6423622 ) on Monday October 14, 2024 @09:51PM (#64864911)

    ... import and export them.

    The inability to copy passkeys was originally touted as a benefit. Unfortunately that means, there always needs to be less secure means of authentication because hardware-based authentication must be replaced, sooner or later. This fixes that problem, returning us to all the old problems with authentication technology.

    ... formats for transferring not only passkeys, but other types of credentials ...

    We've had TOTP for 12 years, why did it take so long to make a necessary and much-needed inter-change standard?

    • Re:Good and bad (Score:4, Informative)

      by ctilsie242 ( 4841247 ) on Monday October 14, 2024 @10:20PM (#64864939)

      TOTP, as in Google Authenticator, does have the ability to do backups, as it is just a shared secret. Most PW managers allow easy export and backups of that.

      PassKeys, on the other hand, are public/private keys. Unlike TOTP, where the hashing is symmetric, the security with PassKeys is public key. It also is highly resistant against phishing attempts [apple.com]. Normally they are bound to devices and can't get backed up. However, some apps like 1Password can back those up and allow them to work on different hardware.

      Overall, being able to back up PassKeys is a good one. Less need of dealing with recovery stuff.

    • "Non-exportable passkeys" are pretty simple: Use a YubiKey. The 5C NFC works on pretty much everything, and in most cases, is indistinguishable from a software passkey.
    • by Anonymous Coward

      The inability to copy passkeys was originally touted as a benefit.

      A touted promise that is, at this level, difficult to guarantee.

      Passkeys slot in at the same level as session cookies, but being public/private key based instead of shared secret, that gave the optional benefit of secure private key management.

      Options are good. It's the promise that option is always available that is bad.
      PC 1 has a proper TPM chip that can store such keys, but PC 2 a year older with the same model number has an older TPM (or none) so falls back on some software solution that stores data on

    • by AmiMoJo ( 196126 )

      Being able to copy Passkeys was touted as a feature from day one. They would sync across devices, i.e. be copied.

      The advantages were never anything to do with not being copyable. They were things like not working with phishing sites (because they are tied to a specific domain), and being much more difficult to crack than the average user's password.
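The contrast drawn in the two replies above (a TOTP secret is symmetric, so any copy of the export is as good as the original; a passkey is a key pair whose private half never leaves the authenticator and whose credential is scoped to one relying-party ID, which is what defeats phishing) in working Go, as an added example that is not part of any comment on this page and not taken from the FIDO specifications. It assumes a simplified assertion message (SHA-256 of the RP ID plus a flags byte, followed by the SHA-256 of the challenge) standing in for WebAuthn's authenticatorData and clientDataJSON; the rpID strings, the challenge and the TOTP secret are constructed inputs (the secret is the RFC 6238 test-vector key, so the first code can be checked against the RFC).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// TOTP computes an RFC 6238 code from a shared secret. Verifier and
// authenticator hold the same bytes, so an exported copy of the secret
// produces exactly the same codes as the original.
func TOTP(secret []byte, unixTime int64, step int64, digits int) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Authenticator holds passkeys keyed by relying-party ID, as a passkey
// provider does. Only the public key is ever handed out.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a P-256 key pair for rpID and returns the public key,
// which is all the relying party stores.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// signedMessage is the simplified stand-in (an assumption of this example)
// for what WebAuthn actually signs: the RP ID hash is part of the
// authenticator data, and the challenge is hashed in via the client data,
// so a signature is meaningful for exactly one RP and one challenge.
func signedMessage(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // flags byte: user present
	clientHash := sha256.Sum256(challenge)
	digest := sha256.Sum256(append(authData, clientHash[:]...))
	return digest[:]
}

// Assert signs a challenge for rpID. In a browser, rpID is derived from the
// origin actually being visited, so a lookalike domain finds no credential
// and nothing is signed for it.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("no passkey scoped to " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, challenge))
}

// Verify is the relying party's side: it rebuilds the message with its own
// rpID and the challenge it issued, then checks against the stored public key.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge []byte, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedMessage(rpID, challenge), sig)
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret (constructed input)
	exported := append([]byte(nil), secret...)
	fmt.Println("TOTP original:", TOTP(secret, 59, 30, 8), "copy:", TOTP(exported, 59, 30, 8))

	auth := NewAuthenticator()
	pub, err := auth.Register("example.com")
	if err != nil {
		panic(err)
	}
	challenge := []byte("server-nonce-1") // constructed input
	sig, _ := auth.Assert("example.com", challenge)
	fmt.Println("genuine login verifies:", Verify(pub, "example.com", challenge, sig))
	_, err = auth.Assert("examp1e.com", challenge)
	fmt.Println("lookalike domain:", err)
}
```

Running it prints the same 8-digit code for the secret and its copy, `true` for the genuine login, and a "no passkey scoped to examp1e.com" error for the lookalike domain. The signature also fails verification against any other challenge, which is the replay protection that a static TOTP secret cannot give once it has been copied.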

  • by Sir Realist ( 1391555 ) on Monday October 14, 2024 @11:06PM (#64864975)
    "...CSV files to import and export credentials, which is much less secure."

    I was trying to come up with a joke, but I got nothin funnier than that titan of an understatement.

    • by jddj ( 1085169 )

      ...or alternatively in raw SQL";DROP TABLE passkeys;

    • For a password manager not running in a secure enclave, it's not much less secure. Okay, you could leave a copy in a cloud email archive, but what's more likely to get hacked? Your PC or a cloud provider?

      It's like all the blowhard accusations of disastrously poor safety when software doesn't encrypt stuff at rest even though it doesn't use its own password to start, often leveled at Firefox ... what's the bloody point if the decryption key is right there too?

  • ...to turn on iCloud keychain, which I #donotwant

  • by bradley13 ( 1118935 ) on Tuesday October 15, 2024 @01:54AM (#64865153) Homepage

    I use a password manager, probably most /. people do. If I need to log into a website, I can copy/paste the password into the browser. Unless I let it, the browser does not remember or process the password in any way.

    From what I've seen, that's not true with passkeys. They require a browser plugin, and your password manager has to hand off the passkey to the plugin. Like handing your car keys to a valet - maybe he's a stand-up guy, and...maybe not.

    It's an extra step, one more agent that has to work, and have no security issues. For the moment, at least, I'll stick to passwords...

    • by AmiMoJo ( 196126 )

      If you don't trust the browser then you are already screwed, because when you copy/paste your password in it can be snagged by malware.

      Most people use the browser's built in password manager, or something like Bitwarden via an add-on.
