FIDO Alliance Working on Making Passkeys Portable Across Platforms (macrumors.com)

The FIDO Alliance is developing new specifications to enable secure transfer of passkeys between different password managers and platforms. Announced this week, the initiative is the result of collaboration among members of the FIDO Alliance's Credential Provider Special Interest Group, including Apple, Google, Microsoft, 1Password, Bitwarden, Dashlane, and others. From a report: Passkeys are an industry standard developed by the FIDO Alliance and the World Wide Web Consortium, and were integrated into Apple's ecosystem with iOS 16, iPadOS 16.1, and macOS Ventura. They offer a more secure and convenient alternative to traditional passwords, allowing users to sign in to apps and websites in the same way they unlock their devices: with a fingerprint, a face scan, or a passcode.

Passkeys are also resistant to online attacks like phishing, making them more secure than things like SMS one-time codes. The draft specifications, called Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF), will standardize the secure transfer of credentials across different providers. This addresses a current limitation where passkeys are often tied to specific ecosystems or password managers.
Further reading: Passwords Have Problems, But Passkeys Have More.
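To show concretely why a passkey resists phishing (a key pair scoped to one site, as the summary above and the comments below describe), here is an added Go example that is not from the FIDO Alliance, the article, or any password manager; the Passkey type, Register, Assert and Verify are constructed names that model the WebAuthn registration and login steps, not the CXP/CXF drafts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Passkey models one WebAuthn credential: a key pair scoped to a single relying party (RP) ID.
type Passkey struct {
	rpID string
	priv *ecdsa.PrivateKey // never leaves the authenticator in this model
}

// Register creates a passkey for rpID (constructed API, not FIDO's own).
func Register(rpID string) (*Passkey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Passkey{rpID: rpID, priv: priv}, nil
}

// Public returns the key the RP stored at registration.
func (p *Passkey) Public() *ecdsa.PublicKey { return &p.priv.PublicKey }

// signedMessage mirrors WebAuthn's authenticatorData || SHA-256(clientData): the RP ID hash is signed.
func signedMessage(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	clientHash := sha256.Sum256(challenge)
	return append(rpHash[:], clientHash[:]...)
}

// Assert is the login step: the browser reports the origin it actually reached and the
// authenticator refuses to sign for any RP other than the one the key was created for.
func (p *Passkey) Assert(origin string, challenge []byte) ([]byte, error) {
	if origin != p.rpID {
		return nil, fmt.Errorf("credential scoped to %q, not %q", p.rpID, origin)
	}
	digest := sha256.Sum256(signedMessage(p.rpID, challenge))
	return ecdsa.SignASN1(rand.Reader, p.priv, digest[:])
}

// Verify is the RP's check: it recomputes the message for its own RP ID and the challenge it issued.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	digest := sha256.Sum256(signedMessage(rpID, challenge))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

A look-alike domain never receives a usable signature: the authenticator declines to sign for it, and even a signature captured from the real site fails Verify under another RP ID or a fresh challenge.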
  • by Junta ( 36770 ) on Friday October 18, 2024 @12:51PM (#64875025)

    The initial pass was basically handing the 'security' people everything they wanted:

    - A private key that is generated in one place and *cannot* be extracted (within reason). E.g. a 'huge' yubikey "vulnerability" was that folks figured out a way to get the private key material to come out of some pins that could actually be reached if you disassembled the devices.

    - A way for authenticators to limit the passkeys they trust to manufacturers the service considers trusted. In principle, you could demand that the user use YubiKeys, or only Apple, or only Samsung, or forbid use of rooted devices.

    Now we are walking it back to maybe something a bit more manageable, allowing keys to actually be backed up. Security folks said never back up keys, just have multiple valid keys at the same time, but logistically people are more easily able to cope with backed up content.

  • Your passkey is bound to one or more physical devices, like a phone, such that without the device you are screwed, right? Where you still have to either have a biometric read or enter a password/pin, right? So it's really no better than those dongles we used to carry around in the 90s that generated a new code every minute?

    If everything is protected by passkeys, how do I get my life back if I'm traveling, have to evacuate my hotel due to a fire and am on the street with nothing but the clothes on my back?

    • You either use the recovery process like you do now, or you already have another key registered and stored in another location.

      Passkeys which depend on not being read by even the user are just security by obscurity though, so they only really delay attacks and don't prevent them.

      • by AvitarX ( 172628 )

        It's not security through obscurity in the traditional sense.

        Traditionally security has always relied on secret knowledge.

        Security through obscurity generally involves obscuring the algorithms and workings of a device, not the key.

        If the device itself is well documented I would argue it's not security through obscurity.

        Now if the device has a back door to extract the information that they're relying on people not knowing about, or there are chips doing things that are not documented and the doings of those

      • It's more like security through preventing stupidity rather than through obscurity.

        Something this passkey portability is trying to work around for some reason. The better fix would be to allow multiple passkeys from the beginning. There should be no web site that allows just one form of 2FA. You should be able to add and revoke at will. Especially if it's a Passkey where my laptop might use my face and the CPU secure enclave but I still need to log in from my phone.

        I don't like Passkeys replacing passwor

    • by AmiMoJo ( 196126 )

      That's why they are adding the ability to export Passkeys, so you can make a backup. Most browsers have the ability to back them up in some form already. Sites can also offer recovery codes that you can download and keep safe, or other means of recovering your account.

      It's not really any different to using a password manager to store complex passwords or OTP codes. If you lose access to it and didn't create a backup, you better hope the sites allow you to do a password reset.

    • Literally every service provides secondary recovery processes for passkeys or 2FA devices being unavailable. Make sure you set them up.

      Some services use passkeys differently from passwords giving you the option of signing in with both. The former being device specific and sending only auth tokens around, the latter being you transmitting your password over the internet, hopefully securely, but still with the ability for its compromise to affect your entire account, not just your single device access.

    • by Cyberax ( 705495 )

      Your passkey is bound to one or more physical devices, like a phone, such that without the device you are screwed, right?

      Not necessarily. A passkey is just a derived public/private key pair bound to a particular website. You can host them anywhere, including your password manager.

      • by Junta ( 36770 )

        I admittedly haven't looked into extensions, but I know neither Chrome nor Firefox will deign to do a Passkey without some external device (phone or yubikey or similar) in Linux. In Windows they won't do it without "Windows Hello" or some external device.

        In principle, sure, they are just private/public keys. In implementation, the browsers have been particularly picky.

        • by Cyberax ( 705495 )

          Browsers (for now) don't want to get into the business of hosting and syncing passkeys. However, you can install Bitwarden and have your keys synced across platforms. I'm using it for passkey logins on macOS, Firefox on Android, and (bletch) on iOS.

          The only missing piece is importing existing passkeys from Keychain on macOS.

  • The underlying tech? Freaggin awesome, I love the passwordless lifestyle.

    But in the past month or two, I've noticed that Windows, macOS, Bitwarden and others are overly aggressive in trying to take over the role of the passkey god on a local machine.

    I use Yubikeys for this purpose, and have several workstations and laptops I hop between. But it's been frustrating to the point of pissing me off that I have to hunt down the NEXT checkbox to disable local passkey storage so I can continue to use my hardware tok

  • Can we get different types of passkeys?

    Initially, all passkeys were locked to devices. Pop a passkey on an iPhone, it follows that device. Save it to a Windows PC, it stays there. It is bound to something.

    Then PW managers started allowing them to be portable.

    Now we are going to have passkeys similar to Google Authenticator shared secrets -- easily backed up and synced.

    All of this is good, but it would be nice to have different security levels. For example:

    Tier 1 passkeys would be allowed to be shuffled
