Passkeys are incompatible with open-source software
Passkeys are incompatible with open-source software (was: “Passkey marketing is lying to you”) – Smoking on a Bike
Comments
The spec has issues due to usual RFC bullshit and corporate greed, but as per usual the viewpoint here is too narrow. I'm running my own open source authentication stack and choose what attestations are acceptable, say only allow the FIPS version of Yubikeys. That feature exists because companies want to be able to control which methods they consider secure enough for their own employees. This tech was built for corporate security, using it externally facing with end-users is a bolted on after the fact idea. Having control is necessary, it does not make the spec evil.
Now say GitHub enable attestations that only allow Windows Hello passkeys to go through, then yes that's technically possible. It would also be a support nightmare so they won't. (It's already a support nightmare for anyone limiting devices since for example security key vendors regularly forget to publish their fingerprints for new products.)
The whole biometrics thing? Total red herring. UV can be enabled in many different ways and totally "faked" as well, which is what all the software implementations do such as Bitwarden. Only way to stop it is approvelisting specific devices, see point above.
A passkey is a FIDO authentication credential that allows a user to sign in to apps and websites with the same process that they use to unlock their device (biometrics, PIN, or pattern).
… What? Stop. What are you talking about? My Linux desktop doesn’t even have a lock screen. Are you going to somehow notice my screensaver exiting to permit a login? How can that possibly work? Are they trying to tell me that their fancy new login system only works on certain proprietary operating systems? Really?
Article is bullshit, dude thinks potential use cases are mandatory features. That's mental
Very important message. I always had the feeling that passkeys were a corporate scam but this confirms those suspicions.
Doesn't the post conclude the opposite however, that you can in fact manage your own passkeys outside of any "big tech"?
I think one important detail the author missed is that passkeys are in most cases not a sensible replacement for a password. They can act as a convenient semi-permanent replacement or second factor, but you will always need a mechanism should the passkey, or device be lost, which will be a traditional password or account recovery.
If parties do not trust your particular passkey provider / system then you lose that convenience, but the spec does need someway to handle obviously flawed or broken client implementations. If all your passkeys are hanging out in plain text without a pin/biometric/other key gating their access, they are all compromised and should be rejected.
Doesn’t the post conclude the opposite however, that you can in fact manage your own passkeys outside of any “big tech”?
I dont know how you missed the whole first section... If the provider can force you into device/software attestation then that indeed means that you can NOT use your own passkey management system without having to worry about being locked out.
If all your passkeys are hanging out in plain text without a pin/biometric/other key gating their access, they are all compromised and should be rejected.
No thats actually not an issue at all if your device is secure and uses full disk encryption. And if your device isnt secure then any additional security measures like password managers are ineffective anyways. If i want to write down my private key on a piece of paper and type it in by hand then thats my issue to deal with and not theirs.
I wanted to be sympathetic to the author. Passkeys are complicated, especially since they now try to cover so many situations, and it certainly originates from the corporate world. But this guy is spreading FUD. Tim Cappalli pointing out security shortcomings in keepassxc's implementation a couple of times is not proof that FIDO Alliance is anti open source.