Hacker News

So it adds no value over the long, randomly generated passwords from a password manager besides making a new standard and giving Microsoft a reason to push a new dark pattern on users to force higher uptake rates of this new, bespoke standard with limited support?


When you log into a site with a password, you're needing to transmit your actual password over the wire. Sure, you'll hopefully have encryption when sending that credential over, but in the end you'll be exchanging your actual password with some remote service. That remote service might be misconfigured, it might be misdesigned, it might be under attacker control. Now they have your whole credential.

A passkey doesn't transmit your actual, full, repeatable credential over the wire. It's a challenge-response protocol, so only that one authenticated session would be intercepted. Kill all questionable sessions and you're good, they're not reusing it.


> randomly generated passwords from a password manager

are impossible to enforce. If you present users with password field, a sizable percentage of them will just manually type in the same weak, compromised password that they've used on every other site they've ever created an account on in their life. Passkeys are much harder to misuse. That's where 99% of their value is.

Yes there are also other advantages, like the fact that passkeys use public key cryptography, but those are tiny compared to the human factors improvements.


Passkeys include a key that the website you're logging in to holds, if a site can't present that key then the passkey doesn't work, meaning phishing attacks no longer work because 0utlook.com doesn't have the key that outlook.com holds.


It's a standard supported by multiple parties, not just Microsoft, including multiple open source password managers.

And it does provide some benefits: phishing protection (no shared secret that can be intercepted or given to the wrong party) and the service does not need to store as much sensitive information (don't need password hashes that could be leaked and cracked, just a public key).


Don't forget the anti-features of:

No ability to export your credentials.*

Device attestation to allow blocking "undesirable" devices from authenticating and lock in purposes.

*KeePassXC was working on an export feature and there were already threats to use the attestation club to ban them from the landscape for not falling in line

https://github.com/keepassxreboot/keepassxc/issues/10407#iss...


I found this out in October when trying to figure out this complaint.

timcappalli from FIDO Alliance mentioned in that above thread that plain text exports shouldn't be allowed, and that password managers/providers should be blocked if they implement plain text export.

Since that thread, there's a new spec that allows users to securely migrate passkeys from one provider to another, but no way to export to plain text (for debug purposes, or if there's a bug in the export/import and you need to troubleshoot, etc).

For me, threatening to block providers for implementing a feature that I desire is a great way for me to lose all interest in passkeys completely. I don't trust FIDO Alliance to make the right call nor do I trust big tech companies to produce bug-free software.


Creds that can't be exported can't be stolen. It is a tricky tradeoff.


My credentials aren't mine if I can't securely back them up and secure them in a platform independent way.

That attack on KeepassXC is despicable.


If you own the device the credentials are stored on then they are yours.


This very much falls into the same box as “not your keys, not your crypto”: if you’re forced to trust someone else to manage the keys for you then they have them - necessarily, in order to permit “transfer” (under this scheme, not everything) to another party - in plaintext, while you’re not allowed to “for your own good”, then you’ve lost it all.

They can:

1. Impersonate you, gaining access to anything your keys unlock.
1.a. Impersonate you, claiming to be you in a violation of “key use enables non-repudiation”.
2. Deny you the ability to use your keys.
2.a. Change any of your keys, locking you out of things.
3. Deny you the ability to transfer your keys to anyone they “don’t like”.
4. Provide your keys to anyone else, e.g. “with a court order”.
4.a. Anyone “benefitting” under (4) can then do (1.a).

…and surely more Bad Things.

Every single time “passkeys” seems like “okay, maybe”… some fucktards pull another one of these.

Then I go, “okay, ssh keys, PIV, or whatever else is Just Fine, and these people who are either state agents, idiots, or power hungry idiots working to advance total control over humans with lack of freedom and no way back can go die, or as an alternative be sentenced to serious computer-things-reeducation”. …and I kinda mean it. There are certain things you just don’t come back from, as a society, etc. and I just won’t support it. You only get one chance not to.


Passwords are also a standard supported by pretty much everyone, and password managers (including those built into browsers) already generate long, unique, phishing resistant (it only prompts on the matching domain) passwords.

The main difference I see with passkeys from a usability standpoint is that Firefox doesn't have built-in support for a software implementation, making them literally unusable for me.


Firefox does support passkeys but their native implementation is behind a feature flag. Beyond that Firefox add-ons (such as those for password managers) can enable support for their own purposes.

For example 1Password can be used for passkeys in Firefox.


I can't find that option's documentation. Do you have a link? The only documentation I've seen indicates that they only support hardware devices, and I don't own one.


Passkeys are tied to a specific website and can only be used for signing in on the website they were created for.



