Security vendors join forces to make passkeys more portable for everyone | Bitwarden Blog
bitwarden.com
external-link
FIDO Alliance publishes industry standards for consumers to easily and securely transfer passkeys across platforms and password managers.

Looks like a huge amount of security vendors are working to have a secure and open standard for passkey portability between platforms.

It is always good to see major collaboration in the security space like this considering the harsh opinions that users of some of these vendors have toward many of the others. I just wish apps and sites would stop making me login with username and password if passkeys are meant to replace that lol.

@lud@lemm.ee
link
fedilink
12M

I personally like it. Imo passkeys should optimally be device bound and the private keys should be stored in TPM or equivalent and be non-exportable.

When most sites refer to passkeys, they’re typically talking about the software-backed kind that are stored in password managers or browsers. There are still device-bound passkeys though. Also since they’re just FIDO/WebAuthn credentials under the hood, you can still use hardware-backed systems to store them if you really want.

While you’re right that device bound and non-exportable would be best from a security standpoint, there needs to be sufficient adoption of the tech by sites for it to be usable at all and sufficient adoption requires users to have options that have less friction/cost associated with them, like browser and password-manager based ones.

Looking at it through the lens of replacing passwords instead of building the absolutely highest-security system helps explain why they’re not limited to device-bound anymore.

Well, nothing is stopping you to keep passkeys only in one place, why force others to do what you like? Now we have options and less friction to switch to a competitor. Which results in more competition and that results in better products. Well theoretically…

@lud@lemm.ee
link
fedilink
1
edit-2
2M

I just don’t think synced passkeys should be the default for example iOS.

What Microsoft is doing with device-bound passkeys using Windows Hello is imo great.

So microsoft does not require that you backup your passkeys? I thought that was the norm in all OS 😅

I think that passkeys are backed up in cloud by default isn’t that bad for the average person, since they are likely not understanding passkeys (at least right now) and don’t get that they loose access to accounts, if they disable oldscool Passwords only use one passkey on one device for that account.

@lud@lemm.ee
link
fedilink
12M

You usually don’t lose access though. Passkeys rarely replace passwords so you could still use your password or reset it if you don’t remember it.

That is, because we are in transition phase, the goal is that passkey replace the less secure method, else you gain only a very little more security than only Password .

Create a post

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

  • Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
  • Don’t promote proprietary software
  • Try to keep things on topic
  • If you have a question, please try searching for previous discussions, maybe it has already been answered
  • Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
  • Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

  • 0 users online
  • 57 users / day
  • 383 users / week
  • 1.5K users / month
  • 5.7K users / 6 months
  • 1 subscriber
  • 3.12K Posts
  • 78K Comments
  • Modlog