🔑 Huge news! Google’s announced that passkeys are available in Google Chrome 108. So we have iOS, iPadOS, macOS, Safari, and Chrome with support.

If you’re responsible for a website or app, or its authentication story, it’s time to look at passkeys. https://blog.chromium.org/2022/12/introducing-passkeys-in-chrome.html

@rmondello heck yeah! Passkeys can’t arrive fast enough!
@rmondello iCloud passwords for Chrom[ei][um] next <3
@rmondello I noticed that “simply” implementing the WebAuthn standard for security keys and biometrics results in automatic Passkey support. Is this correct?
@rmondello @lexpostma as I understand it, for the most part - yes. You may need to do extra legwork to make it fully passwordless as opposed to just a 2FA option though
@faisal @rmondello ah yes of course, to make it truly passwordless more work needs to be done. But it stood out to me that all the system dialogs just used the Passkey words for the same things as were in the 2FA dialogs before

@rmondello Glad it's finally here.

And something I've long been interested in implementing, but I get the impression I can't adhere to W3C's specs since they're JS APIs...

@rmondello i’m waiting for @bitwarden support.
@hmiron @rmondello The team is working on passkey support! Currently you can use a passkey on iOS for example to authenticate into the web vault itself. The team will continue to research and develop open solutions for passkey storage and retrieval 👍
@rmondello I just put in the request at my employer that we look into supporting passkeys on our site!
@rmondello very cool! am I correct in assuming that I'll need something like 1Password to get cross-platform/cross-browser support? I guess I could also just use Chrome on iOS assuming I use Chrome on other platforms?
@rmondello @nsa why would I implement something that relies on a user owning a specific device constantly? Not only can a phone be confiscated but some people don't have consistent computer access. Can the keys even be transferred to another device or duplicated?

@gaycodegal @rmondello you can sync your passkey across devices of the same sync provider. And you can register as many devices of different providers as you want with each website.

Using a passkey requires passing a phone unlock. If confiscation is in your threat model you can set a strong factor like a PIN or password as your lockscreen.

Third party provider support in the roadmap for Google -- 1password & dashlane are already experimenting with implementations.

@nsa @rmondello there is no open source provider?
@gaycodegal @rmondello @nsa this! I haven't trusted my yubikeys fully because of this. What if it breaks? :(

@gaycodegal @rmondello @nsa

Yes, this is not just a problem at a border crossing, but when police sweep the encampments of homeless people, they'll take or smash phones (which may be left for safekeeping or charging.)

@emmah @rmondello @nsa yeah this was more what I was getting at. Homeless folk complained a lot about mandatory 2fa and this seems less portable than that
@rmondello afraid to look to see if Cognito has support.
@rmondello how about an iOS Mastodon client w passkey support, @JPEGuin ?

@rmondello @siracusa but… when are they going to be supported on their own actual user sites?

I keep waiting to be able to convert my accounts but… 😔

@rmondello I’m on-and-off working on a side project which uses Passkeys as its only auth mode. Really impressed by the tech and what it enables for both end users and developers.

@rmondello Excellent!

(I try to stay away from everything Google myself, but I hope this is a stepping stone for better passkey adaption by sites/services)

@rmondello

"Google has long recognized these issues, which is why we have created defenses like 2-Step Verification"

Dear Google, 2FA was patented by AT&T in 1989 😉

@rmondello Unfortunately, Linux is not supported without a phone and the ability to scan a QR code.

https://developers.google.com/identity/passkeys/supported-environments

@rmondello Woo, finally! Only thing (which I don't expect you to answer - more of a general observation 😁) -- do these passkeys sync with the passkeys I have in Safari with iCloud keychain? 👀
@rmondello That's great to hear! We now have iOS/iPadOS, Chrome, ... still a bit of a way to go with Android and Linux though. Should make using password (passkey-) managers easier to use and set up in the long term. Looking forward to that :)

@rmondello the question, and it’s not original to me, seems to be whether anyone has implemented them portably. I.e., if I have an android phone and switch to iPhone (or vice versa) is there a way to move my keys yet?

Or am I still stuck having to set up a parallel set of keys/accounts?

@rmondello having recently worked on both client and server side WebAuthn solutions this is fantastic news