Ricky MondelloOct 6, 2023

If you can drop a single device in a lake and lose your credential, it’s not a passkey. Passkeys are backed up and synced across your devices to deliver a great and safe user experience, while also eliminating phishing.

If it’s device-bound, it’s not a passkey. :)

Show threadFlorens Verschelde

@rmondello Is that a normative thing in a standard, or a spicy opinion?

I’m trying to understand what passkeys *are*, and so far I’m puzzled.
https://hachyderm.io/@fvsch/111182221089340118

Florens Verschelde (@[email protected])

Reading about passkeys and I’m finding 2 types of info: 1. How to use passkeys in a specific app or platform (what buttons to click and whatnot). 2. High-level descriptions of the public/private keys mechanism. But I’m missing info on the “social” component of passkeys. Things like: - Who generates and stores keys. - What’s the diff between proving you have a key and proving *identity*. - Will services accept any self-generated and self-managed key? Or require one from an identity broker?

Hachyderm.io
Oct 6, 2023 at 4:47pmWeb
Show threadNate Jones Oct 7, 2023

@fvsch

The latter. The standards body talks about the definition here https://fidoalliance.org/passkeys.

If that doesn't answer one of your questions lmk.

Passkeys: Passwordless Authentication | FIDO Alliance

Explore passkeys and how they provide phishing-resistant, passwordless login with faster sign-in and enhanced security. Start your passkey implementation.

FIDO Alliance
Show threadFlorens VerscheldeOct 7, 2023

@uint8 Thanks. Also reading this in their FAQ:

> When delineation is required, passkeys that are synced between user’s devices via a cloud service are generally referred to as “synced passkeys”, and those that never leave a single device (including those on UAF apps) are referred to as “device-bound passkeys”.

Show threadFlorens VerscheldeOct 7, 2023

@uint8 Though the FIDO passkeys FAQ also suggests that synced passkeys should be the default user experience:
 
> Syncing is critically important for FIDO to achieve its mission, which is to make sign-in easier and fundamentally safer by replacing passwords in as many places as possible.

> The usability of a password replacement must compete with the convenience of passwords, and one of the primary usability benefits of passwords is that they can be used from any device.

Show threadFlorens VerscheldeOct 7, 2023
@uint8 So “If it’s device-bound, it’s not a passkey” is a spicy opinion that does not quite match FIDO’s position (since they recommend the language “device-bound passkey”), but it does match the overall intent and intended primary use case of passkeys.
Show threadNate Jones Oct 7, 2023

@fvsch

> but it does match the overall intent and intended primary use case of passkeys.

For most consumer users, yes the ability to sync, back up, and restore your #passkeys is a good thing for usability. And it should probably be the default for most/all consumer scenarios.

However, defining "passkeys" to exclude device bound authenticators introduces an ecosystem/UI/UX split for little reason. It's the same technology stack top to bottom outside of the implementation details of the authenticator itself.

We can provide the good default user experience of synced passkeys without taking the freedom from security conscious enterprises/users to use Yubikeys on passkey supported websites.