If you can drop a single device in a lake and lose your credential, it’s not a passkey. Passkeys are backed up and synced across your devices to deliver a great and safe user experience, while also eliminating phishing.

If it’s device-bound, it’s not a passkey. :)

@rmondello if we’re going to accept that, then someone needs to have a chat with Yubico:

https://www.yubico.com/resources/glossary/what-is-a-passkey/

> The widely accepted passkey definition simply specifies that cryptographic keys are used for login rather than passwords.

I myself tend to agree with this, and I would argue that if you’re trying to make a distinction between different types of passkeys, neither of the derivatives should be called just “passkey.”

@e3b0c442 I am intentionally disagreeing with this definition because I think that thinking about “passkey” in this way will confuse consumers and harm the adoption of the best password replacement the industry has come up with.

@rmondello Honestly, I think this is a mountain/molehill situation, and not worth the energy. The vast majority of users are going to be well-served by consumer-level distributed passkeys. The people that need hardware tokens are going to understand why they need them and what the tradeoffs are. There’s really no need to disambiguate at the level you’re advocating for — they both work in the same way to replace passwords with non-phishable cryptographic authentication.

@e3b0c442 I *hope* that you’re right. I’m afraid you aren’t.

@rmondello I think it's fair to give our users some credit, and frankly at the end of the day, economics is going to have a say here too -- why would anyone spend extra money on a hardware token when they've already got passkeys available in their browser password manager/mobile device? Yubico, et al. will have to sell on what differentiates them, _if_ they ever do decide to pursue the consumer market (something I highly doubt will happen).

@e3b0c442 @rmondello We're currently in the process of exploring both Passkeys and device bound WebAuthn/FIDO credentials. Sales people for IDMs confuse Passkeys for YubiKeys and also think they're a 2FA. And that's unfortunate where most "deciders" get their info from.

@ljrk @rmondello B2B marketing is a whole different animal here, that said...

"also think their [sic] a 2FA"

Both are, assuming the server is correctly set up to require user verification. Or perhaps I'm misunderstanding what you're getting at?

@e3b0c442 @rmondello Yeah, end users may actually be more well-informed here...

Whoops, I shouldn't be typing when tired :D

They're confusing Passkeys for FIDO U2F, that is, still using a password + a YubiKey (wrong #1) for 2FA afterwards (wrong #2).

Using FIDO that way is totally fine, or combining Passkeys with YubiKeys as 2FA or whatnot, but it's not what Passkeys *are*.
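
Added example, not part of the thread or any participant's post: the two properties argued over above (whether user verification happened, and whether a credential can sync or is device-bound) are both reported in the flags byte of WebAuthn authenticator data, which a relying party can check server-side. The function names, the `example.com` RP ID and the sample data are constructed for illustration; signature, challenge and origin verification are assumed to have already happened and are not shown.

```python
import hashlib
import struct

# Bits of the authenticator data flags byte (WebAuthn Level 3).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric checked by the authenticator)
FLAG_BE = 0x08  # backup eligible: credential is allowed to sync
FLAG_BS = 0x10  # backup state: credential is currently backed up


def parse_auth_data(auth_data: bytes, rp_id: str) -> dict:
    """Parse the fixed 37-byte header: rpIdHash (32) | flags (1) | signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    if flags & FLAG_BS and not flags & FLAG_BE:
        raise ValueError("BS set without BE is invalid")
    return {
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def enforce_policy(parsed: dict, require_uv: bool = True) -> str:
    """Reject assertions without UP (or UV when required); classify the credential."""
    if not parsed["user_present"]:
        raise PermissionError("user presence flag not set")
    if require_uv and not parsed["user_verified"]:
        raise PermissionError("user verification required but UV flag not set")
    return "multi-device" if parsed["backup_eligible"] else "single-device"


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build constructed sample authenticator data (no extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)


if __name__ == "__main__":
    rp = "example.com"  # constructed RP ID
    synced = make_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    bound = make_auth_data(rp, FLAG_UP | FLAG_UV, 7)
    print(enforce_policy(parse_auth_data(synced, rp)))
    print(enforce_policy(parse_auth_data(bound, rp)))
```

A relying party that sets `require_uv=False` accepts a touch-only assertion, which is the configuration in which neither kind of credential amounts to two factors on its own.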