GlyphDec 30, 2024

This is a great writeup of the continuing failure of passkeys to meet their potential. It demonstrates the gordian knot:

1. the ecosystem is confusing due to the plethora of different interacting layers
2. therefore, to simplify, every vendor attempts to own as many layers as they can, obscuring other vendors' tools
3. therefore, users are confused into thinking that passkeys are platform-specific, because their platform vendor is obscuring alternatives

https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/

Passkey technology is elegant, but it’s most definitely not usable security

Just in time for holiday tech-support sessions, here’s what to know about passkeys.

Ars Technica
Show threadGlyphDec 30, 2024
This is a particularly painful and comprehensive example of an industry-wide trend, which is that vendors are expected to deliver things as fully-formed, self-explanatory products. Users, already justifiably wary of the upgrade treadmill, reflexively flinch away from anything that looks like a big learning investment, which means "user education" is treated as a sort of taboo, something that *cannot* be made a prerequisite to using a product, because if you're explaining, you've already lost.
Show threadGlyphDec 30, 2024
The failure of passkeys to date is a particularly dramatic example of this because it's extremely high-stakes, visible, and black-or-white (you're either switching your auth to passkeys or you aren't, whereas other apps you may use in a casual or incorrect capacity). But the same problem exists in other domains, and it's almost as bad.
Show threadGlyphDec 30, 2024
Almost every communication technology is like this. Email is bad so we *still* keep getting new email clients that try to "solve" email (or chat apps; remember when slack was going to "solve" email?). Don't worry, don't change your habits, you don't need to learn anything, just click this button. We made a "promotions" tab, and an "important" tab for you, so now you won't be overloaded. Just consume product, don't learn to be a better communicator. Here are some suggested AI replies.
Show threadGlyphDec 30, 2024
People need to develop sophisticated strategies and think deeply about their values and goals when using social media, but the only response that social media companies have to this is to introduce features or to constantly tweak their recommendation algorithms. Disinformation? Oh, that's okay, we'll block the word "suicide" so now everyone starts saying "unalive yourself in minecraft", great, teen mental health is solved. No need to have a difficult conversation about norms and pedagogy.
Show threadGlyphDec 30, 2024
I can't blame companies; users really do reflexively avoid learning, and have been conditioned to see their primary feedback mechanism as switching apps. If your app requires learning, you'll see massive churn and be harshly punished for that. I definitely can't blame users, who avoid learning because developing deep expertise with modern apps is rewarded by having your brains scrambled with constant A/B tests of everything being reshuffled to suit the users who *don't* put in effort.
Show threadGlyphDec 30, 2024
In a way, you can see the passkeys community pushing *against* this trend, trying to acknowledge this need, developing resources like https://webauthn.io to allow users and developers to cultivate a structured understanding of the technology as a whole, decoupled from vendor-specific solutions. But the ingrained product development habits from every vendor undermine this.
A demonstration of the WebAuthn specification

Demonstration of the WebAuthn specification.

WebAuthn.io
Show threadmccDec 31, 2024
@glyph I'm going to add something, it's not as big as the other problems you raised but I think it's a problem: Someone, somewhere, set it up so the non-vendor-locked version of passkeys so it *requires*, per the spec, for you to use Bluetooth, which simply means I will never use it. This is probably childish. But I am probably not the only person who hears "bluetooth" and immediately tunes out.
Show thread✧✦Catherine✦✧Dec 31, 2024

@mcc @glyph i am using non-vendor-locked passkeys with zero bluetooth

(keepassx supports it)

Show threadmccDec 31, 2024
@whitequark @glyph 🤔 are the passkeys stored on the same physical device that they are utilized on
Show thread✧✦Catherine✦✧Dec 31, 2024
@mcc @glyph yes
Show threadGlyphDec 31, 2024
@whitequark @mcc I'm not really clear on what "non-vendor-locked" means here, but it sounds like people aren't paying attention to an extremely stupid corner of the spec, so: great
Show thread✧✦Catherine✦✧

@glyph @mcc i am using a password manager with a browser extension that lets me do passkey logins in most places i've tried to do them

keepassx stores them in the password database, like everything else it stores

it's a normal file

Dec 31, 2024 at 7:37amWeb
Show threadCassandrichDec 31, 2024
@whitequark @glyph @mcc AFAICT passkeys are a half-baked solution to a non-problem that was already solved by "use a password manager and let it generate strong passwords".
Show thread✧✦Catherine✦✧Dec 31, 2024
@dalias @glyph @mcc PKI-based authentication is strictly better than what you're suggesting since you can no longer steal a credential (other than from the password manager), no matter what happens with the browser or the website
Show threadCassandrichDec 31, 2024
@whitequark @glyph @mcc That's assuming you want to store the keys on a separate device, which is a really bad idea for most normal users.
Show thread✧✦Catherine✦✧Dec 31, 2024
@dalias @glyph @mcc i said nothing about a separate device
Show threadmccDec 31, 2024

@whitequark @dalias @glyph I said something about a separate device (in a different part of the thread)

Continuing from here:

https://mastodon.social/@mcc/113748384835298072

…in addition to the website not being trustable with your password, it's also possible the machine on which the web browser is running cannot be trusted with your password. This is an important case to me personally, not on *all* machines, but on some machines separately.

Here I note something important and problematic:

(Post 2 of 4)

Show threadmccDec 31, 2024
@whitequark @dalias @glyph The thing I want out of passkeys is completely different from what Catherine wants out of passkeys, which is (I think) different from what Glyph wants! I want SRP. I want authentication without the shared secret (password) having to travel from its trusted home (whereever that is) to the authenticating party, thus hitting peril from lazy/malicious Twitter engineers, malwared Microsoft Windows, etc. Glyph wants anti-fishing. Catherine wants (I think) convenience. (3/4)
Show threadmccDec 31, 2024
@whitequark @dalias @glyph Because we all want different things, some of us don't get them. Catherine seems satisfied with her passkey implementation, but glyph is not satisfied because for convenience it's been watered down to being not quite anti-phishy enough, and I— who wanted SRP but do not care at all about "phishing"— don't get SRP, because the "anti-phishing" rules erect barriers to me using my passkeys in the way I want (without transferring the keys to certain untrusted devices). (4/4)
Show threadmccDec 31, 2024
@whitequark @dalias @glyph Passkeys were trying to be too many things to too many people and I think this made them worse.
Show threadGlyphDec 31, 2024

@mcc @whitequark @dalias I think there is some validity to what you're saying—in particular, I think that passkey implementations could do a better job respecting individual autonomy and allowing individuals to provide input to their threat model, which the big vendors cannot have and is not universal.

But to the extent that "passkeys" are trying to do a thing, it's to solve a big *social* problem of password reuse and account compromise, which other solutions have demonstrably not addressed

Show threadmccDec 31, 2024
@glyph I'm sure, but the thing is, they are trying to push people's lives into a different shape without actually having the power to force that. Apple, or sometimes the government, can force people's lives in a different shape. The passkey body can't. So if they say "change the shape of your life or you can't use this thing" people just won't use the thing. And then probably sites won't support the thing, because people aren't using it. And that seems to be the reality we live in with passkeys
Show threadGlyphDec 31, 2024

@mcc Yup, 100%. I *did* start my thread by saying that they were failing, and this is a big reason why :).

But they do also need to address a huge range of personal use-cases in order to bend the will of the population at large in a more beneficial direction, and that does necessitate being all things to all people.

(Also, by "SPI", I think you meant "SRP"? Or is there another more general SRP-like thing called SPI?)

Show threadmccDec 31, 2024
@glyph Yes. I meant SRP. I blanked. (Also I think the current state of the art in SRP-like technologies has moved past SRP.)
Show threadmccDec 31, 2024
@glyph As I see it they had a choice between successfully solving a technical problem or unsuccessfully solving a social problem and they picked the latter. You said passkeys don't care about my preferences. Well, I have the option of not caring about passkeys. And so does everyone else. They have made it very, *very* easy to not care about passkeys.
Show threadGlyphDec 31, 2024
@mcc In the spirt of a transparent sprachspiel, the point of all my ranting on this topic is that I want my nerd friends to use them because I want us to be prepared to assist our normie friends to migrate to passkeys, once the normies have had their PayPal accounts popped enough times to start caring (which, unfortunately, is a growing demographic). So I do care a little bit about you using them but not to a degree that would be worth even a minor amount of discomfort on your part
Show threadGlyphDec 31, 2024
@mcc to that end, so I understand your use-case, you want to have a device — one of your own design? or is a phone okay for this? a hard token? — that serves as the credential store, which never ever exposes the plaintext of the credential material to the devices (presumably "not secure" things like, Windows machines, game consoles, STBs, etc) but allows them to be authenticated with relative ease?
Show threadGlyphDec 31, 2024
@mcc presumably it would be OK if this thing could sync an encrypted blob to some backup store (or "cloud" even) as long as there was no way that the credential material ever gets decrypted on any device with an insufficiently robust level of endpoint security, and importantly, the robustness of that security is something that _you_ want to evaluate, and not leave up to the inherently compromised judgement of the device vendor or IdP?
Show threadmccDec 31, 2024
@glyph I'm not sure how someone could convince me to trust a cloud service, whether I ran that cloud service or not. We have the technology for a forward-secret round-trip communication between the trusted device and the authenticating entity. I don't see why a cloud service would be needed for anything other than relaying messages between the two.
Show threadGlyphDec 31, 2024
@mcc I'm thinking of the cloud service as a storage bucket with provider-independent security on the contents of the credential vault. Device loss seems like a scenario worth defending against.
Show threadGlyphDec 31, 2024
@mcc Not something in the hot path of the auth handshake. I can imagine why such a thing might need to exist for e.g. a QR-code based flow but you have already ruled that out :)
Show threadmccDec 31, 2024
@glyph What I am seeking, basically, is something that can work over a degraded path, if I find myself needing to use a degraded path. I think I will not get this because you, and the standards body, have jointly decided that "phishing" is the problem we are trying to solve, and not eavesdropper-proof authentication, and my "degraded" use cases are indistinguishable from phishing.
Show threadmccDec 31, 2024
@glyph I'd like to authenticate from an untrusted device without "high trust" items like keys, passwords or shared secrets being shown to the untrusted device. I don't want there to be restrictions on the nature of the trusted device, and I don't want assumptions to be made about any device in the chain having cameras or bluetooth. I'm okay with using USB. I do not care if it is "easy" (I'd type a 40-digit base58 number if I needed to). I don't care about "proximity". I don't care about phishing
Show threadcthos 🐱Dec 31, 2024

@mcc @glyph I'm having trouble keeping up with this thread, but it does sound like what you want is a FIDO key, but actually well implemented by a given service provider. (Ideally a non-resident key, imo).

Secret never leaves the device (except the side channel Dan reported on a while back), isn't shared with the hardware, can't be enumerated (since the private key is derived from a thing the service provider holds), works over USB.

Show threadmccDec 31, 2024
@cthos @glyph Yes, what I want is a FIDO key. However, no one has yet given me a compelling reason why my phone cannot be a FIDO key. And the fact they seem to have erected artificial technical barriers to my phone acting as a FIDO key makes me feel, frankly, resentful about the entire enterprise. I don't understand why I need to buy, set up, and not lose a FIDO key when I have a phone right here.
Show threadcthos 🐱Dec 31, 2024

@mcc @glyph So yeah that's a whole thing.

Your phone *can* be a FIDO key, the secure element's capable of storing the secret, but there's some spiciness (which it sounds like you're already aware of) around providing the BLE interface to said key if it's present on the device.

There's nothing stopping Graphene, eg, for allowing usb-only support from a phone besides all the APIs for doing so being in Google Play services apparently.

Show threadcthos 🐱Dec 31, 2024
@mcc @glyph And actually, I don't think there's anything in CTAP 2 that specifies you _have_ to provide a bluetooth interface even if the hardware's present - but Google / Apple have decided that it will.
Show threadÖlbaumJan 3, 2025

@mcc Then you’re not the target audience for passkeys. The audience for passkeys is users who don’t want to have to know what password managers are or why 2FA is imposed on them, and the goal is to make auth easier and more secure than passwords.

The mere fact of passkeys trying to do so is laudable, because the goal of the alternatives (SMS or app 2FA, hardware tokens) is for nerds to assert their superiority over non nerds by making them miserable with the excuse of more security.
@glyph

Show threadmccJan 3, 2025
@oscherler I want the ability to sign into websites without risk from eavesdroppers in the chain. It really fucking sucks that I'm not allowed to have that because I am "not the target audience for passkeys". Maybe they should have allowed a broader target audience.
Show threadGlyphJan 4, 2025

@mcc I should note that within the spec, this *is* entirely possible to achieve with passkeys. Nobody has yet built the extremely specific device you want, because I think it is a fairly esoteric threat model. But nothing precludes it.

(I keep wanting to convince you to drop some of these constraints, because I wanted the same thing at one point and I was happier after _I_ was convinced to drop those aspects, but I do not think our threat models overlap exactly, so this impulse is misguided.)

Show threadGlyphJan 4, 2025
@mcc (Specifically what I think you want is a roaming authenticator that implements a ctap2 device in software.)
Show threadmccJan 4, 2025

@glyph What I'd really like:
- I say "Authenticate with passkey" in Firefox
- I get a notification on my phone*
- I tap "authenticate" on my phone
- My phone contacts the appropriate server and/or some anonymizing proxy hosted by whoever forwarded the push notification, and does the authentication handshake with the server

It should be possible to just do this over the internet.

* For anti-phishing, maybe there is a symbol or 5-digit code on both firefox and the phone & you check if they match

Show threadGlyphJan 4, 2025
@mcc as I understand it, you're describing the camera-based QR flow, and the "esoteric" part of the threat model is the part where you need this to be achievable without the camera, instead using a weaker short code. You might be correct that this is not esoteric, I admit my argument in favor rests on at least 2 rhetorical fallacies (none of the major vendors have seen fit to implement it [authority], and I sort of assume they have market research to drive their decisions [question-begging]).
Show threadmccJan 4, 2025
@glyph Not saying anything I haven't said already but: I don't think this is an esoteric model! This is a model they already explicitly planned for with the camera/bluetooth mechanism. It's just that the mechanism they came up with for solving it is baroque, irritating and makes too many assumptions about the user's hardware
Show threadWolf480plJan 4, 2025

@glyph @mcc
> a fairly esoteric thret model

Idk to me it sounds very similar to the threat model for which smartcards and yubikeys were invented

Show threadIrenes (many)Jan 4, 2025
@mcc @glyph at this point we need to point out, because we can't tell whether it's already agreed-upon context, that yubikeys and similar devices work fine with WebAuthn today, on all common browsers and OSes
Show threadGlyphJan 4, 2025
@ireneista @mcc I think this is more or less taken as read from our numerous previous interactions, but it's still good to note. people have been following me from my passkeys thinkfluencing™ at a rate like 3x greater than normal so there are probably new people reading these all the time :)
Show threadIrenes (many)Jan 4, 2025
@glyph @mcc we have noticed that with every new authentication technology, there are people who want stronger authentication, and there are people who want less-secure authentication, and vendors and specs promise to be both of those simultaneously, and it leads to a lot of public confusion
Show threadIrenes (many)Jan 4, 2025
@glyph @mcc this is perhaps an unfair and unhelpful thing to say in this discussion
Show threadIrenes (many)Jan 4, 2025
@glyph @mcc we just meant to point out that there is a tension that needs to be navigated somehow
Show threadRobDec 31, 2024

@glyph that’s a surprising motivation given that this article gives a really strong explanation for why this seems unlikely to ever happen with this technology.

I admit to being willfully obtuse, but I’m still not clear on what a passkey is, in the way that I understand what a password is and what a second-factor physical token like the blue fido usb key is or what a Authenticator-like number-producing second factor is. And maybe that’s because it’s not one thing?

Show threadGlyphDec 31, 2024
@mcc @whitequark @dalias "passkeys" don't (and shouldn't) care about your, or my, individualized preferences for credential management, except inasmuch as those are a proxy for meaningfully large populations whose change in behavior would result in a reduction in account compromise in aggregate. And while I have personal preferences around passkey management, this is the thing that I ultimately want from "passkeys" writ large too. Even if they make my workflows personally a bit worse in doing it
Show threadCassandrichJan 1, 2025

@glyph @mcc @whitequark It's my view that the "social problem of password reuse and account compromise" is a problem mostly for sites, not actual people, users, and trying to force users to change behavior & put themselves at risk of credential loss to solve it is hostile cost externalization.

Most compromised passwords are for garbage accounts people never wanted to have. They should have been offered ability to use service without account or with Craigslist style login.

Show thread✧✦Catherine✦✧Jan 1, 2025

@dalias @glyph @mcc don't a lot of people reuse passwords between "trash site nobody cares about" and "gmail with keys to their kingdon"? like this is how a bunch of high profile people got popped, afaik

i agree re: accounts being pointless, but also like... how would you enforce that? EU decree? no idea what else

Show threadClaudius LinkJan 1, 2025
@whitequark @dalias @glyph @mcc
Thank you all for this interesting thread
and sharing different perspectives
I learned a lot 🙏🏻
Show threadCassandrichJan 1, 2025
@whitequark @glyph @mcc One obvious mandate: to put a clear warning on the signup page: DO NOT GIVE US YOUR EMAIL PASSWORD.
Show thread✧✦Catherine✦✧Jan 1, 2025
@dalias @glyph @mcc the problem is that people ignore these things
Show threadCassandrichJan 1, 2025
@whitequark @glyph @mcc Yeah but there's only so much you can do. One other feature that would help on the browser/pw-manager integration side: tracking "important" site passwords and interrupting/warning you if you try to use the same password on another site.
Show threadKahanisJan 1, 2025
@whitequark @dalias @glyph @mcc Makes me wonder if it would be legal to attempt to log in to the provided email/password via imap, and if it succeeds - reject it and tell the user "no really, do not use your email password here".
Show threadCassandrichJan 1, 2025
@Kahanis @glyph @mcc @whitequark Almost surely not legal, but.. nice? 😁 If you did this you'd also need to submit compromised account report, which would probably lock the user out of their email...