I vibe with this. Does anyone have any examples of where and how any vendor’s dialogs around passkeys might lead people astray? The more feedback, the better.
https://infosec.exchange/@adamshostack/113743707996398149
Adam Shostack (@[email protected])

@[email protected] I think the biggest thing is to (a) ensure dialogs are clear about what software is presenting them (b) where it plans to store the key and (c) letting people configure what their preference is for passkey management. Err, “things are”


@rmondello I think we need something like arewepasskeyyet.org :'D
There are various papercuts still, which is why I can seldom use Passkeys, even if I'd like to:

# Per OS

macOS and iOS are quite neat here, both providing not only integrated passkey management but also an API for 3rd-party managers to hook into; similar situation on Android. Windows I don't use, but AFAIK it is getting there. Linux currently provides none, but this is in active development. This means, however, that at least on Linux I need to use the built-in passkey manager or a browser extension, which is kinda meh.

# Per Browser

Which leads us to browsers, which probably have the best support (but also the least to do). Chrome/Firefox can both use the system's API (if it exists); Chrome can also natively store passkeys.

1/x

@rmondello

# Per-Password Manager

This is already getting a lot worse. We don't have passkey transfer (yet), so people are hesitant to look into something or switch to a different keychain provider even if it supports better integration (e.g., Apple Passwords). And many password managers (1Password, Bitwarden) don't use the system's APIs even if they exist (e.g., on macOS), so you still fall back to browser extensions. This has its own issues, e.g., NMH to unlock both at the same time etc., but also conflicts if you use multiple (if you are part of different organizations): with Bitwarden and Dashlane installed in Chrome on macOS, I cannot store any passkeys in Bitwarden anymore.

In addition, the better-integrated password managers (Chrome/Android/Google and Apple) don't have enough platform coverage: you obviously cannot use Chrome passwords in Firefox, nor can you use Apple passwords there, nor on Linux.

2/3

@rmondello

# Per Site

This is the worst, honestly. Many sites require TOTP even when using Passkeys. Or use them as 2FA after a password. Or ask you to plug in a hardware security key. Also, the UX here is often unpolished or very restrictive. Ideally, the UX should convey that Passkeys are a replacement for password+TOTP. But you should also, IMHO, be able to use physical security keys as a second factor *even* if using Passkeys, if you wish to do so (I'd like to do that for some highly critical stuff such as my password manager).
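The "per site" complaint above is ultimately a relying-party policy question: a passkey assertion already tells the site whether the authenticator performed user verification (PIN/biometric) and whether the credential is syncable, so the site can decide on its own whether a passkey counts as password+TOTP and whether a user who opted in to hardware-bound credentials for a critical account is satisfied. The following is an added example, not code from the thread or from any vendor named in it: it parses the WebAuthn authenticator-data flags byte and applies such a policy. The `requireHardwareBound` policy field, the `evaluateAssertion` decision strings and the sample authenticator data are this example's own constructions; the flag bit positions are from the WebAuthn spec (BE/BS were added in Level 3). Signature, challenge, origin and credential-ID verification are out of scope here and must still be done by a real relying party.

```javascript
// WebAuthn authenticatorData layout:
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
//   | optional attestedCredentialData | optional extensions
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified: PIN or biometric was checked locally
const FLAG_BE = 0x08; // backup eligible: credential may be synced (Level 3)
const FLAG_BS = 0x10; // backup state: credential is currently backed up (Level 3)
const FLAG_AT = 0x40; // attested credential data follows (registration only)
const FLAG_ED = 0x80; // extension data follows

function parseAuthenticatorData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const flags = authData[32];
  const signCount = new DataView(authData.buffer, authData.byteOffset + 33, 4)
    .getUint32(0, false);
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0,
    backedUp: (flags & FLAG_BS) !== 0,
    hasAttestedCredential: (flags & FLAG_AT) !== 0,
    hasExtensions: (flags & FLAG_ED) !== 0,
    signCount,
  };
}

// Hypothetical per-account policy (this example's own shape):
//   requireHardwareBound: the user opted in to "only non-syncable credentials"
//   for this account, e.g. a security key for their password-manager login.
function evaluateAssertion(parsed, policy = {}) {
  if (!parsed.userPresent) {
    return { decision: "reject", reason: "UP flag not set" };
  }
  if (!parsed.userVerified) {
    // Possession only: the passkey is a single factor here, so the site
    // still needs a second factor rather than treating it as MFA.
    return { decision: "needs-second-factor", reason: "UV flag not set" };
  }
  if (policy.requireHardwareBound && parsed.backupEligible) {
    return {
      decision: "needs-second-factor",
      reason: "credential is backup-eligible (synced); policy wants a hardware-bound one",
    };
  }
  // Possession of the private key plus local user verification is two
  // factors, so no password or TOTP prompt is needed on top of it.
  return { decision: "accept", reason: "UV passkey satisfies password+2FA" };
}

// Constructed sample data: 32 zero bytes stand in for SHA-256(rpId).
function buildSampleAuthData(flags, signCount) {
  const out = new Uint8Array(37);
  out[32] = flags;
  new DataView(out.buffer).setUint32(33, signCount, false);
  return out;
}

// Demo: a synced platform passkey vs. a credential that reports no backup eligibility.
const synced = parseAuthenticatorData(buildSampleAuthData(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0));
const hwKey = parseAuthenticatorData(buildSampleAuthData(FLAG_UP | FLAG_UV, 17));
console.log(evaluateAssertion(synced));
console.log(evaluateAssertion(synced, { requireHardwareBound: true }));
console.log(evaluateAssertion(hwKey, { requireHardwareBound: true }));
```

Caveat: the BE/BS bits are asserted by the authenticator itself, so a relying party that wants a strong guarantee of hardware binding should pair this check with attestation at registration time rather than trust the flags alone; the flags are still the right signal for deciding whether to stop asking for TOTP after a UV passkey.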