
Misconceptions about passkeys #363

Open
timcappalli opened this issue Apr 27, 2024 · 4 comments

Comments

@timcappalli
Member

timcappalli commented Apr 27, 2024

This issue is to aggregate misconceptions about passkeys which will be turned into a new page on passkeys.dev.

Original call for comments is here: https://www.linkedin.com/posts/timcappalli_passkeys-activity-7190040234418425856-iZIM

@TomCJones

TomCJones commented Apr 27, 2024

Passkey code requires approval by FIDO before it can be trusted by browsers or relying parties (i.e. this is still FIDO and requires approval from FIDO).

@timcappalli
Member Author

From LinkedIn: https://www.linkedin.com/feed/update/urn:li:activity:7190040234418425856?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A7190040234418425856%2C7190049626404626433%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287190049626404626433%2Curn%3Ali%3Aactivity%3A7190040234418425856%29

I want to know the underlying reasons why organizations like Google, Microsoft, and Apple would be supportive of this ‘ecosystem’. Yes, I’m conspiratorial, mistrusting, and downright skeptical of their motives... I would also need to know what safeguards are in place to ensure no government access is technically feasible. I demand paper warrants and no digital passkeys being transferred to law enforcement.


@mimi89999

I believe that one of the primary concerns is vendor lock-in. It's not just a theoretical one. There don't seem to be any clear migration paths between keychains/vaults/password managers. It also doesn't seem easy to sync them between various OSes. Like, what should I use if I have an iPhone and a Windows PC, or an Android phone and a Linux PC with Firefox? Use a third-party passkey manager? Sure, but that's only supported on Android >= 14, and that's just 10% of Android devices.

Another concern is the unclear threat model that UV is trying to protect against. Is the threat a user leaving their PC unlocked? Even if UV is required to use the passkey, an attacker could just export the database. Should that require UV too? Most personal devices have only one account, which might not require entering a password to gain admin/root access. An attacker could just dump the memory in that case. Should the password manager check whether UAC/sudo requires a password and refuse to run if it doesn't? What about the case where an attacker just deploys a RAT on the device?

@TomCJones

TomCJones commented Apr 27, 2024

FIDO requires secure origin binding and TLS. But that is not accessible to all password managers, so a man-in-the-middle attack only requires spoofing the origin to be part of the origin used for the key. (In other words, the FIDO binding does not seem to apply to what happens in the xxx-manager unless the xxx-manager is fully integrated into a browser that is FIDO compliant.)
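The two technical points raised above, the UV flag that mimi89999 asks about and the origin binding that TomCJones describes, are both things a relying party verifies on every assertion rather than something a credential manager enforces. The following is an added example, not code from passkeys.dev or from any commenter, showing the relying-party side of those checks over the standard WebAuthn `clientDataJSON` and `authenticatorData` structures: the reported origin must be in the RP's allow-list, the `rpIdHash` must match the RP ID, and the UP/UV flag bits are read from the flags byte. Signature verification over the assertion is deliberately left out so the example runs with only the standard library; the sample assertion is constructed in-line and the origins, RP ID and challenge bytes are placeholders, not values from the thread.

```python
import base64
import hashlib
import hmac
import json

# Bits of the WebAuthn authenticatorData "flags" byte (WebAuthn Level 2, section 6.1)
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Re-add the padding that WebAuthn's base64url encoding strips
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_client_data(client_data_json: bytes, expected_challenge: bytes,
                       allowed_origins: set[str]) -> dict:
    """Origin binding: the origin the client reports must be one this RP serves.
    The challenge check ties the assertion to this specific login attempt."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        raise ValueError("unexpected clientData type")
    if not hmac.compare_digest(b64url_decode(data.get("challenge", "")), expected_challenge):
        raise ValueError("challenge mismatch: replayed or foreign assertion")
    origin = data.get("origin")
    if origin not in allowed_origins:
        raise ValueError(f"origin {origin!r} is not an allowed origin for this RP")
    return data


def verify_auth_data(auth_data: bytes, rp_id: str, require_uv: bool) -> dict:
    """Parse rpIdHash (32 bytes), flags (1 byte) and signCount (4 bytes, big-endian)
    and apply the RP's user-verification policy."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    expected_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    if not hmac.compare_digest(auth_data[:32], expected_hash):
        raise ValueError("rpIdHash does not match this RP ID")
    flags = auth_data[32]
    if not flags & FLAG_UP:
        raise ValueError("user presence flag not set")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("policy requires user verification but UV flag is not set")
    return {
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": int.from_bytes(auth_data[33:37], "big"),
    }


def check_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                    allowed_origins: set[str], rp_id: str, require_uv: bool = True) -> dict:
    """Combined RP-side checks (signature verification intentionally omitted here)."""
    client = verify_client_data(client_data_json, expected_challenge, allowed_origins)
    auth = verify_auth_data(auth_data, rp_id, require_uv)
    return {"origin": client["origin"], **auth}


def make_sample_assertion(origin: str, challenge: bytes, rp_id: str,
                          flags: int, sign_count: int) -> tuple[bytes, bytes]:
    """Constructed sample for testing; no real authenticator is involved."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode("utf-8")
    auth_data = (hashlib.sha256(rp_id.encode("utf-8")).digest()
                 + bytes([flags]) + sign_count.to_bytes(4, "big"))
    return client_data, auth_data


if __name__ == "__main__":
    # Placeholder RP values, not from the thread
    challenge = b"\x01" * 32
    cd, ad = make_sample_assertion("https://example.com", challenge, "example.com",
                                   FLAG_UP | FLAG_UV, 7)
    print(check_assertion(cd, ad, challenge, {"https://example.com"}, "example.com"))
```

The point for the thread: whether a passkey lives in a platform keychain or a third-party manager, the relying party still decides what origins it accepts and whether it insists on UV, and an assertion whose `origin` field names a lookalike host or whose flags byte lacks UV is rejected at the server regardless of what the manager did locally.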
