I am in IT but not this side and I must admit I do not grok this move... At all. I don't understand the risk to Benefit story. It seems (possibly incorrectly) to put all my eggs into one basket - whether phone (which annoys the heck out of me as it is NOT my primary device) or some cloudy account I'm supposed to trust with my life. It also seems to impose geographical dependencies (I want to check my email at my friend's but my phone is at home which is precisely why I want to use their computer etc). It also seems to bring terrifying consequences of losing some ethereal items nobody (regular) understands how to safekeep.
I feel like I'm an old grouch who wants things to stay the same... And that's kinda the case :-)
The device is not mandated to be a phone. A hardware passkey is also an option. You carry the keys to your home everywhere, don’t you? And you take good care of them? Why would carrying a webauthn-compliant hardware key be any different?
If you lose your keys, you can replace them pretty easily. The mental model for doing so is pretty simple and doesn't require contacting tens or hundreds of websites.
I'm pretty skeptical that passkeys are going to yield much benefit. Websites will still have to maintain a "recovery" flow for the reason above and this is already the weakest link a lot of the time.
Maybe think of the "recovery" flow as authentication itself and the passkey as a cache of the most recent valid check. Put your passkey manager under the same umbrella as your "recovery", or sync your passkeys through another service you trust.
Under this model, new authentication should pretty much always leave a paper trail, while passkey login could be more like the "remember me" cookie from the old days.
Sorry for the tangent, but has anyone ever heard anything about cross-device cookie synchronization?
At its core, WebAuthn is a way for a site to say "I want to authenticate" and the browser/device to say "OK, here are my credentials".
Nothing is stopping you from generating a private key from a password that you have in your head, and using that to authenticate to every site.
Obviously, if that password gets stolen, the thief can get into any of your accounts, but that's a choice you have to make. WebAuthn doesn't mandate a specific way of storing credentials.
> You carry the keys to your home everywhere, don’t you?
Perhaps most people do.
There are also quite a few people who lose those keys - perhaps through neglect or being stupid, perhaps through an accident or getting mugged.
Note that of those unfortunate people that lose their keys, very, very few of them lose their house and everything in it as well - there are many paths to normally quick recovery that would need to be replicated digitally.
I guess it's tricky because at work, a central secret store with permissions and some kind of audit trail is a good idea. At home some cloud backup / syncing should be done, but I don't think that replaces local backups and everything.
What's the issue here, people can't export backups of the passkeys?
> What's the issue here, people can't export backups of the passkeys?
Quite the opposite. You can, and are always advised to, have a second key as backup that you can keep in a secure location. So in the same way as you don't lose your home if you lose your home's keys, you don't lose your digital access if you have a backup passkey. There is a slight difference between the two scenarios as in the case of your home, you wouldn't lose it regardless of whether you have a backup key or not. But since you can easily have a backup passkey the difference is very small.
The difference is that normal people don't have 50-200 houses and don't have to toy with the main/backup keys for every single one of those + each time they add a new "house", which may be often.
I think the issue here is we don't understand how to.
I can, and do, backup and safeguard my KeePass database in ways many and various. I have a fairly robust system to backup "traditional stuff" - including sync to my local NAS, a monthly off-site exchange of external drives with my best friend, and a cloud sync.
I have NO clue how to backup my whatever this is keystore or database or whatever, in a way that I'll feel confident I can seamlessly resume my life. It all seems to be embedded in some cloudy or device-internal ethereal opaque invisible places that make my life super easy when they work and when I do predictable things, and make my life devastating when they don't work or I do unpredictable things. I'm literally and genuinely and actually scared of these changes - not for when they work well, which is apparently magical; but when they don't work well or I fall through system cracks through some unknown change or issue.
Passkey objects on macOS are encrypted at rest within the iCloud Keychain sqlite database in Library/Keychains/*/. It shouldn't be too hard to adapt the keychain extraction tools that exist.
I don't know why you would want to though. Since (1) passkeys will rarely be a required nonreissuable credential, and (2) losing access to iCloud Keychain is extremely improbable. For many users, showing ID to a phone store clerk is sufficient for iCloud recovery. For others, it's using their laptop, a recovery key, or a recovery contact.
> Passkey objects on macOS are encrypted at rest within the iCloud Keychain sqlite database in Library/Keychains/*/. It shouldn't be too hard to adapt the keychain extraction tools that exist.
Really? That sounds awful. So now everything is passwordless and tied to a single database that can be stolen?
I thought the whole point of passkey was to tie the login to a TPM, Secure Enclave, HSM, etc. managed key because that means the private key is in hardened, tamper proof storage that simply signs challenges.
Sorry, that's only speculation, since I haven't had more time to analyze the database. If you read Apple's passkey security document, it claims that passkeys are distributed identically across devices. And that you can recover the passkeys even in the event that all associated devices are lost. It's also possible to share passkeys at any time.
passkeys.com:
> When a user sets up a passkey, a key is generated and synchronized to the cloud. When the user connects from another device in the same ecosystem, it will use the same key.
WebAuthn supports verified attestations for hardware-backed authenticators. Passkeys seem to be designed for normal consumers, who worry about losing authenticator devices.
> showing ID to a phone store clerk is sufficient for iCloud recovery
Can you walk me through how that works? I don't know how Verizon, for instance, could get me that access. Or did you mean at an Apple store or something?
Basically: For some subset of iCloud Keychain users, SMS is used in combination with the lost device's passcode (or a user-chosen password) to recover the keychain. Since the device is lost, you re-issue the phone number with a carrier. I think 2FA or ADP may require another device or a recovery key, but my memory is hazy on this.
> You carry the keys to your home everywhere, don’t you?
Nope. If I don't need my car keys I don't carry my keys. I do tend to carry a small wallet and my phone but also carrying a separate hardware token routinely would actually be a pain for me.
Twice in college, where I needed to have a roommate let me in.
Once at my first home, where I climbed in through the bathroom window (this was a PITA - it was some 12 feet off the ground and just barely big enough to get through).
Once at my current home, where I just used the porch door that I literally never lock.
----
And I'm actually pretty good about not losing my things. But over a 20 year span, I would have been permanently locked out of digital accounts 4 times if you want to play this game.
For me, that's a complete non-starter. So recovery flows will HAVE to exist. At that point, we're right back to where we are now, where I'm much less worried that someone is going to crack the salt+hash of my password, and I'm much more worried that someone will call customer support and pretend to be me.
If you are homeless or your current housing is unstable or unsafe, what do you do? Not everyone has a safe place to keep physical objects. Homeless individuals already have communication issues because they usually don't have a reliable long term phone or phone number.
> Homeless individuals already have communication issues because they usually don't have a reliable long term phone or phone number.
And that locks them out of most email providers and online services, especially if their only source of internet access is a public library that "looks like a robot" because a lot of people use it simultaneously.
I have a bunch of copies of my house key, including one at a neighbor's house and one in a realtor-style lockbox in my back yard. If I somehow lose all of them, I can still call a locksmith who can re-key my locks for maybe $300ish. There is no conceivable circumstance in which losing my key(s), no matter how badly I mess up, even if I only had one copy and threw it in the ocean in a fit of rage, will permanently deny me entrance to my home.
> I make a hobby of defeating them at friends' houses. Takes a few minutes.
Fair and good warning, but I'm curious, how long would it take you to pick my front door lock instead? Are you saying those lockboxes are significantly easier to defeat than a standard front door lock? (I am genuinely curious! I imagine it could depend on both the particular brand/model of lockbox and door lock!)
(Plus I have bars on some basement and first-floor windows in places that aren't easily seen from the street so seem especially vulnerable, but not on all my windows; someone could always break a window instead. I do not live in a secure military facility.)
Most houses aren't all that burglar proof anyway. I personally really don't care about the quality of my locks, since they're installed on a glass door...
Previously, in Northern Europe, I had a condo where the door+lock manufacturers literally cautioned you that the fire department cannot force a quick entry in case of emergency. Think bolts on hinge side of door, etc.
> I feel like I'm an old grouch who wants things to stay the same...
It does seem like it. The things you mention aren't drawbacks of this technology, and this is par for the course for whenever I see discourse on WebAuthn. People just mention random fears that they have, the vast majority of which aren't true.
Sure, but "I don't understand" cannot reasonably be followed by "therefore I will inject my own fears into this". WebAuthn is just a way for a website to tell your device it needs to authenticate. It has nothing to do with a specific company, hardware or software, etc.
If you want, you can keep on using your existing password manager for WebAuthn, or use a password. The standard doesn't care.