As far as I know you can only get one of them under a microscope, which seems to support your view, but "mind-brain identity theory", positing that mind and brain are literally the same thing, is still a thing in philosophy though not quite the hot item it was 60 years ago.
You will need to define "successful" within the context of your question; only then you will get meaningful answers. Because there are lots of solo entrepreneurs who are successful as per their own definition of success which may or may not match with your definition.
It is an unwritten(?) convention that all depiction of time should be 10:10. Don't know why that is but I learnt about this convention when a political party[0] in India launched its symbol, an analog clock.
This reminds me of a conversation with a CEO of a US startup working on a Java hardware accelerator. They named their company JEDI, which was an acronym for the IP they had developed.
One day they received an email from Lucas Arts objecting to the use of the name JEDI :)
Startups, if successful, grow into bigger companies. But why do you think bigger tech (or non-tech) companies are not entangled in bureaucracy?
A government is far bigger and more complex than any big company. So there will be more slowdown compared to big companies.
One example of successful public-private partnership is India's "Digital India" initiative where the government was able to churn out platforms like Aadhaar, Unified Payment Interface and RuPay, with other platforms on the way for digital commerce for MSMEs.
Writing a mathematical proof is like writing code, compiling/interpreting (take your pick), debugging, fixing problems, and testing; all at the same time, and that too in real-time.
That is the reason more people find programming enjoyable but struggle with mathematical proof writing.
Why is there no discussion on users losing their private keys? Ask all those cryptocurrency users who lost their private keys. Now don't tell me that there are crypto wallets/vaults that manage private keys; there are many ways a key can be lost even when using wallets/vaults.
We engineers live in a different world, disconnected from the regular users who have no clue what public-private keys are!
The standard mantra for physical key-based 2FA has always been "register two keys and keep one in a safe", which seems doable for important accounts (like banks and government stuff) but no way am I going to get a key out of my safe when I want to order a replacement part on JoesDiscountDishwasherParts.biz. I really wish there was a way to register your backup key through your primary key.
Luckily, FIDO2 can fix a lot of these problems. People who don't have significant security needs can use a trusted service (currently Apple, Google, and a few small companies) rather than a physical device. Lose your phone? As long as you can get your account onto a new one, you can still access all of your stuff.
Once this type of auth takes off, I can imagine a business model for a FIDO2 company that focuses on customer service. The only problem with the system right now is that if you can't log in to your Apple/Google/whatever account, there's no recovery. Try contacting customer support and see how long it takes until they just block your number, because there is nothing they can do.
Having a business where you can go to a physical office and show up with ID so you can get your account back would solve this problem. Recovery would still be a massive pain, but it's better than spending years on a legal battle like some people trying to get their pictures back from their cloud providers after getting locked out.
> Luckily, FIDO2 can fix a lot of these problems. People who don't have significant security needs can use a trusted service (currently Apple, Google, and a few small companies) rather than a physical device.
And from the article:
> “If I'm Google implementing passkeys, I cede a lot of control to Apple if my user is on an Apple device, I cede a lot of control to Microsoft if the user is on a Windows device, I cede a lot of UX control to Android and browsers,”
To me it sounds like Google, Microsoft, Apple, etc. seizing the last bits of control away from the average person. Everyone will be absolutely beholden to a few big tech companies. Using a fake name or birthday on accounts will be unthinkable because a locked account will mean losing access to your life and the only way to get it back will be to verify your identity which better match the info you provided initially.
We used to have outrage over things like using real names and now we've somehow fallen to the point where everyone is going to mindlessly accept a scheme that could easily morph into verified identities managed by private companies. Participating online will require a verified identity and everything you do will be mapped back to it.
> Having a business where you can go to a physical office and show up with ID so you can get your account back would solve this problem.
I've wanted something similar, combined with a tree approach to account recovery where the effort for recovery can vary depending on the importance of the account.
Say I lose access to my McDonald's account. That's not a very important account. It just contains some reward points that would get me some discounts at McDonald's. That account would be a leaf on the recovery tree. Its parent node would be my email account, currently at Fastmail. Recovery of my McDonald's account would just require responding to a recovery email McDonald's would send to my email.
My email account is much more important. Its parent node would be my domain name, currently registered at Namecheap. Recovery of my email account at Fastmail would involve demonstrating to Fastmail that I control my email domain.
My domain name is so important, since it is in the ultimate recovery path for so many descendant nodes, it would probably have at least two parent nodes (I didn't say anything about the tree having to be a binary tree).
They would be businesses that can verify my ID in person using government documents like my passport, and provide a way for me to prove that identity to third parties.
Banks would be good candidates to run such a business. Post offices would also be good candidates.
The protocol between the root verifiers and their direct child nodes could be a zero knowledge protocol so that the child node doesn't get your real identity and the root verifier doesn't know who the child node is. All the root needs to learn is that you are being verified for some site, and all the site needs to learn is that you are the same person who set up the account.
Such a zero knowledge protocol could also be good for age verification, which more and more jurisdictions are requiring from some sites. With such a protocol between the age verifiers and the sites you could have age verification without giving up anonymous accounts.
> My domain name is so important, since it is in the ultimate recovery path for so many descendant nodes, it would probably have at least two parent nodes (I didn't say anything about the tree having to be a binary tree).
If your domain name can have multiple descendant nodes and multiple parent nodes, is that still a tree?
Probably not. I should have said directed acyclic graph.
Actually I guess it doesn't even have to be acyclic. You just need a directed graph that has a non-empty set R of nodes such that (1) nodes in R do not have incoming edges, and (2) every node that has an incoming edge can be reached by some path that starts in R.
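The recovery graph from this sub-thread, checked against conditions (1) and (2) above, as an added example that is not part of any commenter's post. It assumes an edge `(parent, child)` means "parent can recover child"; the function names and the `bank`/`post_office` root verifiers are illustrative labels, and all sample graphs are constructed.

```python
from collections import deque


def _index(edges):
    """Build adjacency, the set of nodes with incoming edges, and the root set R."""
    nodes = {n for edge in edges for n in edge}
    children = {}
    for parent, child in edges:
        children.setdefault(parent, set()).add(child)
    has_incoming = {child for _, child in edges}
    # Taking R as *all* nodes without incoming edges is the most generous
    # choice: if any valid R exists, this one is valid too.
    roots = nodes - has_incoming
    return children, has_incoming, roots


def _reachable(children, starts, blocked=frozenset()):
    """Breadth-first search from `starts`, never entering a blocked node."""
    seen = set(starts) - set(blocked)
    queue = deque(seen)
    while queue:
        node = queue.popleft()
        for child in children.get(node, ()):
            if child not in seen and child not in blocked:
                seen.add(child)
                queue.append(child)
    return seen


def analyse(edges):
    """Check the two conditions: R is non-empty, and every node with an
    incoming edge is reachable from R. Cycles are allowed."""
    children, has_incoming, roots = _index(edges)
    stranded = has_incoming - _reachable(children, roots)
    return {"roots": roots, "stranded": stranded,
            "valid": bool(roots) and not stranded}


def stranded_without(edges, lost):
    """Accounts that can no longer be recovered if `lost` is unavailable
    (a verifier closes, a registrar account is locked, ...)."""
    children, has_incoming, roots = _index(edges)
    reach = _reachable(children, roots, blocked={lost})
    return (has_incoming - reach) - {lost}


# Constructed graph following the comment: two in-person ID verifiers
# recover the domain, the domain recovers email, email recovers a leaf account.
EXAMPLE = [
    ("bank", "domain"),
    ("post_office", "domain"),
    ("domain", "email"),
    ("email", "mcdonalds"),
]

# A cycle that hangs off the rooted part is fine: email <-> phone.
WITH_CYCLE = EXAMPLE + [("email", "phone"), ("phone", "email")]

# A cycle with no path from any root is a lockout loop: each account's only
# recovery option is the other account.
LOCKOUT_LOOP = EXAMPLE + [("chat", "photos"), ("photos", "chat")]

if __name__ == "__main__":
    for name, graph in [("example", EXAMPLE), ("with cycle", WITH_CYCLE),
                        ("lockout loop", LOCKOUT_LOOP)]:
        print(name, analyse(graph))
    print("lose bank   ->", stranded_without(EXAMPLE, "bank"))
    print("lose domain ->", stranded_without(EXAMPLE, "domain"))
```

Losing one root verifier strands nothing because the domain has two parents, while losing the domain strands everything below it.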
From what I can understand from the Wikipedia page for the graph theory trees https://en.wikipedia.org/wiki/Tree_(graph_theory), what I'm used to calling trees ("computer science trees"?) are rooted trees, and what you described could be called a tree.
Which kind of makes sense, because a tree has stuff that branches out at the top (the branches) and at the bottom (the roots). The trunk has multiple parents and multiple children.
Definitions aside, I like your idea a lot. I feel like it's one of the few propositions that recognizes how important proving your identity already is, and how it will only become more important. The system is flexible and makes sense. It's the kind of thing that I think most people could understand, and thus use.
Wait - the way this works is you have a backup key, if you lose your primary you replace it using your backup. NB this is only needed when you move to a new device with a new secure enclave too, so at no point is this pizza situation likely.
I have to admit that I don't own a hardware security key. But since those let you use public key cryptography to log in, you could at least theoretically use the same public key for multiple services. Whether the FIDO2 protocol lets you do that or not, I admit I don't know.
The keys are baked in to the devices and are tamper proof. So two devices means you have two different public keys.
I use YubiKeys for accounts I consider important and they're a pretty huge hassle compared to a password manager. I'm also scared to get rid of any of the old ones I've got just in case they're linked to an account I forgot about.
It’s possible, at least for GPG. I’m not sure about WebAuthn. Regardless, generating the key right on the device is the most secure way of doing it.
It’s also hard to manage keys you’re loading yourself. Once I loaded a private key onto my YubiKey and accidentally failed to back up the private key because I used the wrong syntax when I exported it. I didn’t even realize until I got a new YubiKey and went to load my GPG keys onto it. I was only using it for signing, so it wasn’t a huge deal, but if I’d been using it for encryption / decryption it would have been a disaster.
It doesn’t, which would make disaster recovery a huge pain. You would have to register your backup key for every account you have.
The Apple/google “passkey” approach lets you use WebAuthn while having encrypted, cloud stored, private key escrow. It is much more convenient. Obviously with the downsides that implies.
I am in IT but not this side and I must admit I do not grok this move... At all. I don't understand the risk-to-benefit story. It seems (possibly incorrectly) to put all my eggs into one basket - whether phone (which annoys the heck out of me as it is NOT my primary device) or some cloudy account I'm supposed to trust with my life. It also seems to impose geographical dependencies (I want to check my email at my friend's but my phone is at home which is precisely why I want to use their computer etc). It also seems to bring terrifying consequences of losing some ethereal items nobody (regular) understands how to safekeep.
I feel like I'm an old grouch who wants things to stay the same... And that's kinda the case :-)
The device is not mandated to be a phone. A hardware passkey is also an option. You carry the keys to your home everywhere, don’t you? And you take good care of them? Why would carrying a webauthn-compliant hardware key be any different?
If you lose your keys, you can replace them pretty easily. The mental model for doing so is pretty simple and doesn't require contacting tens or hundreds of websites.
I'm pretty skeptical that passkeys are going to yield much benefit. Websites will still have to maintain a "recovery" flow for the reason above and this is already the weakest link a lot of the time.
Maybe think of the "recovery" flow as authentication itself and the passkey as a cache of the most recent valid check. Put your passkey manager under the same umbrella as your "recovery", or sync your passkeys through another service you trust.
Under this model, new authentication pretty much should always leave a paper trail, while passkey login could be more like the "remember me" cookie from the old days.
Sorry for the tangent, but has anyone ever heard anything about cross-device cookie synchronization?
In its core, WebAuthn is a way for a site to say "I want to authenticate" and the browser/device to say "OK, here are my credentials".
Nothing is stopping you from generating a private key from a password that you have in your head, and using that to authenticate to every site.
Obviously, if that password gets stolen, the thief can get into any of your accounts, but that's a choice you have to make. WebAuthn doesn't mandate a specific way of storing credentials.
> You carry the keys to your home everywhere, don’t you?
Perhaps most people do.
There's also quite a few people that lose those keys - perhaps through neglect or being stupid, perhaps through an accident or getting mugged.
Note that of those unfortunate people that lose their keys, very, very few of them lose their house and everything in it as well - there's many paths to normally quick recovery that would need to be replicated digitally.
I guess it's tricky because at work, a central secret store with permissions and some kind of audit trail is a good idea. At home some cloud backup / syncing should be done, but I don't think that replaces local backups and everything.
What's the issue here, people can't export backups of the passkeys?
> What's the issue here, people can't export backups of the passkeys?
Quite the opposite. You can, and are always advised to, have a second key as backup that you can keep in a secure location. So in the same way as you don't lose your home if you lose your home's keys, you don't lose your digital access if you have a backup passkey. There is a slight difference between the two scenarios as in the case of your home, you wouldn't lose it regardless of whether you have a backup key or not. But since you can easily have a backup passkey the difference is very small.
The difference is that normal people don't have 50-200 houses and don't have to toy with the main/backup keys for every single one of those + each time they add a new "house", which may be often.
I think the issue here is we don't understand how to.
I can, and do, back up and safeguard my KeePass database in ways many and various. I have a fairly robust system to back up "traditional stuff" - including sync to my local NAS, a monthly off-site exchange of external drives with my best friend, and a cloud sync.
I have NO clue how to back up my whatever this is keystore or database or whatever, in a way that I'll feel confident I can seamlessly resume my life. It all seems to be embedded in some cloudy or device-internal ethereal opaque invisible places that make my life super easy when they work and when I do predictable things, and make my life devastating when they don't work or I do unpredictable things. I'm literally and genuinely and actually scared of these changes - not for when they work well, which is apparently magical; but when they don't work well or I fall through system cracks through some unknown change or issue.
Passkey objects on macOS are encrypted at rest within the iCloud Keychain sqlite database in Library/Keychains/*/. It shouldn't be too hard to adapt the keychain extraction tools that exist.
I don't know why you would want to though. Since (1) passkeys will rarely be a required nonreissuable credential, and (2) losing access to iCloud Keychain is extremely improbable. For many users, showing ID to a phone store clerk is sufficient for iCloud recovery. For others, it's using their laptop, a recovery key, or a recovery contact.
> Passkey objects on macOS are encrypted at rest within the iCloud Keychain sqlite database in Library/Keychains/*/. It shouldn't be too hard to adapt the keychain extraction tools that exist.
Really? That sounds awful. So now everything is passwordless and tied to a single database that can be stolen?
I thought the whole point of passkey was to tie the login to a TPM, Secure Enclave, HSM, etc. managed key because that means the private key is in hardened, tamper proof storage that simply signs challenges.
Sorry, that's only speculation, since I haven't had more time to analyze the database. If you read Apple's passkey security document, it claims that passkeys are distributed identically across devices. And that you can recover the passkeys even in the event that all associated devices are lost. It's also possible to share passkeys at any time.
passkeys.com:
> When a user sets up a passkey, a key is generated and synchronized to the cloud. When the user connects from another device in the same ecosystem, it will use the same key.
WebAuthn supports verified attestations for hardware-backed authenticators. Passkeys seem to be designed for normal consumers, who worry about losing authenticator devices.
> showing ID to a phone store clerk is sufficient for iCloud recovery
Can you walk me through how that works? I don't know how Verizon, for instance, could get me that access. Or did you mean at an Apple store or something?
Basically: For some subset of iCloud Keychain users, SMS is used in combination with the lost device's passcode (or a user-chosen password) to recover the keychain. Since the device is lost, you re-issue the phone number with a carrier. I think 2FA or ADP may require another device or a recovery key, but my memory is hazy on this.
> You carry the keys to your home everywhere, don’t you?
Nope. If I don't need my car keys I don't carry my keys. I do tend to carry a small wallet and my phone but also carrying a separate hardware token routinely would actually be a pain for me.
Twice in college, where I needed to have a roommate let me in.
Once at my first home, where I climbed in through the bathroom window (this was a PITA - it was some 12 feet off the ground and just barely big enough to get through).
Once at my current home, where I just used the porch door that I literally never lock.
----
And I'm actually pretty good about not losing my things. But over a 20 year span, I would have been permanently locked out of digital accounts 4 times if you want to play this game.
For me, that's a complete non-starter. So recovery flows will HAVE to exist. At that point, we're right back to where we are now, where I'm much less worried that someone is going to crack the salt+hash of my password, and I'm much more worried that someone will call customer support and pretend to be me.
If you are homeless or your current housing is unstable or unsafe what do you do? Not everyone has a safe place to keep physical objects. Homeless individuals already have communication issues because they usually don't have a reliable long term phone or phone number.
> Homeless individuals already have communication issues because they usually don't have a reliable long term phone or phone number.
And that locks them out of most email providers and online services, especially if their only source of internet access is a public library that "looks like a robot" because a lot of people use it simultaneously.
I have a bunch of copies of my house key, including one at a neighbor's house and one in a realtor-style lockbox in my back yard. If I somehow lose all of them, I can still call a locksmith who can re-key my locks for maybe $300ish. There is no conceivable circumstance in which losing my key(s), no matter how badly I mess up, even if I only had one copy and threw it in the ocean in a fit of rage, will permanently deny me entrance to my home.
> I make a hobby of defeating them at friends' houses. Takes a few minutes.
Fair and good warning, but I'm curious, how long would it take you to pick my front door lock instead? Are you saying those lockboxes are significantly easier to defeat than a standard front door lock? (I am genuinely curious! I imagine it could depend on both the particular brand/model of lockbox and door lock!)
(Plus I have bars on some basement and first-floor windows in places that aren't easily seen from the street so seem especially vulnerable, but not on all my windows, someone could always break a window instead. I do not live in a secure military facility).
Most houses aren't all that burglar proof anyway. I personally really don't care about the quality of my locks, since they're installed on a glass door...
Previously, in Northern Europe, I had a condo where the door+lock manufacturers literally cautioned you that the fire department cannot force a quick entry in case of emergency. Think bolts on hinge side of door, etc.
> I feel like I'm an old grouch who wants things to stay the same...
It does seem like it. The things you mention aren't drawbacks of this technology, and this is par for the course for whenever I see discourse on WebAuthn. People just mention random fears that they have, the vast majority of which aren't true.
Sure, but "I don't understand" cannot reasonably be followed by "therefore I will inject my own fears into this". WebAuthn is just a way for a website to tell your device it needs to authenticate. It has nothing to do with a specific company, hardware or software, etc.
If you want, you can keep on using your existing password manager for WebAuthn, or use a password. The standard doesn't care.
Passkey is a concept that even the majority of tech enthusiasts seem not to have grokked as of today. The thing that Google/Apple have brought to the table is cloud backup of your private keys (yes, you should have lots of questions about how that is managed). This should enable disaster recovery/device transition for people using a phone as one of their passkeys. You’d probably add a fingerprint from your laptop for convenience, and if that laptop is all you have then no disaster recovery for you.
However, to be fair, if people have one of something it’s going to be a phone. If you use Google or Android, then those keys are backed up into the cloud “securely”. Those keys are also “secured” on the device. Not as good as HSM, but if you dig into the details it’s probably much more solid than you’d expect.
> The thing that Google/Apple have brought to the table is cloud backup of your private keys (yes, you should have lots of questions about how that is managed).
Absolutely. I keep my BitLocker keys in my Microsoft account because it's a simple solution that provides good enough security for me. If someone wants access to my data they have to get the key and my disk. I understand it and I'm satisfied with how it works.
With passkeys, having a cloud backup doesn't even make sense to me. If I'm using a YubiKey or a TPM, the private key can't be extracted to back it up, so what do they back up? Do I have to opt in to a weaker system to get cloud backups?
At the very least, I should be able to designate trusted parties (parents, siblings, kids) where at least one of them has to approve the recovery of a cloud backup. Microsoft, Google, etc. shouldn't be able to access it at all. I trust my family, not big tech.
Should you trust Apple? Is this secure enough if a password can still be used that recovers all these keys?
Ultimately there is always a convenience/security trade-off. The “passkey” concept has it right for the 99% of users case (in my opinion). For that 1%, it’s still WebAuthn, so nothing stops you from using a Yubikey with a second safe-held Yubikey for disaster recovery.
I’m guessing that means there’s some kind of key derivation happening which means it’s super similar to modern password managers IMO. I realize there are some benefits, but in a password based world I can memorize my highest value passwords and salt others with a common password.
I don’t see the value in making such a big change for such little gain.
I have always maintained that 3rd party password managers were a bad idea because now you've got three parties heavily involved instead of two.
For most, this is that but worse -- you essentially have three parties, and the least savvy is the one with the most to lose (maybe the ONLY one with something to lose) -- and is now the one with even less understanding and control.
Across the board, getting rid of passwords is a stupid idea. I get that what we have now isn't great, but this is way worse; I am certain this fails repeatedly and badly, unless we do the thing we haven't yet done, which is real cost/penalty/liability for the 3rd parties who get it wrong.
A web password is effectively a private secret, that can be used, for example, to derive an ECC keypair, but this secret is passed around in plain text between your device and the target site or service. It might be encrypted on the wire, but it must be known by both.
So any system that replaces web auth passwords is, worst case, just as bad as a password from a key-ownership perspective. Such a system also has the potential to be much better than a password, for example your auth secret is only entered on a secure keyboard (thumb reader, etc.) and used locally on a device you own, which then handles all auth tasks.
The question is how do you recover it when you lose it?
For a password I just click the “I forgot my password” link, I get an email with a link to click, and my account is recovered within minutes. I have recovered 15 year old accounts this way.
If you can’t do that with passkeys, then the system is doomed to failure because people lose their credentials and devices all the time.
You authenticate to a cloud escrow provider using any of your account's other associated devices. If you have none, because Yellowstone erupted while you were away, and someone also yoinked your phone in the ensuing chaos, then you input either (A) your device's passcode and an SMS code, or (B) a recovery key. If you have neither, then you use an established recovery contact. If those steps didn't work, then it's not too late to visit Wyoming.
Surely a system where you have a single point of trust and key backup is better than the current mess of using a single password on multiple sites, like most people do.
And no, the solution to that is not security education, people don't change and a system that expects behavioral changes without enforcing them is simply an insecure design. The truth of the matter is that passwords are insecure and problematic for the vast majority of non-technical people.
I run a company that cracks passwords for people that have lost the passwords to their crypto wallets.
Since the early days in Bitcoin people have been talking about backing up their private keys, and the methods of doing that have become simpler and simpler. Yet we talk to people every day that didn't realize that they can't just "contact Bitcoin" and ask them to reset their password.
Some platforms for creating "secure" backups of wallets apparently had back doors built in (BitcoinPaperWallet dot com I'm looking at you!)
A non-trivial portion of the population (based on my personal experience) is struggling with mental health issues and true analytical weaknesses that make it really hard for them to understand what's happening, or correctly recall what did happen.
Is all of that really compatible with moving secrets into the background (instead of remembering passwords)?
> Why is there no discussion on users losing their private keys?
I think that's best handled through some iteration: We don't need to flip a switch and make the whole world change to this system overnight. Instead, we could roll it out in managed environments, like companies and schools with IT departments.
I suspect that, for consumers, something like a (the horror!) government agency could handle this. Or a bank. Or your ISP. Or your phone service provider. Or the AAA (who handles passport and license renewals in the US.)
Cryptocurrencies are a spectacularly bad counterexample. If password-derived private keys had ever become commonplace, the ensuing theft would have absolutely dwarfed the losses from lost wallet keys. I'm not sure if there's even a comparable instance of successful widespread public-key cryptography adoption.