@gracjan we have some work in progress around Passkey support, hopefully they will be supported for login in the next version
@renchap Do you mean 4.6 or 4.7? I’m glad it’s a possibility. Do you think this will be included with a beta on the Mastodon.online instance (like quote posts were here early) or will it be disabled until final release?
@gracjan 4.6, and yes it should be available on mastodon.online as soon as it is merged, we run the latest code on this server.
A first PR on this topic is here, to allow passkeys to be used as a 2nd factor without TOTP: https://github.com/mastodon/mastodon/pull/35811
Next we will need to enable them as a login method.
@rmondello That's what I would like, yes. And maybe one day being able to use a Passkey to create a passwordless account, but this has significant complexities.
I am the one pushing for this internally, but not everyone is convinced that Passkeys are a good thing to implement (mostly because they might lead to vendor lock-in), but I am trying to be persuasive, and at least ensure they are a working alternative for people who want to use them.
@renchap @gracjan The concern about passkeys leading to vendor lock-in is wildly important and legitimate. It’s important not just to me, but to the community that’s building out passkeys.
A group of folks in FIDO, where passkeys get standardized, have hashed out a data format for moving passkeys between credential managers: https://fidoalliance.org/specs/cx/cxf-v1.0-wd-20240522.html
Apple has *shipped* an API for apps to export passkeys to other apps: https://9to5mac.com/2025/07/12/passkey-portability-is-finally-here-in-ios-26-and-macos-tahoe-26/ — So far, I know that Bitwarden and Dashlane have adopted it. I have heard that 1Password and Google Password Manager are working on adoption.
I have heard that Android functionality is under development.
Password manager apps are working on browser extension to browser extension data transfer.
I also dedicated an important part of my recent keynote talk about making sure that people own their credentials. Here's a timestamp link to that part of the talk: https://youtu.be/otObbUSxcqs?si=y6RRupy1DaPx2-UW&t=1492 (Although I recommend folks who are passkey skeptics try watching the whole thing, because I think it does a good job explaining the “why” behind passkeys.)
This is a lot of text, but the point is: passkeys are not vendor lock-in. It’s not _completely_ done yet, but it is for sure happening. Not a single platform or credential manager I’ve spoken to is sitting this out.
@rmondello @renchap @gracjan Well, our passwords are in a KeePass database which is hosted on a NAS we own ourselves.
The mobile apps get the database using WebDAV. The netbook/laptops get it synchronised. And there are backup copies in online storage, also one place for which we should be able to remember the login.
So, I think I can say we own these credentials.
And the passwords? Well, some length I now thought to be sufficient, and where it's impossible to remember for any 'normal' person.
@rmondello @renchap @gracjan So passkeys are finally getting more vectors that enable phishing attacks? 🤔
@publicvoit @renchap @gracjan Nice try. Please watch my explanation that I sent to Renaud.
@rmondello @renchap @gracjan To my understanding, some implementations that allow migration of #passkeys to other accounts are prone to #Phishing.
https://arxiv.org/abs/2501.07380
"Another concern could be #socialengineering, where a user is tricked into sharing a passkey with an account controlled by an attacker." -> classic phishing, I'd say.
Convenience vs. #security, the usual trade-off.
According to that, roaming authenticators (classic #FIDO2 USB/NFC devices that are able to handle passkeys) are the only phishing-resistant method.
Still, Passkeys are much better than anything else (except FIDO2 HW tokens, of course) but it seems to be the case that the slogan that passkeys are 100% protecting against phishing isn't true any more.
What are your thoughts on that angle?
So good to hear this is making progress. It is the #1 reason by a huge margin why I don't recommend Passkeys to anyone today. The rest are really down to various corporate policy holdovers I haven't seen change much since I wrote this two years ago.
https://osma.medium.com/the-trouble-with-passkeys-64c791ef5620
@rmondello @renchap @gracjan
@renchap I hope it’ll be possible to fully get rid of both the password and TOTP after one adds a passkey. A password is not an asset for me — it’s a liability. If I have a passkey, I don’t need a password to be still available for use. I want a fully passwordless and phishing-resistant account.
Most websites don’t allow users to do this yet, but some do, and every site should eventually.