Post · bonfire.cafe

RE: https://mastodon.scot/@benh/116544719470523258

When I use the word “passkey”, I am *never* referring to a credential stored on a hardware security key, because the user experience of something saved, synced, and resilient to device loss is fundamentally different from the experience of using hardware security keys. (You better have more than one and never lose them!)

If your threat model means that you cannot trust a cloud provider, achieving phishing-resistant online account authentication takes a lot more effort.

Brandon Bennett

@nemith@hachyderm.io · 1 hour ago

@rmondello the problem with cloud providers isn’t a security threat but one of longevity and intentions of the cloud model. Business going out of business or change their buisness plans. It isn’t 2010 and we aren’t still pretending that big tech has our best interests at heart for the long term

The question is more fundamental to the survival of passkeys and I think is a huge hurdle. Even if it is for the uber geeks and not for the moms and pops.

Portability and self hosting is required.

Nils Goroll 🕊️:varnishcache:

@slink@fosstodon.org · 1 hour ago

@rmondello this is my main criticism of passkeys: used with this model, you don't own them, and instead of websites leaking millions of passwords, we now need to worry about vault providers leaking millions of passkeys.

Royce Williams

@tychotithonus@infosec.exchange · 8 hours ago

@rmondello No true disagreement - resilience to physical loss was the big thing missing from physical security keys.

I admit I'm biased but we may have to haggle a little about how much effort is "a lot", vs how a bit of effort could have a big payoff.

Don't get me wrong -- the effort really starts to ramp up when trying to use physical keys for everything, with all of the crazy overhead and tracking required to manage which keys were used with which sites, etc. Passkeys are the big win at volume.

But it can be quite manageable to selectively using N physical keys to protect just one or two critical credentials -- like email / identity. And people can handle the mental model analogy of spare house / car keys (with a "much harder to call a locksmith" rider).

So a sweet spot for a non-trivial number of users might be "three physical keys for your Apple/Google account, and passkeys for everything else".