
fishywang | 1 year ago

> exposing yourself to the mercy of a single organization

The nice thing about passkeys is that, unlike passwords, you can have multiple per account.

So you can register a passkey from 1password to website A, and also register a passkey from Apple keychain to website A, and also register a passkey from Google account to website A, and also register a passkey from yubikey to website A, so even if you are locked out from one of your accounts, you still have several other ways to log into your account at website A.

And _if_ your, say, Apple keychain is compromised, you can just revoke the passkeys from your Apple keychain from all the websites (yes it's tedious, but it's doable).


efitz|1 year ago

Having to have multiple passkeys per site to circumvent vendor identity lock-in is one of the main problems with passkeys.

theamk|1 year ago

Even if it's possible technically, I don't think it's very practical, as UX is very heavily directed towards a single passkey provider. I can imagine doing this for one or two most important websites, but not for each of the dozens (hundreds?) of websites users have registrations on.

tzs|1 year ago

It's not actually all that bad. I went through today and added passkeys for all the sites I use that support them, and for most it went like this.

1. I login to the site using my password, supplied by my password manager (1Password).

2. I go to the site's security settings and find their passkey settings. I invoke their "add a passkey" function.

3. If I'm on my Mac, using Chrome, Firefox, or Safari, I get a dialog showing me the site and the user name and asking if I want to save a passkey in my 1Password.

There is a security key icon on the dialog that I can click if I want to save the passkey elsewhere. That replaces the 1Password dialog with one offering to save a passkey in my iCloud keychain for use on all my Apple devices.

That dialog has an "other options" link which brings up another dialog that adds options to use an external security key or to save a passkey on an iPhone, iPad, or Android device with a camera. The latter option will show a QR code that can be scanned on that other device.

I save the passkey in either 1Password or my iCloud keychain.

If I'm on my iPad using Safari, it is similar, except the first dialog shows both 1Password and iCloud as storage destinations, with radio buttons to pick between them.

4. Repeat step #3 once, storing a passkey in whichever of 1Password and iCloud keychain that I didn't pick the first time through.

Some sites let you give the passkeys names to make them easier to remember so there might be typing a name in there somewhere.

All in all, it is only a few seconds to add a passkey after pressing the "add a passkey" button on a site, so adding two is no big deal.

fishywang|1 year ago

I'm not sure what UX you are talking about; the majority of the websites supporting u2f/passkeys have UX to manage your u2f keys/passkeys. (The only exception I can think of is early Twitter when it first implemented u2f, and at that point it only allowed you to add a single u2f key, but even Twitter fixed that later and supports multiple keys now.)

And (this is probably not emphasized enough) you really should never only use a single u2f key/passkey for a website; that's the recipe to get you locked out when you can't find your u2f key or get locked out of the provider of your passkey. I have at least 2 yubikeys on my keychain all the time (one for usb-a and one for usb-c), plus one for each of my computers, and passkeys from 1password, google, etc. And whenever I add u2f keys/passkeys to a website I add all/most of them.
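As an added illustration of the relying-party side of what fishywang describes in both posts above (several passkeys per account, and revoking every key that came from one provider while refusing to strip the account's last key, the lockout case the second post warns about): this is example code written for this thread, not code from any site, vendor or WebAuthn library named here. The AAGUID values, credential ids and public-key bytes are constructed placeholders, and the store is an in-memory model rather than a real WebAuthn implementation.

```python
"""Relying-party-side model of one account holding several passkeys.

Added illustration for this thread, not code from any site or vendor named in
it. Credential ids, public-key bytes and AAGUID strings below are constructed
placeholders; a real WebAuthn server would take them from the registration
ceremony's attestation response and verify them with a WebAuthn library.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


class LastCredentialError(Exception):
    """Raised when a revocation would leave the account with no passkey at all."""


@dataclass
class Credential:
    credential_id: bytes   # opaque id minted by the authenticator at registration
    public_key: bytes      # COSE key blob; stored only, never parsed in this model
    aaguid: str            # identifies the authenticator model / passkey provider
    label: str = ""        # optional user-facing name some sites let you set


@dataclass
class Account:
    username: str
    credentials: Dict[bytes, Credential] = field(default_factory=dict)


class CredentialStore:
    """In-memory store keyed by username; each account maps credential id -> Credential."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def register(self, username: str, cred: Credential) -> int:
        """Attach another passkey to the account and return how many it now has."""
        acct = self._accounts.setdefault(username, Account(username))
        if cred.credential_id in acct.credentials:
            raise ValueError("credential id already registered for this account")
        acct.credentials[cred.credential_id] = cred
        return len(acct.credentials)

    def allow_list(self, username: str) -> List[bytes]:
        """Credential ids to place in allowCredentials when building assertion options."""
        acct = self._accounts.get(username)
        return sorted(acct.credentials) if acct else []

    def providers(self, username: str) -> Set[str]:
        """Distinct AAGUIDs on the account: how many independent providers can still sign in."""
        acct = self._accounts.get(username)
        return {c.aaguid for c in acct.credentials.values()} if acct else set()

    def revoke_provider(self, username: str, aaguid: str) -> int:
        """Drop every passkey from one provider (e.g. a compromised sync service).

        Refuses if that would remove the account's last passkey, since the user
        would then be locked out; they should register a replacement first.
        """
        acct = self._accounts[username]
        doomed = [cid for cid, c in acct.credentials.items() if c.aaguid == aaguid]
        if doomed and len(doomed) == len(acct.credentials):
            raise LastCredentialError(
                f"{username}: revoking provider {aaguid} would remove all passkeys")
        for cid in doomed:
            del acct.credentials[cid]
        return len(doomed)


# Constructed AAGUID placeholders standing in for the providers mentioned in the thread.
AAGUID_1PASSWORD = "00000000-0000-4000-8000-000000000001"
AAGUID_ICLOUD = "00000000-0000-4000-8000-000000000002"
AAGUID_YUBIKEY = "00000000-0000-4000-8000-000000000003"


def demo() -> dict:
    """Register four passkeys from three providers, then revoke one provider wholesale."""
    store = CredentialStore()
    store.register("alice", Credential(b"cred-1p", b"pk-1", AAGUID_1PASSWORD, "1Password"))
    store.register("alice", Credential(b"cred-ic-mac", b"pk-2", AAGUID_ICLOUD, "iCloud (Mac)"))
    store.register("alice", Credential(b"cred-ic-ipad", b"pk-3", AAGUID_ICLOUD, "iCloud (iPad)"))
    total = store.register("alice", Credential(b"cred-yk", b"pk-4", AAGUID_YUBIKEY, "YubiKey"))

    # iCloud Keychain compromised: both synced keys go, the other providers stay usable.
    removed = store.revoke_provider("alice", AAGUID_ICLOUD)

    # With a single provider left, revoking it would lock the user out, so it is refused.
    store.revoke_provider("alice", AAGUID_1PASSWORD)
    try:
        store.revoke_provider("alice", AAGUID_YUBIKEY)
        last_refused = False
    except LastCredentialError:
        last_refused = True

    return {
        "registered": total,
        "removed_icloud": removed,
        "remaining": store.allow_list("alice"),
        "providers_left": store.providers("alice"),
        "last_revocation_refused": last_refused,
    }


if __name__ == "__main__":
    print(demo())
```

Keying revocation on the AAGUID is what makes "revoke everything from my Apple keychain" a single operation per site instead of a hunt through individual keys, and `providers()` is the number a site could surface in its security settings to nudge users toward a second provider before they ever need a backup.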

gsich|1 year ago

Those websites are unimportant enough to just use normal passwords.

6510|1 year ago

> And _if_ your, say, Apple keychain is compromised, you can just revoke the passkeys from your Apple keychain from all the websites (yes it's tedious, but it's doable).

without the key?

rcxdude|1 year ago

Without a standard automatable way of doing this, it doesn't happen in practice, even assuming people implement it competently enough to allow multiple passcodes (TOTP codes, for example, are often only one per account, which is similarly annoying for maintaining a revocable backup).

FireBeyond|1 year ago

> The nice thing about passkeys is that, unlike passwords, you can have multiple per account.

I would charitably estimate that of the sites currently supporting Passkey, the ones that support multiple passkeys are in the single digit percentage. So, practically, you can't.

vel0city|1 year ago

As someone who actually uses them in a lot of places, the number of sites I know of that only allow a single passkey is one: PayPal. What other sites do you know of that only allow a single one?

lostmsu|1 year ago

Ha, tell that to Apple. Last time I logged in to their App Connect it said that the passkey can only be used from an iOS or MacOS device.