HACKER Q&A
📣 cmdli

What would it take for you to switch to passkeys?


For those who are unaware, passkeys are a new authentication mechanism that allows users to log in using public keys instead of passwords. Right now passkeys are just starting to be adopted (Apple and Google have added support for them on their hardware) but aren't used widely.

Personally, I'm pretty excited about passkeys in general because passwords tend to be insecure, phishable, and relatively easy to crack and leak. However, I do see some hesitance in the idea of passkeys. I do see some problems with them, namely that it seems like passkeys are locked to the iPhone/Android device and are hard to sync. I would only switch to them if I could be assured that I could transfer them wherever I please.

What would you need to switch to passkeys? Do you see value in them? Are they just a passing fad?


  👤 josephcsible Accepted Answer ✓
An entirely FOSS way to use them and back them up, with no attestation that I'm using a stack that's been officially blessed by one of the megacorps.

👤 lapcat
I want to manage passkeys myself. I don't want to use iCloud Keychain sync, and I don't want to use 1Password. This is a non-negotiable requirement for me. Other than that, I'm fine with the idea.

👤 eternityforest
I would not want to use any service with keys that you can't copy and back up, no matter what, unless there was no alternative.

If it were built into BitWarden and synced with the vault, and as easy to use as passwords as in "This site wants to create a passkey using your passkey provider" I'd be all for it.


👤 ecesena
It'd be great to have a standard to share passkeys, and we'd be more than happy to include a reference implementation in solokeys firmware.

Passkeys is "just" the new (and much better!) name for FIDO resident keys. They are available in most (all?) security keys, though they're usually not extractable from hardware devices.

From a purely technical pov, I don't see any major complexity in exporting keys from one device to another (maintaining the required level of security), but of course if we want to do it across vendor we need a standard.

To the best of my knowledge both Google and Apple have their own proprietary way to share passkeys claiming better end-user security. It'd be nice to get to a standard that everybody can implement, and not just a way to share passkeys safari/iOS <> chrome/android.


👤 theandrewbailey
Wouldn't these fall under the "something you know" factor? (It's something you gave during registration, versus something they gave to you, right?) If so, isn't a public key just a really long password? Why not just let people use really long randomly-generated passwords stored in a password manager?
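
The question above is the one the rest of the thread keeps circling: why a passkey is not just a long password kept in a different place. The difference is in the exchange, which nobody in the thread spells out, so here is an added example for this page (it is not code from the thread, from FIDO, or from any vendor's implementation). It models the WebAuthn assertion flow in Go with only the standard library: the authenticator holds the private key, the server holds only a credential ID and public key, and each login is a signature over a fresh server challenge plus the origin the browser observed. The names Authenticator, RelyingParty, Scenario, the domains example.com and examp1e.com, the user "alice", the simplified authData layout, and the credential ID derived from the public key are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Authenticator maps a relying party ID (a domain) to a resident key that never leaves it.
type Authenticator map[string]*ecdsa.PrivateKey

// RelyingParty stores credential ID -> public key per user; several per user is what allows a
// backup authenticator, and a leaked table gives an attacker nothing to sign with.
type RelyingParty struct {
	ID, Origin string
	Users      map[string]map[string]*ecdsa.PublicKey
}
type clientData struct {
	Type      string `json:"type"`
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion mirrors what navigator.credentials.get() returns to the page.
type Assertion struct{ CredentialID, AuthData, ClientDataJSON, Signature []byte }

// Register makes a fresh P-256 key for rpID. The credential ID is derived from the public key
// for brevity (an assumption of this example; real authenticators use a random ID).
func (a Authenticator) Register(rpID string) ([]byte, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	a[rpID] = priv
	return priv.PublicKey.X.Bytes(), &priv.PublicKey, nil
}

// signedDigest is what both sides hash: authData || sha256(clientDataJSON).
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Assert signs a server challenge. The browser, not the page, supplies rpID and origin, so a
// look-alike site asks for a different rpID and the authenticator finds no key for it.
func (a Authenticator) Assert(rpID, origin string, challenge []byte) (Assertion, error) {
	priv, ok := a[rpID]
	if !ok {
		return Assertion{}, errors.New("no credential for " + rpID)
	}
	cdJSON, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // rpIdHash || flags (user present) || signCount
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cdJSON))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{priv.PublicKey.X.Bytes(), authData, cdJSON, sig}, nil
}

// Verify checks type, challenge, origin and rpIdHash, then the signature with the enrolled key.
func (rp *RelyingParty) Verify(user string, challenge []byte, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || !bytes.Equal(cd.Challenge, challenge) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rp.Origin {
		return errors.New("origin mismatch: " + cd.Origin)
	}
	if h := sha256.Sum256([]byte(rp.ID)); len(as.AuthData) < 37 || !bytes.Equal(as.AuthData[:32], h[:]) {
		return errors.New("rpIdHash mismatch")
	}
	pub, ok := rp.Users[user][string(as.CredentialID)]
	if !ok || !ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("unknown credential or bad signature")
	}
	return nil
}

func challenge() []byte { b := make([]byte, 32); rand.Read(b); return b }

// Scenario enrolls two authenticators for "alice" (constructed data) and reports whether the
// primary logs in, a phishing origin is refused, a replay is rejected, and the backup still works.
func Scenario() (primaryOK, phishRefused, replayRejected, backupOK bool) {
	rp := &RelyingParty{ID: "example.com", Origin: "https://example.com", Users: map[string]map[string]*ecdsa.PublicKey{"alice": {}}}
	primary, backup := Authenticator{}, Authenticator{}
	for _, a := range []Authenticator{primary, backup} {
		id, pub, _ := a.Register(rp.ID)
		rp.Users["alice"][string(id)] = pub
	}
	chal := challenge()
	as, _ := primary.Assert(rp.ID, rp.Origin, chal)
	primaryOK = rp.Verify("alice", chal, as) == nil
	// The real challenge relayed from https://examp1e.com is bound by the browser to rpID "examp1e.com".
	_, err := primary.Assert("examp1e.com", "https://examp1e.com", chal)
	phishRefused = err != nil
	chal2 := challenge() // next login: the captured assertion is tied to the old challenge
	replayRejected = rp.Verify("alice", chal2, as) != nil
	as2, _ := backup.Assert(rp.ID, rp.Origin, chal2) // primary lost; the backup still verifies
	backupOK = rp.Verify("alice", chal2, as2) == nil
	return
}
```

Call Scenario() from a main or a test; all four results come back true. What the public key cannot do is the point: it verifies signatures but cannot produce them, it is never sent by the user during login, and what the user does send (one signature) is bound to one challenge and one origin, so it cannot be replayed or harvested by a look-alike site the way a password, however long, can. The example omits what a production verifier also checks: the user-present/user-verified flags, a monotonically increasing sign counter, and, where a site demands it, the registration-time attestation that later comments in this thread object to.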

👤 CharlesW
> However, I do see some hesitance in the idea of passkeys.

Interesting, my impression is that everyone is ready for passwords to die.

> I do see some problems with them, namely that it seems like passkeys are locked to the iPhone/Android device and are hard to sync.

This will apparently be solved with password managers, which will handle sync across devices/platforms. (One source: https://www.future.1password.com/passkeys/)

> What would you need to switch to passkeys?

Password manager support with cross-device/platform sync.


👤 smoldesu
The only thing I want is GPG-style interop. If I can sync a cryptographic login keyfile between my devices with something like Syncthing or SFTP, that would make it trivial to integrate it into my workflow.

👤 KRAKRISMOTT
Multiple passkeys support by default. Many websites only support one hardware token and hardware is not infallible.

👤 waste_monk
Too many services only support a single MFA enrollment.

I have a pair of yubikeys but don't use them most of the time because most services won't let me register both concurrently, and I'd rather not be permanently locked out if one of the yubis gets lost / contact pins wear out / etc.

That said, you're lucky if they support one FIDO2 auth method at all instead of just SMS.


👤 FerretFred
I need to know that I can use them on all my platforms, right down to my Raspberry Pi Zero with practically no memory nor processing power.

👤 torstenvl
A completely open standard, at least partially human-readable /-parsable, with an open source reference implementation.

Any risk of proprietary lock-in, whether to Google, Apple, or Agile Bits, is unacceptable.


👤 toomuchtodo
I’m ready to switch as soon as sites support them and provide a transition mechanism from password to passkey.

(Apple ecosystem user)


👤 deafpolygon
Couldn't passkey fingerprints be used to identify you, regardless of login?

👤 fancymcpoopoo
In terms of value, I assume the push for passkeys is to make sure you have a device tracking your location with you at all times. So, obviously there is great value.

👤 knaik94
I will not use them unless there's stronger laws about biometric data and privacy. I realized that the whole point of passkeys is to replace passwords. It won't be immediate, but it is clearly the long term goal. I don't want my secrets/password secured to an ecosystem login. If I don't control my secrets, they aren't my secrets. It's a single hardware point of failure.

If passkeys are made mandatory, I want TOTP/HOTP to be primary and mandatory for every login as well.

In a hypothetical scenario where a government is looking to unlock your data, using a passkey would guarantee them access to your data since a warrant will let them take the physical key or force you to unlock your device.

"A man must use his fingerprints to attempt to unlock his phone, an Illinois federal district court ordered in signing a search warrant, finding that the request does not violate the Fourth or Fifth Amendment." [1]

The marketing from some companies that it will replace both password and TOTP codes with just passkeys makes me wonder about the motivation behind this push.

I took time to understand passkeys, and they are essentially a new implementation of the idea behind YubiKey locked behind major corporations like Google. "Your" phone device is a YubiKey that you can add to websites. And just like YubiKeys, they don't allow exporting keys. Worse, they are tied to a megacorp login. The attestation requirement is already satisfied in current YubiKeys.

Until an open source "weak" hardware or software implementation of passkeys exists and is clearly allowed by websites, I will not believe that attestation will not block this. Exporting secrets, while possible to code in an implementation, breaks one of the core ideas behind using something like a YubiKey where the assumption is one device per private key. Why would a website willingly allow a "weakened" implementation? That would compromise the security model.

I felt like a conspiracy theorist considering how the US government is becoming more of an "authoritarian government", but I realized I was giving the benefit of the doubt to an entity that doesn't deserve it. The US government is becoming aggressive in dismantling people's constitutional rights with technology.

"Once a warrant is secured, the type of passcode becomes the next deciding factor in whether law enforcement can gain access to a phone's contents. Cell phones are typically protected by a passcode that is either numerical or alphabetical, or by biometrics, such as a fingerprint or faceprint.

A Virginia circuit court ruled that police can require someone to give them access to a cell phone as long as the passcode is biometric, such as a fingerprint. That's because a fingerprint is considered something you have — physical evidence — and thus not self-incriminating. Stanford's Pfefferkorn said this can also extend to facial recognition.

But numeric or alphabetical passwords, on the other hand, are often considered something you know. This is where courts are divided." [2]

1. https://news.bloomberglaw.com/privacy-and-data-security/forc...

2. https://www.tampabay.com/business/when-can-police-compel-you...

https://www.governing.com/security/search-warrants-can-requi...

https://psmag.com/social-justice/can-the-government-force-yo...