Passkeys: A Loss of User Control?
Jeff Johnson (Mastodon, Hacker News):
One thing is painfully clear to me already: the BigCos are coming for our passwords, so passkeys can’t be ignored. Google recently wrote about the beginning of the end of the password. Apple has also indicated that it wants passkeys to replace and eliminate passwords. For example, the manager of the Authentication Experience team at Apple has said I’m really looking forward to working with all y’all to eliminate passwords and the harm they cause. Even 1Password, with “Password” literally in its name, has written about the passwordless experience you deserve[…]
[…]
With passwords and ssh keys, I can look at them. I can copy and paste them. I can write them down on a piece of paper. I can import and export them. I can back them up to external hard storage. Whereas in my testing with macOS Ventura and Safari, none of this is possible with passkeys. In fact, Apple requires you to enable iCloud and iCloud Keychain in order to save a passkey on a macOS or iOS device.
[…]
It’s opaque. You can’t see the specific details of iCloud’s sync operation, or manage it yourself. This is true of passkeys as well. I looked at the iCloud keychain in macOS Keychain Access, and all I saw for passkeys was a bunch of SOSDataSource-ak files with data that I couldn’t access.
[…]
I get the feeling, from how I’ve seen Apple behave and how Apple employees talk, that Apple has no intention to ever loosen their requirements for passkeys. And to be clear, these requirements are inessential, arbitrary, paternalistic. […] Apple’s attitude seems to be that users can’t be trusted with their own passkeys. My fundamental problem is, I don’t trust Apple to manage my passkeys, especially not via iCloud, nor do I consent to subject myself to the requirement of using their cloud services.
This echoes the concerns I had when Apple announced passkeys last year. I do not want everything to sync, and I do not want to be required to use iCloud Keychain, my access to which could be revoked at any time.
Passkeys will be importable and exportable, cross-device, and across passkey managers. They aren’t at this time, but they will be. It’s something that’s being defined and designed.
This sounds good, but I find it worrisome that Apple shipped the feature without providing users a way to access their data. Not only did it not announce that this was the plan, but it (in my view) strongly implied that this was, by design, not part of the plan. Hopefully there will at least be an official statement at WWDC.
I don’t want to count any chickens before they’re hatched. When I first switched to 1Password, it was with the understanding that it had CSV export. Only when I actually tried to export real data did I discover that it omitted lots of fields and that the only way to get my data out was to write code to parse an undocumented, not-quite-JSON format that did not fully preserve the dates.
With passkeys, it’s not just a question of getting at the data but also being able to do something with it. With passwords, you can always type or copy/paste. But will browsers let you do stuff with passkeys if you aren’t using the BigCo’s storage system? Will there be an API? There’s still no way to get Security Code AutoFill in third-party browsers. Maybe Apple sees this as temporary because “a passkey alone protects against so much more that it doesn’t need additional factors,” but so far I do not find that reasoning convincing, especially if they do add exporting.
Core to the early passkey design docs was the idea that the user can never ever export the private key.
Previously:
- Google Authenticator Adds Syncing
- iPhone Thieves Locking Users Out of Their Apple Accounts
- Google Account Deleted Due to CSAM False Positive
- Apple Accounts “Permanently” Blocked
- Locked Out of an Apple Account
- Apple Passwords Deserve an App
- Multi-Factor Authentication Recovery Distrust
- Passkeys
- Safari Security Code AutoFill
- 1Password Standalone Vaults and PasswordWallet
Update (2023-05-16): Apple:
To help explain how to implement passkeys, the Apple privacy and security team hosted a Q&A to answer common questions about device support, use cases, account recovery, and more. Here are some highlights from that conversation.
There’s no mention of exporting.
No amount of marketing is going to make me trust Apple as the single source for my passwords when my devices keep demonstrating how bad they are at remembering them 😅
Update (2023-05-17): John Gordon:
Surrogate use is a really big deal. Children yes, but also adult dependents (special needs), disabled family members, and especially elders (including bank accounts, medical records).
Even my wife often has me solve IT issues using her credentials (she has mine as well).
2FA made surrogate use much harder but SMS systems often allow multiple phone numbers. Passkeys though -- out of luck. Apple would need to add formal delegation.
[…]
I forgot about estate planning. How do I transfer passkeys when I pass?
Previously:
Update (2023-05-18): See also: Hacker News.
Update (2023-09-14): Thomas Cannon (Mastodon):
“Okay, but what about THIS failure scenario with passkeys?”
Update (2024-05-03): Ricky Mondello:
The FIDO Alliance’s members are working on a solution for portability that maintains phishing-resistance. It’s going well. It’s important to me that portability is part of passkeys as soon as it’s safely possible.
