Archive for May 8, 2023

Monday, May 8, 2023

Passkeys: A Loss of User Control?

Jeff Johnson (Mastodon, Hacker News):

One thing is painfully clear to me already: the BigCos are coming for our passwords, so passkeys can’t be ignored. Google recently wrote about the beginning of the end of the password. Apple has also indicated that it wants passkeys to replace and eliminate passwords. For example, the manager of the Authentication Experience team at Apple has said I’m really looking forward to working with all y’all to eliminate passwords and the harm they cause. Even 1Password, with “Password” literally in its name, has written about the passwordless experience you deserve[…]


With passwords and ssh keys, I can look at them. I can copy and paste them. I can write them down on a piece of paper. I can import and export them. I can back them up to external hard storage. Whereas in my testing with macOS Ventura and Safari, none of this is possible with passkeys. In fact, Apple requires you to enable iCloud and iCloud Keychain in order to save a passkey on a macOS or iOS device.


It’s opaque. You can’t see the specific details of iCloud’s sync operation, or manage it yourself. This is true of passkeys as well. I looked at the iCloud keychain in macOS Keychain Access, and all I saw for passkeys was a bunch of SOSDataSource-ak files with data that I couldn’t access.


I get the feeling, from how I’ve seen Apple behave and how Apple employees talk, that Apple has no intention to ever loosen their requirements for passkeys. And to be clear, these requirements are inessential, arbitrary, paternalistic. […] Apple’s attitude seems to be that users can’t be trusted with their own passkeys. My fundamental problem is, I don’t trust Apple to manage my passkeys, especially not via iCloud, nor do I consent to subject myself to the requirement of using their cloud services.

This echoes the concerns I had when Apple announced passkeys last year. I do not want everything to sync, and I do not want to be required to use iCloud Keychain, my access to which could be revoked at any time.

Ricky Mondello (Hacker News):

Passkeys will be importable and exportable, cross-device, and across passkey managers. They aren’t at this time, but they will be. It’s something that’s being defined and designed.

This sounds good, but I find it worrisome that Apple shipped the feature without providing users a way to access their data. Not only did it not announce that this was the plan, but it (in my view) strongly implied that this was, by design, not part of the plan. Hopefully there will at least be an official statement at WWDC.

I don’t want to count any chickens before they’re hatched. When I first switched to 1Password, it was with the understanding that it had CSV export. Only when I actually tried to export real data did I discover that it omitted lots of fields and that the only way to get my data out was to write code to parse an undocumented, not-quite-JSON format that did not fully preserve the dates.

With passkeys, it’s not just a question of getting at the data but also being able to do something with it. With passwords, you can always type or copy/paste. But will browsers let you do stuff with passkeys if you aren’t using the BigCo’s storage system? Will there be an API? There’s still no way to get Security Code AutoFill in third-party browsers. Maybe Apple sees this as temporary because “a passkey alone protects against so much more that it doesn’t need additional factors,” but so far I do not find that reasoning convincing, especially if they do add exporting.


Core to the early passkey design docs was the idea that the user can never ever export the private key.


Update (2023-05-16): Apple:

To help explain how to implement passkeys, the Apple privacy and security team hosted a Q&A to answer common questions about device support, use cases, account recovery, and more. Here are some highlights from that conversation.

There’s no mention of exporting.

Steve Troughton-Smith:

No amount of marketing is going to make me trust Apple as the single source for my passwords when my devices keep demonstrating how bad they are at remembering them 😅

Update (2023-05-17): John Gordon:

Surrogate use is a really big deal. Children yes, but also adult dependents (special needs), disabled family members, and especially elders (including bank accounts, medical records).

Even my wife often has me solve IT issues using her credentials (she has mine as well).

2FA made surrogate use much harder but SMS systems often allow multiple phone numbers. Passkeys though -- out of luck. Apple would need to add formal delegation.


I forgot about estate planning. How do I transfer passkeys when I pass?


Update (2023-05-18): See also: Hacker News.

Update (2023-09-14): Thomas Cannon (Mastodon):

“Okay, but what about THIS failure scenario with passkeys?”

Update (2024-05-03): Ricky Mondello:

The FIDO Alliance’s members are working on a solution for portability that maintains phishing-resistance. It’s going well. It’s important to me that portability is part of passkeys as soon as it’s safely possible.

Rapid Security Response Version Numbers

Howard Oakley:

Because these are ‘hot’ fixes to address vulnerabilities that are either being exploited already or are considered urgent, I can see a case for temporary secrecy. As they’re easy to uninstall, unlike regular macOS updates, any resulting problems should be easy to address.

What I hadn’t expected was the mess this has brought to macOS version numbering.


This new version numbering system introduced with Big Sur doesn’t provide for RSRs. One logical solution might have been to extend it to a fourth digit, making last week’s RSR Perhaps the least appropriate would have been to introduce letters and punctuation marks other than the stop/period already used, and that’s exactly what Apple has chosen by making this first RSR 13.3.1 (a).


Interpretation of build numbers is more controversial, and has now reached a new height of opacity: apply this RSR to build number 22E261 and it becomes 22E772610a. Quite where the three additional digits come in remains a mystery that we can rely on Apple never to explain.

Howard Oakley:

How can you tell which upgrades and updates your Mac has downloaded and installed? If you wish, you can rummage through those listed in System Information’s Installations. I’d prefer to browse something a bit more selective and ordered: SystHist.

This new version now handles RSRs in its three panels.

Howard Oakley:

I’m delighted to announce what I think is a unique resource: a detailed listing of all updates to macOS over the last four years and more, with links to full information about each. These include regular updates, security updates, and Supplemental Updates.

You can access this list at this page.


Update (2023-05-09): Howard Oakley:

The most significant risk with any RSR is relative lack of testing before release. This is countered by its ease of removal, and its relative isolation from the sealed system. Unlike a full macOS update, it makes no changes to the sealed system, and once removed shouldn’t leave any trace.


Limiting iPhone USB-C Speeds

Joe Rossignol (Hacker News):

It was rumored in February that Apple may be planning to limit charging speeds and other functionality of USB-C cables that are not certified under its “Made for iPhone” program. Like the Lightning port on existing iPhones, a small chip inside the USB-C port on iPhone 15 models would confirm the authenticity of the USB-C cable connected.

“I believe Apple will optimize the fast charging performance of MFi-certified chargers for the iPhone 15,” Apple analyst Ming-Chi Kuo said in March.


In response to this rumor, European Commissioner Thierry Breton has sent Apple a letter warning the company that limiting the functionality of USB-C cables would not be permitted and would prevent iPhones from being sold in the EU when the law goes into effect, according to German newspaper Die Zeit.


The Downfall of Brydge

Chance Miller:

Brydge, a once thriving startup making popular keyboard accessories for iPad, Mac, and Microsoft Surface products, is ceasing operations. According to nearly a dozen former Brydge employees who spoke to 9to5Mac, Brydge has gone through multiple rounds of layoffs within the past year after at least two failed acquisitions.


Those former Brydge employees largely attribute the company’s failure to mismanagement during growth, misleading statements from its two co-CEOs, and an overall hostile working environment that led to a high turnover rate.


The response to the first iteration of the Brydge Pro+ was mixed at best. At that point, iPadOS 13 didn’t offer native trackpad support, so Brydge was forced to rely on a workaround using Apple’s Assistive Touch accessibility feature. It was far from an ideal solution, and the early reviews made that clear.


Just three months later, Brydge was hit with a major surprise when Apple unveiled the Magic Keyboard for iPad Pro, its first iPad keyboard accessory with a built-in trackpad. Alongside that, Apple released iPadOS 13.4 with native trackpad support without using the Assistive Touch accessibility feature.

iPadOS 13.4 did not make the full suite of trackpad capabilities offered by the Magic Keyboard available to third parties like Brydge, however. […] The sentiment among Brydge executives and employees was that Apple left them out to dry while giving Logitech special access to its software.