Monday, May 8, 2023

Passkeys: A Loss of User Control?

Jeff Johnson (Mastodon, Hacker News):

One thing is painfully clear to me already: the BigCos are coming for our passwords, so passkeys can’t be ignored. Google recently wrote about the beginning of the end of the password. Apple has also indicated that it wants passkeys to replace and eliminate passwords. For example, the manager of the Authentication Experience team at Apple has said I’m really looking forward to working with all y’all to eliminate passwords and the harm they cause. Even 1Password, with “Password” literally in its name, has written about the passwordless experience you deserve[…]


With passwords and ssh keys, I can look at them. I can copy and paste them. I can write them down on a piece of paper. I can import and export them. I can back them up to external hard storage. Whereas in my testing with macOS Ventura and Safari, none of this is possible with passkeys. In fact, Apple requires you to enable iCloud and iCloud Keychain in order to save a passkey on a macOS or iOS device.


It’s opaque. You can’t see the specific details of iCloud’s sync operation, or manage it yourself. This is true of passkeys as well. I looked at the iCloud keychain in macOS Keychain Access, and all I saw for passkeys was a bunch of SOSDataSource-ak files with data that I couldn’t access.


I get the feeling, from how I’ve seen Apple behave and how Apple employees talk, that Apple has no intention to ever loosen their requirements for passkeys. And to be clear, these requirements are inessential, arbitrary, paternalistic. […] Apple’s attitude seems to be that users can’t be trusted with their own passkeys. My fundamental problem is, I don’t trust Apple to manage my passkeys, especially not via iCloud, nor do I consent to subject myself to the requirement of using their cloud services.

This echoes the concerns I had when Apple announced passkeys last year. I do not want everything to sync, and I do not want to be required to use iCloud Keychain, my access to which could be revoked at any time.

Ricky Mondello (Hacker News):

Passkeys will be importable and exportable, cross-device, and across passkey managers. They aren’t at this time, but they will be. It’s something that’s being defined and designed.

This sounds good, but I find it worrisome that Apple shipped the feature without providing users a way to access their data. Not only did it not announce that this was the plan, but it (in my view) strongly implied that this was, by design, not part of the plan. Hopefully there will at least be an official statement at WWDC.

I don’t want to count any chickens before they’re hatched. When I first switched to 1Password, it was with the understanding that it had CSV export. Only when I actually tried to export real data did I discover that it omitted lots of fields and that the only way to get my data out was to write code to parse an undocumented, not-quite-JSON format that did not fully preserve the dates.

With passkeys, it’s not just a question of getting at the data but also being able to do something with it. With passwords, you can always type or copy/paste. But will browsers let you do stuff with passkeys if you aren’t using the BigCo’s storage system? Will there be an API? There’s still no way to get Security Code AutoFill in third-party browsers. Maybe Apple sees this as temporary because “a passkey alone protects against so much more that it doesn’t need additional factors,” but so far I do not find that reasoning convincing, especially if they do add exporting.


Core to the early passkey design docs was the idea that the user can never ever export the private key.


Update (2023-05-16): Apple:

To help explain how to implement passkeys, the Apple privacy and security team hosted a Q&A to answer common questions about device support, use cases, account recovery, and more. Here are some highlights from that conversation.

There’s no mention of exporting.

Steve Troughton-Smith:

No amount of marketing is going to make me trust Apple as the single source for my passwords when my devices keep demonstrating how bad they are at remembering them 😅

Update (2023-05-17): John Gordon:

Surrogate use is a really big deal. Children yes, but also adult dependents (special needs), disabled family members, and especially elders (including bank accounts, medical records).

Even my wife often has me solve IT issues using her credentials (she has mine as well).

2FA made surrogate use much harder but SMS systems often allow multiple phone numbers. Passkeys though -- out of luck. Apple would need to add formal delegation.


I forgot about estate planning. How do I transfer passkeys when I pass?


Update (2023-05-18): See also: Hacker News.

14 Comments RSS · Twitter · Mastodon

iCloud required? Deal breaker!

Joshua Ochs

It's not for everyone, but I'll keep my self-hosted BitWarden as long as I can. I didn't like 1Password moving to their own cloud/sync service and eliminating local vaults; I like this even less.

Passkeys can also be stored on yubikeys / fido2 devices, what problem you have with those?

I’ve been really surprised at how many tech writers I’ve seen who are just ready to throw all in with passkeys, when I still see so many foreseeable issues. In addition to all of the above, what about password/account sharing? If I need to sign into one of my kids’ accounts to fix an issue and I have to do it remotely, how do I do that with passkeys?

I mean, I hope the other password managers (and esp. BitWarden/VaultWarden) are able to integrate passkeys. That would obviously ameliorate the worst of the concerns.

@Avi Hardware dongles are hard to use in practice and are therefore mostly of interest to (really or actually) important people with (real or actual) concerns about credential theft; they are inconvenient for the vast majority of consumer users. (Which isn't to say that they aren't fun to muck about with; if you can get an offer on a bundle of keys from somewhere, get them to experiment.)

I’ve used Keychain for years (a decade+?) with no issues - started with less critical accounts of course but now almost all is there and it’s never failed me.

The future is biometrics all the way - probably multiple forms - if this is an interim measure then great - otherwise, meh!

>This sounds good, but I find it worrisome that Apple shipped the feature without providing users a way to access their data.

Which makes me wonder how this complies with the various laws that require users to be able to access their data? I guess maybe there are probably some sort of carve outs on those laws?

Another ridiculous and yet seldom discussed aspect of the switch to Passkeys is that account recovery will always require a fallback password or some description.

Let us imagine the “average” non-Silicon-Valley Apple user has an iPhone and a Mac. Simply by getting mugged that average, ordinary user could lose access to all their devices at once, needing to trigger some sort of account recovery flow to regain access to their synced passkeys — or to each individual account they operate. Anybody can get mugged or burgled at some point.

How could this even work without fallback passwords? Apple cannot ask its customers to proceed to the nearest store with government-issued ID to unlock accounts. They cannot even seem to be able to restore access for the handful of people who have been recently featured by the WSJ and whose claims appear unimpeachable. How would they deal with homonyms, fake IDs, or countries where IDs are not mandatory?

Ultimately, Passkeys are about wrestling the “one password” away from password managers. Instead of having to protect your 1Password password, you will have to structure your life around your Apple ID’s password, making Apple (or Google or Microsoft) the centre of our online experience.

The fact that Passkeys were launched without any clear roadmap to export them is very telling: none of the companies involved want users to access their data, but, by not having written this into the standard, they retain plausible deniability and attract plenty of good press — including in the mainstream media. They also avoid the legal issues mentioned above by Peter Lewis.

By the way, with banks closing safe deposit boxes all around the world, how long will users be able to keep these recovery keys, or 2FA bypass codes safe?

The user must have ultimate control of their data. Period. The cloud has its uses but cannot, under any circumstances, be required.

> The future is biometrics all the way

@Niall Biometrics are a login, not a password. Authorization needs to be something only you know or possess that cannot be easily replicated or cloned.

The biggest advantage of Passkeys is that they very effectively prevent traditional phishing attacks. That alone is a good reason to start using them for high value accounts like your primary email or for payment services like PayPal.

I don't think that traditional passwords will be replaced soon though. It will take a long time to educate users about how Passkeys work and how to manage them.

Also, there needs to be an easy way to use Passkeys from third-party apps and a way to move them (import/export) between devices without using iCloud. I hope Apple is working on this.

If you trust a company to keep your data and passwords safe, then you should trust them with passkeys too. Here's a great article on Ars Technica that addresses many questions and concerns about passkeys.

@Steve I have some issues with the precursor to that article, and this one misunderstands the MacStealer DMG signing issue. I think the bottom line is not that the technology is unsafe but that, because it’s more complicated, you are forced to rely on other companies and so you have to trust them (plus the more complicated interactions involving their software). And you also get less flexibility, i.e. can only do the things that they let you do.

And this is just laughable:

Independent security experts have yet to report any discrepancies in Apple’s claim that it lacks the means to unlock the credentials stored in the iCloud Keychain.

[…] Passkeys: A Loss of User Control? […]

Leave a Comment