{"id":45393,"date":"2024-10-16T14:04:43","date_gmt":"2024-10-16T18:04:43","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=45393"},"modified":"2024-11-05T14:10:31","modified_gmt":"2024-11-05T19:10:31","slug":"passkeys-credential-exchange","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2024\/10\/16\/passkeys-credential-exchange\/","title":{"rendered":"Passkeys Credential Exchange"},"content":{"rendered":"

Filipe Espósito<\/a> (Hacker News<\/a>, MacRumors<\/a>, Dan Moren<\/a>):<\/p>\n

As just announced by the FIDO Alliance<\/a>, the new specifications aim to promote user choice by offering a way to import and export passkeys. The draft of the new specifications establishes the Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) formats for transferring not only passkeys, but other types of credentials will also be supported.<\/p>

[…]<\/p>

1Password, which worked with the FIDO Alliance on the new specifications, has already committed to supporting the new passkey import and export formats<\/a> as soon as they become available. Other companies such as Dashlane, Bitwarden, NordPass, and Google also worked on the draft of the new specifications<\/a>.<\/p>

Although nothing has been said about Apple, the company is also part of the FIDO Alliance and was one of the first to introduce support for passkeys in 2022 with iOS 16.<\/p><\/blockquote>\n\n

I don’t love this framing because, to me, “export” means that it generates a standalone file that I can do with what I please. I can edit it. Or back it up and import it later—possibly into a different app. As far as I can tell, this is not that. It’s more of a way to transfer passkeys between password managers. It’s specifically designed to “export” an encrypted blob that can only be read by the password manager that requested the export. There’s no use even storing the exported file because, unless you have a way to back up the receiving private key<\/a>, you won’t even be able to import it again. Maybe a third-party developer will make an app that requests\/receives an export and lets you access your own data.<\/p>\n\n

Jeff Johnson<\/a>:<\/p>\n

\n

Export and import should have been extremely simple. Instead, they took years to come up with some convoluted system where the only possibility is to transfer from one vendor lock-in to another vendor lock-in.<\/p>\n<\/blockquote>\n\n

The FIDO Alliance would probably say that not allowing true exporting makes it more secure, but I think that’s only true in a kind of security-through-obscurity way. If you make an encrypted happy path for transferring credentials, people will use it because it’s easier. Credential exchange does<\/em> open the way for people to get at the decrypted data—it just makes it a pain and requires trusting an additional helper app. (Or are they going to somehow prevent non-big-players<\/a> from participating?) If someone has direct access to my Mac and unlocked password manager, it’s game over, anyway. So I fail to see what this is really protecting against. Do they think people will export CSV files and leave them on unencrypted storage?<\/p>\n\n

Jay Peters<\/a>:<\/p>\n

\n

“It is critical that users can choose the credential management platform they prefer, and switch credential providers securely and without burden,” the FIDO Alliance wrote in its press release.<\/p>\n<\/blockquote>\n\n

It’s about platforms, not giving you control of your data.<\/p>\n\n

Martin Pilkington<\/a>:<\/p>\n

\n

This is a big improvement, but I’m still very wary of any authentication system whose secret I can’t easily write down on a piece of paper.<\/p>\n

Yes that may seem insecure, but I would also consider having a system that pretty much only major vendors can support to also be insecure in other ways. Loss of access is just as bad as being hacked as an authentication failure point.<\/p>\n

I really want to like Passkeys given they’re technically much better, but their flaw is they require you to trust Big Tech (and do so in a far more important way than with passwords). Unfortunately Big Tech has used up pretty much all its remaining trust budget 🤷‍♂️<\/p>\n<\/blockquote>\n\n

Phil Dennis-Jordan<\/a>:<\/p>\n

\n

I particularly resent how they’re treating their proprietary, heavily networked implementations in always-connected devices as superior to a mostly-airgapped FIDO2 device. Those USB key like devices don’t have great UX, but I’d rather see some iteration on that idea than allowing Big Tech to silently sync (i.e. delete, copy, insert, etc.) those secrets in my phone.<\/p>\n<\/blockquote>\n\n

Micah R Ledbetter<\/a> (via Hacker News<\/a>):<\/p>\n

\n

Passkeys are a technically interesting idea with many upsides, but I am concerned about the power they take away from users.<\/p>\n

[…]<\/p>\n

The passkey spec is designed intentionally such that:<\/p>\n