I really don't know how I feel about this shift in passwords. I have long preferred the use of a password manager knowing that if they do something shady I don't like (like when I moved from lastpass to 1password) I could just pick up and move and I was not locked into that platform.
That doesn't mean I have not used SSO before with my Apple ID, but it was not my preferred way to log in.
My primary worry is being locked into a specific provider of login (like 1password) and not able to ever leave them. I ditched google long ago but I still have some accounts I have to log in with Google.
Is there a part of Passkey that makes this a non issue that I am unaware of or are we kinda just doing another version of SSO with a biometric component?
Also related, what about devices without biometrics? Does it fall back to your phone or something?
I also don't love the idea of the provider of the passkey authentication having data about where I go, where I login and when.
At the end of the day passkeys are a public/private key pair. While now they're new and it seems everybody's doing some sort of lock in, I would expect standards to emerge soon to export the private keys and reimport them in a different apps.
Unlike passwords, passkeys protect against phishing and are not shared with the server (the server knows the public key, not the private one).
Biometrics on phone are used to unlock password manager/passkeys, but they're not sent to the server (thanks god!) for verification. So they can't really be used for remote authentication.
You hit it right. It's not much different than saving your HOTP/TOTP key into your password manager. Instead you'd save the WebAuthn private key and nobody could impersonate you without gaining access to your private key from your password manager (1Password, Android, iOS, Chrome, etc.). At least that is how I have come to understand the inner workings of it all. People rely on PKI for encrypting messages, signing messages, secure remote access, etc., so I think it only makes logical sense to extend it to web application authentication.
It’s not really a new standard, it’s FIDO2, it’s been around for a while using security keys (yubikeys, solokeys…).
Passkeys used to be called non-resident keys.
In the world of hardware security keys there was no backup/share of private keys.
In this new wave of software authenticators (typically backed by the hw coprocessor that’s now available in phones & laptops), they called them passkeys, added sharing across devices, and a few debatable features like interactions with servers that may lead to lock in/tracking/etc (or may not).
Correct. Nothing is centralized about Passkey (other than where you may choose to store your authenticators). Each site gets a unique keypair. If your keypair is compromised you can delete it on that given site.
Passkeys is more or less just a more convenient implementation of FIDO2 or the like, as you'd traditionally have with a Yubikey token. Instead you move it to a supported password manager or mobile device.
If you want to try it out go to https://passkeys.io on your Android or iOS device. I do believe Passage is more or less what Passkeys is/already was.
I'm patiently waiting for Bitwarden to implement passkey support. The ability to self-host the key synchronisation/generation mechanism is the biggest blocker for me right now.
1Password supporting them as a relative outsider (i.e. not Apple/Google/Microsoft) is a nice improvement to the system.
That doesn't mean I have not used SSO before with my Apple ID, but it was not my preferred way to log in.
My primary worry is being locked into a specific provider of login (like 1password) and not able to ever leave them. I ditched google long ago but I still have some accounts I have to log in with Google.
Is there a part of Passkey that makes this a non issue that I am unaware of or are we kinda just doing another version of SSO with a biometric component?
Also related, what about devices without biometrics? Does it fall back to your phone or something?
I also don't love the idea of the provider of the passkey authentication having data about where I go, where I login and when.