#Apple and #Google have hijacked passkeys to keep users locked into their walled gardens.
Here's how we can make #passkeys work for everyone: https://proton.me/blog/big-tech-passkey
Matthew Miller, in reply to Proton:
This is pretty FUD-y, @protonprivacy. Most people online don't use any third-party password managers, so it's been important for Apple and Google to get the passkeys experience right with their own password managers for the sake of mass adoption. And syncing between operating systems is challenging, but being worked on right now.
Why not use your launch of passkeys support to celebrate the benefits of passkeys instead of making it look like you're the only ones to "do passkeys right"?
Avoid the Hack!, in reply to Matthew Miller:
@iamkale I'm going to play devil's advocate here: they're not really _wrong_ though (and neither are you).
Recent history shows that Big Tech doesn't like inter-operability where it hurts user retention in their ecosystem.
We saw/see this with password managers (ex: you can't export Keychain from iOS alone; you need a Mac) and TOTP apps (Microsoft Authenticator doesn't have a formal export function; you have to use the backup workaround).
Additionally, and rather anecdotally, I still wouldn't say we even saw mass adoption with password managers or more secure MFA (TOTP) from Big Tech efforts either.
So many people don't use the password managers bundled with iOS/Mac or Android/ChromeOS. Even if they do, they're still reusing passwords, defeating the purpose.
Avoid the Hack!, in reply to tim cappalli:
@timcappalli Are they?
Are we sure it's not just cloud sync for that vendor's platform? Ex: Apple to iCloud and Google to Google Drive?
Last I heard/read was that users would still have to create another passkey for new "custodians."
https://fidoalliance.org/passkeys/
Avoid the Hack!, in reply to tim cappalli:
@timcappalli We wouldn't know until they actually roll it out, to be fair. I am just spitballing, considering the closest thing I can think of to something similar we have now is SSH keys.
In theory custodians could never allow an unencrypted export of the key per protocol, who knows.
Edit: Meant to say I use Bitwarden so it is a non-issue currently.
Wilhelm, in reply to tim cappalli:
I find this argument a bit problematic. Just because software like @Team KeePassXC gives users control and choice over their passkeys, which Apple / Google / ... currently don't, doesn't mean they are irresponsible. From what I can tell, KeePassXC devs were not involved in the discussions around transfer of passkeys.
Big tech wanted to get passkeys into user hands, which is a great thing, as are passkeys in general. But the statement that it is somewhat of a lock-in situation currently is not false.
And finger-pointing at software that does give users the option to transfer passkeys at their desire is not helping, I think. Especially when that aspect has not yet been standardized.
If transfer can happen in encrypted form, that is clearly preferable. You filed https://github.com/keepassxreboot/keepassxc/issues/10407, which is a good thing. The discussion shows, however, that the way the debate was going on so far was not ideal.
#passkeys #security #passwordless