Doesn’t the post conclude the opposite however, that you can in fact manage your own passkeys outside of any “big tech”?
I dont know how you missed the whole first section… If the provider can force you into device/software attestation then that indeed means that you can NOT use your own passkey management system without having to worry about being locked out.
If all your passkeys are hanging out in plain text without a pin/biometric/other key gating their access, they are all compromised and should be rejected.
No thats actually not an issue at all if your device is secure and uses full disk encryption. And if your device isnt secure then any additional security measures like password managers are ineffective anyways. If i want to write down my private key on a piece of paper and type it in by hand then thats my issue to deal with and not theirs.
The problems highlighted in the first section are optional however. Forcing a particular authentication / device attestation method isn’t a passkey problem, it’s a provider problem. They are free to do that today with or without passkeys. Equating passkeys = bad because of that feels harsh; it is like any scenario where bad actors behave badly with any given technology.
Software passkeys can’t provide attestation and don’t. A service requiring it would reject every apple and google device too. Its a feature for hardware like yubikeys and smart cards used by governments to ensure it’s not a knockoff with backdoors.
No thats actually not an issue at all if your device is secure and uses full disk encryption.
Oh I see your computer is secure well then nothing to worry about 🤣
If i want to write down my private key on a piece of paper and type it in by hand then thats my issue to deal with and not theirs.
With a hardware FIDO2 key, the private key never leaves the device, instead it signs challenges. Malware on the PC can’t access the private key and make it’s own copy.
Using software keys, they are at least encrypted in the vault until you open it, then there’ll be a window of time with a plain copy in memory that malware can potentially grab.
Your plaintext private key file can be stolen by malware easily and immediately. You would actually be better off with it written on a post it note.
Course in real life malware is gonna be stealing your browser cookies to gain access to your accounts and avoid the whole keypass thing. In the world that FIDO was born, authentication is happening all the time and any possibility of key theft is considered a compromise.
I dont know how you missed the whole first section… If the provider can force you into device/software attestation then that indeed means that you can NOT use your own passkey management system without having to worry about being locked out.
No thats actually not an issue at all if your device is secure and uses full disk encryption. And if your device isnt secure then any additional security measures like password managers are ineffective anyways. If i want to write down my private key on a piece of paper and type it in by hand then thats my issue to deal with and not theirs.
The problems highlighted in the first section are optional however. Forcing a particular authentication / device attestation method isn’t a passkey problem, it’s a provider problem. They are free to do that today with or without passkeys. Equating passkeys = bad because of that feels harsh; it is like any scenario where bad actors behave badly with any given technology.
Passkeys give them an excuse to block devices 'for security reasons ’
Software passkeys can’t provide attestation and don’t. A service requiring it would reject every apple and google device too. Its a feature for hardware like yubikeys and smart cards used by governments to ensure it’s not a knockoff with backdoors.
Oh I see your computer is secure well then nothing to worry about 🤣
With a hardware FIDO2 key, the private key never leaves the device, instead it signs challenges. Malware on the PC can’t access the private key and make it’s own copy.
Using software keys, they are at least encrypted in the vault until you open it, then there’ll be a window of time with a plain copy in memory that malware can potentially grab.
Your plaintext private key file can be stolen by malware easily and immediately. You would actually be better off with it written on a post it note.
Course in real life malware is gonna be stealing your browser cookies to gain access to your accounts and avoid the whole keypass thing. In the world that FIDO was born, authentication is happening all the time and any possibility of key theft is considered a compromise.