alt Hacker NewsCredentials for Linux: Bringing Passkeys to the Linux Desktop
Comments
I'm a big fan of passkeys, but they are currently harder to manage/reason about than passwords (even autogenerated ones stored in a password manager).
My web browser wants to own the passkeys, my OS wants to own the passkeys, I have to deny them before I can get to my hardware key. Some providers will sync passkeys amongst devices, which at some point seemed to be against the spec.
It's all rather confusing. I wish there was a straight forward best practise that can be followed without the niggling worry that you're doing it wrong, or that you might get locked out of services.
Passkey/webauthn is a cool tech, and I'd really like to use it everywhere, but I find the anti-user attitudes of the spec authors concerning. The spec contains provisions about "user verification" (the software must force user interaction) and not allowing the user to access the plaintext keys. It appears that the spec authors do not consider the keys to be owned by the user at all.
KeepassXC implements passkey support, but they do not implement these anti-user features. As a result, they are being threatened with being banned via attestation:
https://github.com/keepassxreboot/keepassxc/issues/10406
https://github.com/keepassxreboot/keepassxc/issues/10407
Screw these "You'll own nothing and be happy" people. I'll own all my keys no matter what. The software I run on my device should never betray me to signal things like "this passkey is allowed to be backed up!".
That's interesting. How the actual passkeys will be stored with this approach?
No thanks, it stinks.
I just wish more people would protest this instead of things like secure boot.
Password managers and/or operating systems can manage private keys just fine. websites shouldn't be concerned with how the keys are managed, or be able to make demands on how users store credentials, or know device details for users.
One thing I dislike even with systems like FIDO2 is that the websites/apps can block list your FIDO key's vendors. Similar trends suck. Passkeys are just one iteration in a long line of systems designed with corporate interests in mind.
The system validating the authentication needs only to verify that the credentials are correct. If users want to use TPMs, HSMs,etc.. or none at all, that's up to them. And no information, other than what is strictly required to verify the credential should be transmitted over the network. a signature of challenge data from the app should be sufficient. the user's public key shouldn't be signed at all by hardware, a trusted 3rd party,etc.. the registration process should take care of establishing public key trust to the authenticator/app. The whole thing feels insidious.