from Hacker News

About Passkey – the password-free tech Apple is betting on

by gautamsomani on 7/1/24, 6:27 AM with 37 comments

  • by hgyjnbdet on 7/1/24, 8:22 AM

    These articles never seem to mention the issues with passkeys as they relate to Apple and other companies like them being in control of your account accessibility. What happens if your device is lost or stolen? What happens if that company decides you can no longer access your account with them?

    I'll be using keepassxc and passwords until I'm forced to use passkeys and then I'll use passkeys in keepassxc. No way am I tying my accounts to one or more devices controlled by multinational advertising companies.

  • by kats on 7/6/24, 1:41 AM

    I was having trouble understanding what they are.

    Summary: It's a password manager on your phone. You sign into your password manager with something easy like biometrics or a PIN. Then all the 'real' passwords for sites are autogenerated and those are what's sent to sites when you log in.

  • by heavyset_go on 7/6/24, 2:19 AM

    Passkeys are a nice solution, and it's entirely possible to adopt them without locking yourself into Apple or Google's walled garden. That seems to require you to forgo using your Apple/Google devices as passkeys themselves, unless you use an unrelated app as your passkey manager.

    It's interesting seeing how they're being used for lock-in, though. As mentioned in this thread, attestation in the standard will be abused towards that end.

  • by AnonHP on 7/6/24, 5:53 AM

    > And if a passkey were somehow stolen and added to a bad actor’s device, it would become useless because the thief wouldn’t have access to the true owner’s biometrics.

    I’m not sure if the author really understands passkeys well, because this statement seems either illogical or false (depending on which platform, device and passkey app one is using).

  • by Yaina on 7/6/24, 1:39 AM

    The biggest hurdle to passkey adoption is going to be how complicated they are to implement for developers (relative to their advantages). I think that's the much more pressing matter than user adoption.

  • by unethical_ban on 7/6/24, 2:45 AM

    I'm inebriated and curious, allow me to ask the layman's question:

    Is this just public/private keys with apple managing the keys and the security of the keys via their auth stack?
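
The question above, and kats's summary earlier in the thread, describe the mechanism a passkey login performs. As an added illustration that is not part of the thread or the linked article, the Go simulation below shows that exchange end to end: the authenticator keeps the private key, the site stores only the public key, and each login signs a fresh challenge bound to the site's identifier, so nothing reusable is ever sent. The `Authenticator` and `RelyingParty` types and the `rpID+"|"` digest are simplifications of my own, not WebAuthn's actual data formats.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator is the passkey holder (phone or password manager): private keys never
// leave it, and a biometric or PIN only unlocks the Sign step below.
type Authenticator map[string]*ecdsa.PrivateKey // site ID -> private key
// RelyingParty is one website with one registered passkey: it stores only the public key and the open challenge.
type RelyingParty struct{ ID string; pub *ecdsa.PublicKey; challenge []byte }
// Register creates a key pair scoped to the site; only the public half is sent to it.
func (a Authenticator) Register(rp *RelyingParty) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return err }
	a[rp.ID], rp.pub = priv, &priv.PublicKey
	return nil
}
// Challenge issues a fresh 32-byte random nonce for one login attempt.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	rp.challenge = make([]byte, 32)
	_, err := rand.Read(rp.challenge)
	return rp.challenge, err
}
// Sign answers a challenge for rpID; the browser fills rpID in from the page origin, so a look-alike domain finds no key.
func (a Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a[rpID]
	if !ok { return nil, fmt.Errorf("no passkey for %s", rpID) }
	digest := sha256.Sum256(append([]byte(rpID+"|"), challenge...)) // ties the signature to the site
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}
// Verify checks the signature with the stored public key and consumes the challenge, so it cannot be replayed.
func (rp *RelyingParty) Verify(sig []byte) bool {
	if rp.pub == nil || rp.challenge == nil { return false }
	digest := sha256.Sum256(append([]byte(rp.ID+"|"), rp.challenge...))
	rp.challenge = nil
	return ecdsa.VerifyASN1(rp.pub, digest[:], sig)
}

func main() {
	auth, site := Authenticator{}, &RelyingParty{ID: "example.com"}
	_ = auth.Register(site)
	ch, _ := site.Challenge()
	sig, _ := auth.Sign("example.com", ch)
	fmt.Println("login:", site.Verify(sig), "replay:", site.Verify(sig)) // login: true replay: false
}
```

Registration sends a public key, login sends a signature over a one-time challenge, and the site can leak its whole database without exposing anything that logs a user in.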

  • by cyberax on 7/6/24, 3:07 AM

    Yeah, Apple's gonna Apple.

    In other words, they'll use Passkeys as a way to deepen the vendor lock-in. It has already started. For example, try to log into your Apple ID account using Safari, and it works via passkeys. No password needed. That's because Apple created a Passkey for apple.com automatically behind your back.

    Now try the same from Firefox with BitWarden, and it doesn't work. And of course, there is no way for you to set up the passkey manually.

    There's also no API to export it. Wouldn't it be nice if you could install the BitWarden desktop client, and then use it to migrate your passkeys? Nope. Not an option. The entitlement to interact with the Keychain for passkeys is only given out to browser vendors.