Google, Apple and Microsoft: A password-free future is in the making (FIDO/Passkeys)

Passwords are necessary, and secure passwords are a must. But they are a pain in the back. :slight_smile: No matter what tools we use to make handling passwords feasible.

There have been efforts for years to replace passwords.

Google, Microsoft and Apple have just announced that we will see results “in the coming year”.

I can’t wait! :slight_smile:

2 Likes

TBH, I rarely find passwords to be a problem. I can’t remember the last time I had to reset a password due to something being my problem.

I’m all for easier, but only if I’m not reliant on a single provider. The horror stories you hear about people locked out of their Google or Apple accounts with no ability to speak to a person or, in many cases, to appeal against an unjust or nondescript “ban” in a fair process make me fearful.

I like my accounts to be disconnected from each other and to a large extent in my control rather than one entity.

4 Likes

I agree. If this results in a solution that offers greater security then I’m all in. As long as it doesn’t lock me into one provider I’ll definitely take a look at it, after it’s been in use for a couple of years.

1 Like

Even 1Password is joining this future:

4 Likes

I didn’t see that coming :grinning:

2 Likes

That’s smart and good for the long term for 1Password as they strategically plan changes.

3 Likes

That would raise questions about how users would deal with the loss of a device and seemingly eliminate the possibility of signing in using someone else’s device, but those are implementation details.

Sigh. Long experience has taught me that “implementation details” frequently don’t get hammered out well until long, long after something is implemented.

1 Like

This is just public key cryptography:

More info:

I use it on my Macs now when I SSH from my Studio to my Mini. macOS has command line tools to facilitate this. It appears this effort is to make it easier for everyone to use.

2 Likes

I get that it’s public key cryptography, and have no real objection to that part. But we’re not talking about a tech that tells people to get a private key and then safeguard it because they’ll be locked out of their entire life if they lose it.

We’re talking about practices like somebody’s device being the thing that ties them to their private key, with all the weirdness and unpredictability that entails.

I’ve been down too many roads with people that couldn’t get into (Apple ID / Microsoft account / GMail) because they lost a device - and putting even more blind faith in those (IMHO) semi-rickety systems doesn’t feel smart to me.

If you lose your iPhone, for example, will Apple have your public key? What if you can’t get a replacement iPhone, and grab an Android? Will Google be able to get your key that was previously authenticated only via your iPhone and TouchID? There are a lot of questions, and device manufacturers have - again, IMHO - historically done a bad, bad job at answering those questions.

1Password is just about the only saving grace here, because they’d save the key in their software rather than tying it to your device. That’s a win.

1 Like

I do not know how Fido will handle things. But I know that Apple currently allows adding one’s private key to the Keychain, which IIRC can be shared with all devices with the same Apple ID.

So if I were to lose my iPhone, then I could use any other Apple device with the same Apple ID, including a replacement iPhone.

Of course I’d need to know my Apple ID and password, but that is the same as with 1Password.

And if I could only get an Android phone, then I’d need to re-authenticate with the services I use. Today I’d use the “I forgot my User Name and Password” mechanisms. With Fido I suppose I’d need to generate a new key pair and start sharing my new public key.

Fortunately I’ve never had the experience of someone losing a device and subsequently being locked out of a service. So maybe I’m being overly optimistic. But if that happens with the mechanisms in place today, how would this change make things worse?

1 Like

Ah, but that’s the rub. Apple requires two-factor. “We sent you a code on your device”. Assuming you have the device. And that you haven’t changed your phone number from whenever you originally set up your Apple ID, or that you’ve had the foresight to anticipate being locked out and update it.

But how do you do that without the old device so that you can prove it’s you trying to change your credentials? Probably not a huge deal for Netflix, but could be a Big Problem for email. For example, Google locked out a friend of mine and would not allow him to use his recovery email to reset his password without him having his physical device.

It would be worse because right now if you lose your phone, you might lose your access to your Apple account. It would suck, and it would cost you money, but you could make another one. If FIDO is poorly implemented, losing your phone could cause you to lose access to EVERYTHING in your online life.

These problems are solvable, but tech companies are historically Very Bad at doing so IMHO - especially when the service isn’t a profit center for them.

1 Like

Good points. Thanks.

I don’t know if it’s a regional feature, but here in Brazil I can use my phone number to receive an SMS with the 6-digit code.

If I’m without access to my Mac, or my iPad and…

If I lose my phone (I’ve been there) I just erase it remotely, buy a new SIM card, properly link it to my phone number and put the new SIM card in any phone while I buy a new phone and solve any security issues.

We have SMS two-step login here, too. Recovery is convenient, but the downside is that if someone manages to port your number to a new SIM (doable, unfortunately), they can bypass you, likely reset passwords, etc.

1 Like

Glenn Fleishman has done an awesome job explaining how passkeys will work - for the rest of us.

Highly recommended (if you are a developer or a power user that already knows everything about passkeys, this article may not be for you)!

I do not see any issue with FIDO/passkeys. I think that many of us have experienced over the years how hard it is to deal with secure passwords, especially for the everyday user, so we keep projecting the issues passwords have onto FIDO/passkeys. Glenn Fleishman’s bullet points speak for themselves:

  • Each passkey is unique—always.
  • Every passkey is generated on your device, and the secret portion of it never leaves your device during a login. (You can securely sync your passkeys across devices or share them with others.)
  • Because passkeys are created using a strong encryption algorithm, you don’t have to worry about a “weak” password that could be guessed or cracked.
  • A website can’t leak your authentication credentials because sites store only the public component of the passkey that corresponds to your login, not the secret part that lets you validate your identity.
  • An attacker can’t phish a passkey from you because a passkey only presents itself at a legitimately associated website.
  • Passkeys never need to change because they can’t be stolen.
  • Passkeys don’t require two-factor authentication because they incorporate two different factors as part of their nature.

Those are just the bullet points. He does a great job explaining everything in depth.

3 Likes

I noticed that my Passkey (for Cloudflare) synchronizes between iOS 16 and macOS 12 (with Safari 16) via iCloud Keychain, but not with iPadOS 15.

Is this intended behavior?

Do I need to wait for iPadOS 16 for full sync support?

(I can create a separate Passkey on iPadOS 15, but can’t see that item in the Password section in iOS Settings and it does not sync to other devices)

PS: Unfortunately Cloudflare uses the Passkey for 2FA only, it does not replace username/password :cry:

I do not know for sure, but I think that passkeys do need the new versions of all operating systems that are being released this fall. So, it very well might be the reason why you are not seeing it working through all of your devices in its full functionality.

It will not take much time until iPadOS 16 is released. And I guess that we will learn more about the macOS Ventura release date pretty soon.

1 Like

Thank you for that link; I did not know that Apple clearly states that iOS 16 (and thus probably iPadOS 16 - though they forget to mention that…) is required to sync Passkeys.

1 Like

Does this link with hardware passkeys such as a YubiKey?

Besides the use of passkeys in some private installations, or on special geek sites, I wonder why I haven’t been confronted with the possibility to use a passkey on the internet, or with an app on one of my devices, yet.
If this really is the Holy Grail, why is it not yet in use on a wide base?
Or are your observations different regarding the availability of passkeys?

1 Like