Episode 022: 11‐06‐2024 Debunking Misconceptions About Passkeys - GluuFederation/identerati-office-hours GitHub Wiki

Title: Debunking Misconceptions About Passkeys

LinkedIn Event

Description

Tim wrote on LinkedIn:

There have been a few blog posts (and resulting social media and forum discussions) going around the past few weeks about #passkeys, mostly painting them (or organizations who have been working hard to bring passkeys to users all over the world) in a negative light. Many of the responses have been accusatory, conspiratorial, or just plain incorrect.

In this episode Tim and Matthew are going to discuss the top misconceptions:

  • User verification is DRM - Tim
  • Passkeys are just big tech lock-in. What is CXP? - Matt
  • Passkeys are proprietary - Tim
  • Passkeys sync my biometric data / websites get my biometrics - Matt
  • Enterprises waiting for a passkey panacea - Tim
  • Passkey = federated login - Tim
  • Passkeys require my phone every time - Matt
  • A password in a password manager is just as secure - Tim
  • Passkeys don't work on Linux - Matt

Homework

Takeaways

  • Is there the potential for lock-in? Yes, although the same case could be made for any password manager. But I think it's defensible. In chapter one of his awesome book The Effective Engineer, Edmond Lau says "Focus on High-Leverage Activities"--i.e. focus on the tasks that produce the most value. Are passkeys perfect--heck no! But for consumers, the biggest attack surface area is stolen passwords and phishing. So if we can reduce this impact, and reduce vendor lock-in later, as General Patton said, "A good plan [diligently] executed now is better than a perfect plan executed next week".

  • When you register a FIDO credential, you are not storing any biometric template on the server, or providing any identifier that can be used by third parties to correlate you (like your Gmail or Apple ID). Importantly, a federated IdP cannot track the websites you visit, because the keychain delivers the key to your browser--it doesn't return tokens to the RP. Matt mentioned that the FIDO specs might even deprecate sending the modality of the second factor (e.g. fingerprint, PIN, etc.) to the RP.

  • While IMHO passkeys were initially targeted at consumers, workforce adoption is possible. To paraphrase Tim, it's closer than ever. But there are still gaps in user experience that may present challenges to workforce deployments, like enrollment or weird behavior from browsers supporting "legacy" passkey features.

  • WebAuthn is about the browser, but for mobile (iOS / Android) operating system calls it's mostly analogous. IMHO, passkey adoption may make more sense in first-party mobile applications where there is more control of the user experience. The variety of browsers and end-user FIDO devices makes passkey support for workforce or consumer web authentication somewhat unpredictable. First-party native applications don't need claims, they just need authn, so passkeys are a great fit--offering better user experience, security and privacy.
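To make the second takeaway concrete, here is an added example (not code from the episode or from Gluu) that assembles a constructed WebAuthn authenticatorData blob the way an authenticator would, then parses out exactly what a relying party keeps at registration: an rpId hash check, a user-verification flag, a sign counter, an AAGUID, a credential ID and a COSE public key. No biometric template and no account identifier appear anywhere in it. The RP ID, AAGUID, credential ID and all-zero public key coordinates are constructed placeholders, and the parser assumes no extension data (ED bit clear).

```python
import hashlib
import struct

# Constructed sample values (not from any real authenticator or RP).
RP_ID = "example.com"
AAGUID = bytes(16)  # all-zero AAGUID: authenticator model not disclosed
CRED_ID = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
# COSE EC2 P-256 key {kty:2, alg:-7, crv:1, x, y} with all-zero coordinates
# (valid CBOR layout, placeholder key material only).
COSE_PUBKEY = (bytes.fromhex("a50102032620012158200000000000000000")
               + bytes(24) + bytes.fromhex("225820") + bytes(32))

# authenticatorData flag bits (WebAuthn Level 2, section 6.1)
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x08, 0x10, 0x40, 0x80


def build_authenticator_data(rp_id, flags, sign_count, aaguid, cred_id, cose_key):
    """Assemble authenticatorData as the authenticator sends it to the browser."""
    return (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash (32 bytes)
            + bytes([flags])                           # flags (1 byte)
            + struct.pack(">I", sign_count)            # signCount (4 bytes, BE)
            + aaguid                                   # attestedCredentialData...
            + struct.pack(">H", len(cred_id)) + cred_id + cose_key)


def parse_authenticator_data(data, expected_rp_id):
    """Return only the fields an RP extracts and stores at registration."""
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = data[:32], data[32]
    sign_count = struct.unpack(">I", data[33:37])[0]
    # Binding to our own rpId is what makes a credential unusable on a phishing domain.
    if rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this RP")
    if not flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if flags & FLAG_ED:
        raise ValueError("extension data present; this minimal parser does not handle it")
    # The RP learns only *whether* user verification happened, not which modality.
    record = {"user_verified": bool(flags & FLAG_UV),
              "backup_eligible": bool(flags & FLAG_BE),
              "sign_count": sign_count}
    if flags & FLAG_AT:
        cred_len = struct.unpack(">H", data[53:55])[0]
        record["aaguid"] = data[37:53].hex()
        record["credential_id"] = data[55:55 + cred_len].hex()
        record["public_key"] = data[55 + cred_len:].hex()  # COSE-encoded, public only
    return record
```

Everything in the returned record is either a public key, an opaque identifier scoped to this RP, or a one-bit flag; that is the whole server-side footprint of a passkey registration.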

Livestream Audio Archive

here