100% of the arguments against using passkeys for e2ee data apply to using passkeys as credentials.

(Unless they are not credentials, and you can loose them then do a password reset via a phishing prone channel like email and SMS. Supporting this eliminates any possible user benefit of passkeys.)

In addition to the arguments in the article, when used as credentials, they are an obvious trojan horse allowing large websites to completely hijack your operating system.

Don’t believe me? Try logging into a bank or using rideshare/parking/ev charging with degoogled android. This is where passkeys are taking PCs, and it is their only purpose.

So, “Don’t use passkeys” would be a better title.

▲

lxgr 3 hours ago | parent | next [-]

> Don’t believe me? Try logging into a bank or using rideshare/parking/ev charging with degoogled android.

What does root detection and other device attestation have to do with passkeys? Passkeys (at least Google's and Apple's) don't support device attestation.

▲

inkysigma 9 hours ago | parent | prev [-]

Passkeys are an open standard? You might as well argue against SSH keys.

▲

hedora 9 hours ago | parent [-]

The standard includes a hardware attestation path.

That’s the backdoor allowing the eventual takeover of your OS.

First people use passkeys, and they become standard.

Then they become required for important accounts for security.

Then the important accounts require the attestation bit.

At that point, you cannot run web browsers on open source operating systems.

This is all boring and predictable. It is exactly what they did with Android, and exactly the same organizations are pushing passkeys.

Note: If they had good intentions, the operating system would manage any attestation, and not allow websites to query for or require attestation support.

▲

johncolanduoni 9 hours ago | parent | next [-]

The attestation actually has nothing to do with the browser, only the holder of the passkey's key material. You can satisfy the attestation by having a passkey on your Android device and doing the normal Bluetooth flow with your Firefox browser on your Framework laptop. So this mechanism is totally useless for enacting this plan.

The operating system doesn't manage attestation because that's totally useless for the stated goal of the attestation system. Enterprises don't want their SaaS vendors to accept passkeys from some random employee's BitWarden, instead of the hardware keys they issued the employee. If the OS manages attestation and doesn't send anything to the relying party, then it doesn't solve anybody's problem at all.

▲

hedora 8 hours ago | parent | next [-]

It seems like it will only be a matter of time before consumer sites start requiring a patched OS with an attestation bit set in the key.

Also, as I understand it, sites can whitelist credential hardware.

If not, then the attestation is security theater. I (or an attacker on your machine), can just make a sw emulator of a hw attestation device, and use that to protect my choice of OS, (and skim your credentials).

If a whitelist exists, then my “hijack your OS” plan works: Require the builtin macos/windows/signed chrome on signed os password managers. That’s 90% of the market (and dropping) right now.

▲

johncolanduoni 7 hours ago | parent [-]

As I said, the attestation structurally does NOT attest to your OS or your browser that are displaying the website performing the authentication. It attests to the device that holds the passkey's key material, which is usually not your desktop computer.

▲

Borealid 4 hours ago | parent [-]

The attestation is in fact readable by the FIDO Platform (the browser/OS). It is not encrypted to be readable only by the RP (web site).

It talks about whatever you used to authenticate and the platform can manipulate (or omit) it.

	▲	johncolanduoni 4 hours ago \| parent [-]
		Yes, but the attestation does not tell the RP anything about the browser. The whole point of the nightmare scenario above was for Google to sneak browser attestation in via passkey attestation. The browser being able to see the attestation doesn’t matter for that.

▲

doubled112 9 hours ago | parent | prev | next [-]

Does Firefox support the Bluetooth flow on Linux at this time?

	▲	johncolanduoni 7 hours ago \| parent [-]
		That's a matter of implementing an open standard. Google hasn't done anything to prevent open source browsers and OSes from implementing it, and nothing in the spec makes it difficult for Firefox/Linux specifically AFAICT.

▲

debazel 7 hours ago | parent | prev [-]

I do not want any business with Apple/Google/Microsoft at all, including owning an Android or iPhone for hardware attestation.

▲

jesseendahl 6 hours ago | parent [-]

You don't need to use anything from Apple/Google/Microsoft. Passkeys are just WebAuthn which is an open standard.

	▲	debazel 4 hours ago \| parent [-]
		An open standard that has attestation in it which allows sites to block all open implementations. FIDO Alliance spec writers have even threatened that apps like KeepPassXC could be blocked in the future because they allow you to export your keys.

▲

lxgr 2 hours ago | parent | prev [-]

> The standard includes a hardware attestation path.

Yes, and iOS and Android's Passkey implementation does not support it, since doing so would be lying about a given credential being hardware-backend when it's actually not (due to being cloud-synced and often recoverable via some process).

Attestation is only for hardware authenticators, either dedicated ones like Yubikeys or non-synchronized Android WebAuthN credentials. (iOS only supports them in MDM contexts anymore, I believe.)