Looks like a huge amount of security vendors are working to have a secure and open standard for passkey portability between platforms.

It is always good to see major collaboration in the security space like this considering the harsh opinions that users of some of these vendors have toward many of the others. I just wish apps and sites would stop making me login with username and password if passkeys are meant to replace that lol.

  • unskilled5117@feddit.org
    link
    fedilink
    English
    arrow-up
    86
    ·
    edit-2
    2 days ago

    Seems like people in the comments are misunderstaning the point entirely. This protocol is about import and export from password managers and not about having them synced between devices. It would prevent a lock in effect. This is a great development!

    FIDO Alliance’s draft specifications – Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) – define a standard format for transferring credentials in a credential manager including passwords, passkeys and more to another provider in a manner that ensures transfer are not made in the clear and are secure by default.

    • Petter1@lemm.ee
      link
      fedilink
      arrow-up
      4
      ·
      12 hours ago

      Lock in effect of passkeys is just infuriating 😂good to see progress!

      • lud@lemm.ee
        link
        fedilink
        arrow-up
        1
        ·
        3 hours ago

        I personally like it. Imo passkeys should optimally be device bound and the private keys should be stored in TPM or equivalent and be non-exportable.

        • Petter1@lemm.ee
          link
          fedilink
          arrow-up
          2
          ·
          1 hour ago

          Well, nothing is stopping you to keep passkeys only in one place, why force others to do what you like? Now we have options and less friction to switch to a competitor. Which results in more competition and that results in better products. Well theoretically…

          • lud@lemm.ee
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            43 minutes ago

            I just don’t think synced passkeys should be the default for example iOS.

            What Microsoft is doing with device-bound passkeys using Windows Hello is imo great.

        • Spotlight7573@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 hour ago

          When most sites refer to passkeys, they’re typically talking about the software-backed kind that are stored in password managers or browsers. There are still device-bound passkeys though. Also since they’re just FIDO/WebAuthn credentials under the hood, you can still use hardware-backed systems to store them if you really want.

          While you’re right that device bound and non-exportable would be best from a security standpoint, there needs to be sufficient adoption of the tech by sites for it to be usable at all and sufficient adoption requires users to have options that have less friction/cost associated with them, like browser and password-manager based ones.

          Looking at it through the lens of replacing passwords instead of building the absolutely highest-security system helps explain why they’re not limited to device-bound anymore.