SECURITY: PASSKEYS appear to be NOT the security “silver bullet”

https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/

*** begin quote ***

The Enshittocene Period

Since then Passkeys are now seen as a way to capture users and audiences into a platform. What better way to encourage long term entrapment of users than by locking all their credentials into your platform, and even better, credentials that can’t be extracted or exported in any capacity.

Both Chrome and Safari will try to force you into using either hybrid (caBLE) where you scan a QR code with your phone to authenticate – you have to click through menus to use a security key. caBLE is not even a good experience, taking more than 60 seconds of work in most cases. The UI is beyond obnoxious at this point. Sometimes I think the password game has a better UX.

The more egregious offender is Android, which won’t even activate your security key if the website sends the set of options that are needed for Passkeys. This means the IDP gets to choose what device you enroll without your input. And of course, all the developer examples only show you the options to activate “Google Passkeys stored in Google Password Manager”. After all, why would you want to use anything else?

A sobering pair of reads are the GitHub Passkey Beta and GitHub Passkey threads. There are instances of users whose security keys are not able to be enrolled as the resident key slots are filled. Multiple users describe that Android can not create Passkeys due to platform bugs. Some devices need firmware resets to create Passkeys. Keys can be saved on the client but not the server, leading to duplicate account presence and credentials that don’t work, or worse, leading users to delete the real credentials.

The helplessness of users on these threads is obvious – and these are technical early adopters. The users we need to be advocates for changing from passwords to passkeys. If these users can’t make it work how will people from other disciplines fare?

Externally there are other issues. Apple Keychain has personally wiped out all my Passkeys on three separate occasions. There are external reports we have received of other users whose Keychain Passkeys have been wiped just like mine.

Now as users we have the expectation that keys won’t be created or they will have disappeared when we need them most.

In order to try to resolve this the workgroup seems to be doubling down on more complex JS apis to try to patch over the issues that they created in the first place. All this extra complexity comes with fragility and more bad experiences, but without resolving the core problems.

It’s a mess.

*** end quote ***
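The quoted post says the relying party's registration options decide which authenticators a user can even enrol, and that duplicate or half-saved credentials pile up. The following is an added example, not code from the quoted post or from any project it names: a relying-party-side helper that builds WebAuthn creation options and audits them for those two patterns. The member names are the standard PublicKeyCredentialCreationOptions fields; the `passkeyOnly` switch and the audit rules are this example's own assumptions.

```javascript
// Added example (assumption: a relying party choosing its own registration
// policy). In a real call, `challenge` and `user.id` are BufferSources; this
// helper passes them through untouched so it also runs outside a browser.
function buildCreationOptions({ rpId, userId, userName, challenge,
                                existingCredentialIds = [], passkeyOnly = false }) {
  return {
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [
      { type: 'public-key', alg: -7 },   // ES256
      { type: 'public-key', alg: -257 }, // RS256
    ],
    // Listing credentials the server already holds for this user makes the
    // browser refuse to mint a second one on the same authenticator. It only
    // helps if the server stores the id before it relies on this list.
    excludeCredentials: existingCredentialIds.map(id => ({ type: 'public-key', id })),
    authenticatorSelection: passkeyOnly
      // The "Passkey" option set: discoverable credential on the platform
      // authenticator only. Roaming security keys are never offered.
      ? { residentKey: 'required', requireResidentKey: true,
          userVerification: 'required', authenticatorAttachment: 'platform' }
      // Leaves the choice of authenticator with the user and does not burn a
      // resident-key slot on hardware keys that have a limited number of them.
      : { residentKey: 'preferred', userVerification: 'preferred' },
    timeout: 120000,
  };
}

// Audit a set of creation options and return the lock-in findings (an empty
// array means none of the audited patterns is present).
function auditCreationOptions(options) {
  const findings = [];
  const sel = options.authenticatorSelection || {};
  if (sel.authenticatorAttachment === 'platform') {
    findings.push('platform-only: roaming security keys cannot be enrolled');
  }
  if (sel.residentKey === 'required' || sel.requireResidentKey === true) {
    findings.push('resident-key-required: uses a limited slot on hardware keys; keys with full slots cannot enrol');
  }
  if (options.excludeCredentials === undefined) {
    findings.push('no-excludeCredentials: repeat registrations can create duplicate credentials');
  }
  return findings;
}
```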

So this ends my interest in “passkeys”.  Too bad.  It had a lot of promise.

Argh!

—30—