[ajnin]

> websites which [...] also want to know how the passkey is being handled by the user’s device to keep their accounts safe

This is exactly where passkeys go too far. "to keep their accounts safe" is always the excuse used to reduce the freedoms of users. Web sites have no business deciding how things are handled on user devices but it's precisely what passkeys enable. The boundary of control of a website used to stop at the interface between the site and the user. Now that boundary will extend to the devices. The idea of property and ownership is attacked again. The device is not something the user owns and has full control over but something that is a gateway to access content controlled by the big Internet companies.

Knowing this, how long until Netflix, Disney other content providers (sorry I don't know which ones are popular right now) demand use of a passkey originating form a device with a Trusted Platform (aka Untrusted User) Module ? This is part of a long plan initiated years ago with Windows TPM requirements, Microsoft account requirements. The gap between closed and open platforms will widen and the path is clearly to apply the Smartphone model where everything is closed, controlled, DRM'd, to other computers. We're lucky the IBM PC architecture was an open one but the war on that is on.

[throwawayffffas]

Yep the whole tpm thing and the device constrained nature they have envisioned is the major drawback.

But no they have to live in their secured enclave or on a dongle so that you can't copy them between devices because nothing ever happened to a device.

As if the rest of the users system is compromised the user can't be tricked into providing access to their account.

And no one ever "recovered" someone else's account.

The main benefit of passkeys is that they are keys you don't have to send them over the wire. The main risk of having them on disk encrypted purely in software is that a compromised system can lead to the keys getting stolen.

Their trusted platform bulshit doesn't really escape that threat though, instead of stealing your keys the attacking malware can just get access to your service and maybe even enroll their own key.

If you tried to login to a website and you got two requests to allow the use of your key one after the other would you really have the wherewithal to say no wait a second I just gave permission for that key to be used, the second request is obviously from malware on this computer that's trying to gain access to my account.

That's ignoring that the malware can just read everything you are reading.

The whole tpm obsession is security theater on top of a power play

[m-p-3]

> But no they have to live in their secured enclave or on a dongle so that you can't copy them between devices because nothing ever happened to a device.

I'm actually fine with this. It's like how SSH private keys are supposed to be handled: generated on the device, and never supposed to leave it.

The proper way of doing Passkeys is to have several Passkeys enrolled in your account, so that you always have a trusted device to access your services. Now, if the service doesn't allow multiple Passkeys per account that IS a problem.

[stavros]

I've seen this argument many times, but I don't understand it. Can you explain a scenario where this would be an issue? So, Netflix makes me log in with a passkey that comes from their own hardware, instead of my password manager. What's the danger there, beyond the fact that this seems to me extremely unworkable because I'd just never sign in?

[array_key_first]

The danger is that you now can no longer use netflix without they're approved hardware? Of course, that's essentially already the case with netflix, but this becomes dicey when services that actually matter take this approach.

And then suddenly you're debanked.

[stavros]

No, we're talking about logins, not usage. Can someone explain to me a case where logging in only with an approved authenticator would be problematic?

[geonineties]

How exactly are you going to use a service that requires login if the login requires an authorized device you don't have?

[stavros]

OK, so what's the scenario? Netflix wants to make me not use their service? Surely there are easier ways to do that than to make a new auth standard?

[throwawayffffas]

It's not really Netflix. Its Microsoft, Apple and Google.

So say goodbye to using teams on Linux. Using Microsoft365 on any hardware that is not Microsoft approved.

Or logging in to your bank without an iPhone or an android. We will surely complain but the bank will say that we only support secure devices and that means iPhones and Android, and how come you are making a big deal about it just buy one of these two everyone else has one.

[petre]

> Web sites have no business deciding how things are handled on user devices but it's precisely what passkeys enable.

On the contrary, their operators can decide whatever they like, but I won't be visiting them if they go the passkeys route. I can live w/o Netflix or Disney just fine.

Your PII will leak off their platform anyway.

[ajnin]

You'll also have to live without banking, government ID ... The "I don't need those services" rhetoric only goes so far.

[JohnFen]

At least where I live, there are no actually important services that can't be done in person.

[throw-the-towel]

Yet.

[DANmode]

How do you keep out multi-device USB HSM users?

Arbitrarily?

I’ll die on that hill.