[jmsgwd]

I keep hearing it repeated, but where does this "tied to a single device" idea come from?

The default, built-for-the-masses implementation of passkeys is called "synced passkeys". They are designed to sync between all your enrolled devices, ideally using end-to-end encryption.

You authenticate with whatever device you happen to be using at the time - phone, tablet, laptop, desktop - doesn't matter. If you lose one, you replace that device and re-enroll - then all your passkeys magically re-appear on the new device.

If you're cross-platform, modern password managers work across ecosystems - for example, 1Password syncs passkeys between Mac, Windows, iOS, Android, and Linux. If you're all-in on Apple, their native passkey implementation syncs passkeys between all your Apple devices. I thought Google and Microsoft do something similar now.

It's a real mystery why people believe passkeys have to be stored on your phone only.

[everfrustrated]

If I use windows at home (gaming), mac at work and android on my phone - how exactly are these supposed to seamlessly work together?

[jmsgwd]

There are many cross-platform password managers that sync very nicely, which would solve for the machines you control - the Windows gaming machine and Android phone.

For machines you don't control, such as your employer Mac, well that's a special case. In theory you can use "FIDO Cross-Device Authentication", which is a passkey flow designed specifically for authenticating on one device using a passkey stored on a different device, and involves scanning a QR code.

I've never tried this though. Personally I tend to avoid mixing personal stuff with work stuff, so the problem rarely arises.

[spencerflem]

Because by default, they do, and you have to explicitly install software to let it be moved. And even if you do, it’s discouraged and the spec is allowed to deny you access.

[timmyc123]

This is not correct. The default credential manager on all devices except for Windows, creates synced passkeys. And Windows will be changing soon.

[spencerflem]

Synced to one ecosystem tho. I don’t care if Microsoft deigns to let me use it across all of my devices they own.

Passwords I can bring anywhere.

[timmyc123]

Not exactly. For example, the default credential manager on Android is Google Password Manager, which works on Windows, macOS, iOS, and Ubuntu. There are also dozens of other third party choices.

[timmyc123]

> it’s discouraged

Why do you say that? There are billions of synced passkeys being used by users with some of the largest sites and services in the world.

[spencerflem]

Last I heard, they were pushing hard for resident keys only, maybe that's changed. I don't like that there's still the option to restrict it to that in the same way having the option to force remote attestation makes me uneasy.

[timmyc123]

A passkey is a discoverable credential (aka resident key) in spec terminology. But the type of credential has no relationship to attestation (which is not used in the consumer passkey ecosystem).

[spencerflem]

Ah my bad, I thought the distinction was resident = stored on a YubiKey/Secure Enclave/TPM and that was what made them resident.

To my credit I think yubikey uses the term that way and webauthn has a different definition but in the context of passkeys you’re right.

[jmsgwd]

Just to point out, protecting a key using the secure enclave and syncing it using end-to-end encryption aren’t necessarily mutually exclusive.

The security property you care about is that the plaintext key is only ever processed in use within the secure enclave (transiently, during authentication).

That doesn’t preclude syncing or backing up the encrypted key via a cloud service - if the device allows the application to do that.

[timmyc123]

> stored on a YubiKey/Secure Enclave/TPM and that was what made them resident.

Stored in an authenticator/credential manager in general, not specific to a security key, secure enclave, or TPM.

[jmsgwd]

> Because by default, they do, and you have to explicitly install software to let it be moved

Apple's native passkey implementation doesn't require doesn't require you to install extra software, and the passkeys sync by default. I thought Google's and Microsoft's were similar - but I haven't tried them.

> And even if you do, it’s discouraged

Really? Where is it discouraged? I thought synced passkeys are intended as the solution for consumers.

> the spec is allowed to deny you access

Yeah but I thought that's for enterprise use cases, not consumer. E.g. employers that want to enforce device type restrictions on their employees.

[spencerflem]

It does if you want to share accounts between my iOS phone and Linux desktop. And it still puts you entirely at the whims of Apple, etc. if you’re allowed to log in to unrelated accounts.

& I think it is mostly being used for enterprises for now ,but much like TPM and remote attestation running on “my” computer, I don’t like that it’s an option