“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.

  • @rickdg
    link
    English
    441 month ago

    If you tell corporations there’s a way to increase lock-in and decrease account sharing, they’re gonna make it work.

    • umami_wasabi
      link
      fedilink
      English
      231 month ago

      One is a new technical specification called Credential Exchange Protocol (CXP) that will make passkeys portable between digital ecosystems, a feature that users have increasingly demanded.

      I.e. I can copy my key to my friends’ device.

      • @rickdg
        link
        English
        111 month ago

        I believe that’s Apple talking to Google, not anything local you can own.

        • @[email protected]
          link
          fedilink
          English
          81 month ago

          Read the article, it’s literally about replacing Import/Export CSV plaintext unencrypted files with something more secure.

          I.e. moving your passwords/passkeys between password managers. This is not about replacing stuff like OAuth where one service securely authorizes a user for another.

        • trevor
          link
          fedilink
          English
          51 month ago

          It’s gonna work with KeePass and Bitwarden once it’s finalized.

          • @rickdg
            link
            English
            21 month ago

            I’d love to see that.

      • @_bcron_
        link
        English
        -1
        edit-2
        1 month ago

        I’m not in software but from what I read the importer sends a request and that request is used by the exporter and importer to encrypt and decrypt, so I think there’s a way to tweak the whole process a little and instead have both the exporter and importer ask Netflix or whoever to provide a key as opposed to using the request. Could be wrong tho

        • umami_wasabi
          link
          fedilink
          English
          8
          edit-2
          1 month ago

          That’s not how Passkey, and the underlying WebAuthn works.

          (Highly simplifies but still a bit technical) During registration, your key and the service provider website interacts. Your key generated a private key locally that don’t get sent out, and it is the password you hold. The service provider instead get a puclic key which can be used to verifiy you hold the private key. When you login in, instead of sending the private key like passwords, the website sent something to your key, which needs to be signed with the private key, and they can verify the signature with the public key.

          The CXP allows you export the private key from a keystore to another securely. Service providers (Netflix) can’t do anything to stop that as it doesn’t hold anything meaningful, let alone a key (what key?), to stop the exchange.