Passkey questions, related to those stored in Bitwarden, maybe those used to log into Bitwarden

I’m sure passkeys will be the way to go, but I am wary at the moment.

After all, Microsoft, Apple, Google, Amazon, Oracle et al. have always had the customers' best interest as their top concern. I'm sure they will not take advantage of the average user's lack of knowledge to lock the user into the corporation's own ecosystem while locking out other providers 😀

When it comes to passkeys I am one of those average users. I need a proper explanation, preferably with nice little drawings of Alice and Bob, a client PC and a server.

  • Who generates the passkey?
  • Is there a third party involved in the generation and authentication? The equivalent of a CA.
  • Where is the passkey stored? Is it similar to the Public/Private key model?
  • Is it time sensitive? Will logins fail if the PC time is incorrect?
  • Are there known inter-working issues? Will there be some sites where I will not be able to use BW to store the passkey?
  • What is the recovery strategy for sites using passkeys? In the future, am I going to be maintaining hundreds of text files containing recovery codes?

I have probably forgotten a few points, but you can see why I am not keen to be an early adopter of passkeys.

Hello,

AFAIK, Google already has a mechanism in place to allow the storage of passkeys in third-party password managers like Bitwarden. It requires Android 15+(?) to get the full capability. Microsoft is doing the same, and in fact, Bitwarden is rolling out the feature that allows it to act as a passkey authenticator for Windows 11 platforms.

You can check out the FIDO2 documentation to get the full details. According to this page, the user's passkey authenticator (password manager, security key) does. It happens locally.

This is from the same document as the previous question. “The browser, operating system, and the password manager (or security key) work together to make this a seamless experience.”

Also, the browser/OS ensures that you are talking to the right server, making the authentication phish-proof (as long as the participating components aren’t compromised) and relying on the existing HTTPS certificate infrastructure.

The server has the public key. Only the authenticator (password manager, security key) has the private key. Yes, passkey authentication is based on a public-private key model.

The primary method used right now is your existing password/2FA. This works mostly because few sites are completely getting rid of passwords. You can ditch your Microsoft password, but you will use their recovery method to regain account access. I haven’t had a single passkey account that provides passkey-specific recovery codes, although this is obviously not out of the question for the future.

P.S.: I split your post into its own separate thread to give it its own discussion space.

1 Like
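As an added illustration of the model the reply above describes (this is example code written for this thread, not Bitwarden's or the FIDO Alliance's code, and it simplifies the real WebAuthn message formats): the authenticator generates the key pair locally, the server keeps only the public key, and the origin the browser reports is bound into the bytes that get signed, so a look-alike site that proxies a login either gets no signature at all or one the real server rejects. The names bank.example, evil.example and alice are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator (password manager or security key): private keys, one per site, never exported.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
// RelyingParty (the server): its own identifier plus one public key per registered user.
type RelyingParty struct{ id string; pubs map[string]*ecdsa.PublicKey }
func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }
// Register generates the key pair inside the authenticator; only the public key leaves it.
func (a *Authenticator) Register(rp *RelyingParty, user string) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.keys[rp.id] = priv
	rp.pubs[user] = &priv.PublicKey
}
// Sign answers a challenge; the origin the browser reports is bound into the signed bytes.
func (a *Authenticator) Sign(origin string, challenge []byte) (signed, sig []byte) {
	priv, found := a.keys[origin]
	if !found {
		return nil, nil // no credential for this origin, so nothing to hand to a look-alike site
	}
	signed = append([]byte(origin+"|"), challenge...)
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, digest(signed))
	return signed, sig
}
// Authenticate is one challenge-response round: random challenge, signature, public-key check. No clock involved.
func Authenticate(rp *RelyingParty, a *Authenticator, user, browserOrigin string) bool {
	pub, known := rp.pubs[user]
	challenge := make([]byte, 32)
	rand.Read(challenge)
	signed, sig := a.Sign(browserOrigin, challenge)
	if !known || sig == nil || string(signed) != rp.id+"|"+string(challenge) {
		return false // unknown user, missing credential, or origin mismatch (a phishing proxy)
	}
	return ecdsa.VerifyASN1(pub, digest(signed), sig)
}

func main() {
	bank := &RelyingParty{id: "bank.example", pubs: map[string]*ecdsa.PublicKey{}}
	vault := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	vault.Register(bank, "alice")
	fmt.Println(Authenticate(bank, vault, "alice", "bank.example")) // true: genuine site
	fmt.Println(Authenticate(bank, vault, "alice", "evil.example")) // false: phishing proxy
}
```

Nothing in the exchange depends on the device clock; in the real protocol the certificate checks that HTTPS performs before any of this runs are where a badly wrong clock would bite.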

I was hoping that somebody else would address the other two questions you have, but here we are. AFAIK:

Since the protocol relies on public/root key certificates, the certificate expirations will impact your experiences if your device time is wildly off. Otherwise, the authentication is based on a public-private key challenge-response mechanism that doesn’t rely on time.

Yes, because the relying party (the service) can demand certain attestations (capabilities of the authenticator), some types of authenticators may not work on a website. Although FIDO2 generally doesn't recommend this due to privacy concerns, they designed it in for "high-security" applications that may only want you to use a security key, for example.

1 Like