
These crop up every now and again but they never address my biggest concern, which is how we can be sure that https://w3c.github.io/webauthn/#attestation-object will not create a situation where only approved devices are allowed to authenticate.

It's not hard to imagine Google and Apple and a few others finding ways to pressure authenticators into blocking access to users of devices that cannot prove that they're running firmware which bellyfeels ingsoc.




Device attestation is exactly what you want in a corporate (or government) environment, and exactly what you don't want for your own private devices.

In a sense though, we've already lost that fight: try ordering an uber (or anything else that has an app but not an equivalent website) without both your device and OS being from one of a small set of approved manufacturers. Firefox OS never had a chance.


People said I wouldn't be able to use ride sharing apps or banking apps on GrapheneOS but so far I've been able to.

PagerDuty won't open though, which is a shame because having separate work/personal profiles on the same device was kind of the point.


It is a fair worry. On one side, there are sites with regulations that they are supposed to meet and it's hard to do so without knowing something about the passkey provider. If we want to try and replace SMS OTP, which is depressingly easy to compromise, we can't ignore such things.

On the other, we don't want to create a situation where it's impossible to start a new passkey provider because you'll never get 1000s of websites to put you on their allowlist.

So far, we haven't done attestation for passkey providers at all. There is only the AAGUID, which is a spoofable identifier should any sites try to filter based on it. There are legitimate cases where sites are required to know more, but we're trying to find a path that doesn't lead to the problems that you worry about and, so far, are erring on the side of openness.


> it's impossible to start a new passkey provider because you'll never get 1000s of websites to put you on their allowlist.

You ignore history, and human nature.

Everyone will just hardcode a big `if microsoft || google || apple` and call it a day. And over time local gov will require companies under their TLD also add gov.TLD and that will be status quo forever.

As other commenters mentioned, EU official login (which accepts SMS but not TOTP!!!) already works with passkeys with only weird approved devices (mostly android/ios apps which try very hard to detect non-stock roms)


> On one side, there are sites with regulations that they are supposed to meet

I find it rather hard to believe there are websites subject to regulations that are impossible to comply with today?

Are you sure you didn't hear this from someone creatively interpreting some unrelated regulation? Standards committees are always full of people trying to cram their employer's patents and products into the standards.


Disclaimer: Corbado co-founder here. That passkeys (WebAuthn) as a standard can support different levels of security requirements in the future on a common ground is probably the best thing. Even with an unknown new passkey provider, that's still more secure for the average consumer on a broad scale, with legitimate passkey providers being 99.9% of the market. For regulated entities, that's an important area of extension. But even for banks, passkeys can easily replace the first factor, as phishing there is the biggest concern. I would argue that passkeys + SMS OTP for banking is probably far more secure than any other option currently available (even with the sad security of SMS OTP), just because consumers cannot voluntarily give their first factor away to phishing... Well, maybe not better than any option, but a lot of them.


I want to self-host my account credentials. Or more accurately, I absolutely do not want Apple | Google | Microsoft to be able to lock my account, and thereby lock me out of every other account. Especially as two of them have already done so.

If I could act as a passkey provider for myself, similar to how I can do that with SSH, then that’d be great. I do not comprehend why it’s not allowed, apart from being part of a further grasp for power by those companies.


Well, you can store your passkeys in a password manager like KeePassXC. Open-source password/passkey manager actually means more or less self-hosting your credentials as a third-party provider.


Google/Apple don't have to pressure anyone.

Companies like PayPal and eBay are already gate-keeping the ability to use PassKeys based on user-agent.

Firefox on Ubuntu doesn't get the option to sign-in with PassKeys on Paypal. Fake the UA over to Safari on OSX and it'll happily work.


That is probably because their implementation was released prior to Firefox implementing passkeys, and they have not yet updated their system.


You don't have to fear it. It's already here. I can't store my electronic government id on my Yubikey since it's not an approved device. So unless I buy a certain hardware token, my only option is to entrust my private key to a privately-owned certificate authority named A-Trust that forgot to renew their own root certificate once, taking out all government websites and services, and blamed an influx of users on a DDoS attack, in a regulatory environment where companies and even the government itself sue security researchers for disclosing security vulnerabilities responsibly, combined with tech illiterate journalists that buy whatever press statement they publish without verifying anything. Yeah uh, how about no? I trust my Yubikey more than you. I in fact lack so much trust in A-Trust that I assume my electronic government id is compromised, and that I among a few others call them A minus Trust, not A Trust.


Are you from Austria by any chance? So this is why I can't provision my yubikey for government authentication?


Australia, India, China, Brazil, EU. That I know of.

The US has id.me, which is even worse than everything under the sun, and a passkey bound to a device would be a welcome alternative.

Pray you never get poor enough to have benefits gatekept by digital government logins.


Here in Austria authentication revolves around this A-Trust entity (which is anything but) that the GP mentioned.

The way it works is by SMS, which is very bad. They also have two absolutely appalling and confusing apps for authentication (and signing documents, but that never works), but they are useless from a security point of view as you can always revert back to SMS. And sometimes you need both the SMS and the app. Ugh. Also, if you are a non-Austrian citizen you need to register your phone with the police to be able to fully use most services.

I want to get rid of this SMS loophole, and my understanding is that they used to support smartcards[1], and now support FIDO2 keys. Smartcards are annoying so I am trying to use my Yubikey, but when I try to provision it, it fails with some generic error.

[1] Our health insurance cards used to be these smartcards, but I believe this system has been discontinued, although it's definitely still in use for medical services.


My point is that Australia, like the others I mentioned, is phasing out SMS, and, more importantly, has already phased out TOTP. Because they want you to use a dumb app which collects data.


Yes, exactly. Here is a list of approved hardware tokens: https://www.a-trust.at/de/fido/


I don’t know anything about this. But let me guess: they also require you to use edge or chromium or some closed source and shitty sidecar application on your desktop?


FWIW Apple explicitly doesn't support attestation for consumer Apple IDs. Only for managed Apple IDs. Exactly because they didn't like the implications of forcing authentication to pre-approved implementations.


You mean they don't support third-party attestation for consumer Apple IDs. Between parts pairing and the degree to which they've locked their App Store down, Apple is the king of things that refuse to be useful unless they're running in an approved environment.

They're just ensuring that their right to mistreat users is an exclusive one. Handcuffs are handcuffs, even if Apple is the only one who has the key.



