Concerns about passkeys

🌈 Abstract

The article discusses concerns about the implementation and implications of passkeys, a new authentication technology. It highlights issues around the lack of user control and migration options, the potential for discrimination against certain passkey apps, and the centralization of power that passkeys could enable.

🙋 Q&A

[01] Concerns about Passkeys

1. What are the key concerns the author has about passkeys?

• Passkeys cannot be exported or migrated between different applications, locking users into the app that originally created them.
• Apple is enabling passkeys by default in new versions of iOS and macOS, without the ability for users to migrate away from Apple as the passkey provider.
• The passkey specification allows websites to discriminate against certain passkey apps, such as the open-source KeePassXC app, by blocking them if they don't implement the specification in a way the website deems acceptable.
• The centralization of power around passkeys, with standards bodies and identity providers having more leverage over users, is a concern.

2. What is the author's view on the potential impact of these issues?

• The author believes that passkeys should not have been shipped to users without the ability to migrate between passkey providers first.
• The author is concerned that the current implementation of passkeys is "asking for trouble" and could lead to negative consequences for user agency and control.

[02] Discrimination Against Passkey Apps

1. What examples does the article provide of discrimination against passkey apps?

• The article discusses issues raised by a senior architect at Okta regarding the open-source KeePassXC app's implementation of passkeys, which was deemed non-compliant with the specification.
• The architect threatened that KeePassXC's non-compliant behavior could lead to the app being blocked by "relying parties" (websites that use passkeys).
• The article also mentions that websites can block passkey apps for allowing certain actions, such as exporting passkeys in clear text, even if the app warns the user about the risks.

2. How does the author view this potential discrimination against passkey apps?

• The author acknowledges the perspective of websites wanting to protect themselves from liabilities associated with insecure credentials.
• However, the author believes it is "bad for society" if only vetted and authorized entities can build passkey apps, and "bad for users" if they can't choose to use a particular passkey app.

[03] Centralization of Power with Passkeys

1. How does the article describe the shift in power dynamics with the introduction of passkeys?

• The article notes that passwords are inherently decentralized, with users having control over their own passwords.
• In contrast, passkeys introduce a standards body and the ability for websites to discriminate between passkey apps, giving identity providers and the standards body more leverage over users.
• The author is concerned that this could lead to the standards body and websites pressuring users to do things like reauthenticate more frequently, or blocking apps that don't implement the standard in a way the websites deem acceptable.

2. What is the author's recommendation regarding this centralization of power?

• The author believes that the passkey standards body should create cultural norms that "counteract" this centralization of power and "err on the side of user agency."
• The author is concerned that the issues observed with the KeePassXC app indicate that this is not happening enough.