It looks like there is some acknowledgement of the need to share passkeys.
Oh, that’s good to hear from a business perspective of needing to manage clients’ accounts. AirDrop is a very inconvenient way of doing it, though, as it requires your physical presence. It’s also not good to hear that Apple requires you to use an Apple device to make use of it, but at this point, not surprising.
I believe the argument against stealing passkeys is that you’d have to authorize the remote attack.
I just thought of this today. Yes, that would be the simplest approach and most phishing attempts would be thwarted by a properly-worded approval request. So in this respect, phishing is much harder.
Also, passkeys are not a substitute for hardware FIDO2 keys, like YubiKey.
That’s what I use and prefer. This page explains that Yubikeys also support passkeys.
The combination of these three technologies (processor, storage, and authentication) is referred to as a built-in platform authenticator in the FIDO documentation.
You seem to have a better grasp on it than me, because my head is spinning when I try to wrap my head around it all.
The TPM serves as the secure coprocessor, right?
As you know, Linux is a volunteer project focused on transparency and freedom. Technologies like TPM and face unlock infringe on these core goals. So, no one ever contributed a built-in platform authenticator to Linux. Therefore, the underlying support for passkeys is not present on Linux.
(I assume the technologies required to support built-in platform authenticators need to be implemented mainly in the kernel.)
The Linux kernel is actually one of the largest corporate collaboration projects in existence. Probably the biggest, actually. Just look at this insane list of corporate members for the Linux Foundation: Members of the Linux Foundation
The number of volunteers working on the Linux kernel is tiny compared to the number of paid programmers. In reality, I don’t think the Linux Foundation (and Linux stewards by extension) have any compunction about implementing support for passkeys. The reality is they just don’t have any reason to do it because they view Linux as only being incorporated in server OSes (and AOSP, but that’s not mainlined yet). Red Hat is the most likely candidate to implement it, but they’ve been winding down their desktop projects over the past year.
That’s as it relates to the kernel. Of course, I would be interested to see the LF’s perspective, but all I could find was this post about a completely different passwordless protocol. You’re likely right about the issues with TPM and transparency for other developers/maintainers for core software that interacts with Linux. It’s not a discussion I’m equipped to have because I just don’t understand it! Even after spilling so much ink about passkeys, TPMs, and whatnot, I’m not ashamed to admit that haha.
By using your phone, the Linux desktop doesn’t need a built-in platform authenticator.
Ah, right. I wonder if GrapheneOS supports passkeys in the way websites require. It would have the required hardware and secure unlock method. This thread suggests it will not:
In time, I hope that support for FIDO2 will improve within open source software. As far as FIDO2 and the FIDO Alliance is concerned, the door is open. But, I don’t expect passkeys to be supported on Linux. And, without a big tech daddy, synchronizing and other conveniences will be fewer on open source platforms (back up your FIDO2 secrets).
Sigh. I noticed Bitwarden has routinely missed any chance to mention what the support will be like on Linux-based operating systems, but they’re planning to launch this month, so we’ll see. I am not looking forward to the passwordless future, approved by Google™, Apple™ and Microsoft™.