FIDO Alliance Is Working on Making Passkeys Portable Across Platforms

Tim Hardwick, reporting for MacRumors:

The FIDO Alliance is developing new specifications to enable
secure transfer of passkeys between different password managers
and platforms. Announced on Monday, the initiative is the result
of collaboration among members of the FIDO Alliance’s Credential
Provider Special Interest Group, including Apple, Google,
Microsoft, 1Password, Bitwarden, Dashlane, and others.

Passkeys are an industry standard developed by the FIDO Alliance
and the World Wide Web Consortium, and were integrated into
Apple’s ecosystem with iOS 16, iPadOS 16.1, and macOS Ventura.
They offer a more secure and convenient alternative to traditional
passwords, allowing users to sign in to apps and websites in the
same way they unlock their devices: With a fingerprint, a face
scan, or a passcode. Passkeys are also resistant to online attacks
like phishing, making them more secure than things like SMS
one-time codes.

The draft specifications, called Credential Exchange Protocol
(CXP) and Credential Exchange Format (CXF), will standardize the
secure transfer of credentials across different providers. This
addresses a current limitation where passkeys are often tied to
specific ecosystems or password managers.

This initiative would address one of David Heinemeier Hansson’s primary complaints about passkeys, in a post I linked to earlier today.

Hardwick mentions un-phishability as an advantage of passkeys, and that’s very true. In fact, I think that was one of the primary selling points Apple emphasized when they introduced passkey support at WWDC two years ago. A scammer who gets a victim on the phone can’t trick them into revealing a passkey like they can with passwords or one-time numeric codes. But that use case is optimized for non-technical users.

A friend texted me with another argument for passkeys: it’s somewhat common for websites to break password autofill. Maybe it’s deliberate, in the name of fighting bots? But whether deliberate or not, with passkeys, they have to work with your browser’s connected password manager. So maybe passkeys are a net win for convenience, even for technically-knowledgeable users who are unlikely to fall for phishing scams.
