I’m still not sold on passkeys, and I don’t like to see KeePassXC singled out like this.<p>As someone who uses Mac, Linux, iOS, Android and Windows, I want something that lets me sync my authentication methods across all of them, and the KeePass ecosystem (even with 2-3 different apps) is the only game in town. I absolutely do not want to use a cloud-based or vendor-owned password manager, period.
These are valid concerns, and I can absolutely see situations where I would want to do both of those things that KeePassXC is doing (skipping user verification and exporting private keys). But security isn't a one-stop shop.<p>Doing user presence verification gets in the way of the user doing what they want to do. Not doing user verification lets an assertion be made in the background - possibly by a malicious script. Is that tradeoff worth it?<p>Letting the user export private keys is absolutely important for backup, and transferring between devices and services. But if you can easily export a private key then cloning it becomes significantly easier. Are trivially cloned keys a risk we're willing to take?<p>The answers to these depend on the user, the provider, the application and their combined threat model. Sometimes those risks are totally fine. Other times, they're totally not. The standards could open up more options and let the user or sites negotiate what they can and can't do. And the cost in that direction is that now the overall concept is more complicated, and it requires both site operators and users to learn what those tradeoffs involve - with a near certainty that security will be weaker as a result.<p>This isn't a cut-and-dried issue, with clear 'right answers' and villains. Tradeoffs exist in every direction, and there just aren't any security free lunches to be had here.
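The two tradeoffs above (skipped user verification, exportable and therefore clonable keys) both surface on the relying party's side as bits and a counter in the assertion's authenticatorData. The following is an added example written for this thread; it is not code from KeePassXC, Okta, any commenter, or the WebAuthn specification. It parses the fixed 37-byte prefix of authenticatorData (rpIdHash, flags, signCount, as laid out in WebAuthn section 6.1) and applies a hypothetical relying-party policy: the rp_id, the require_uv and stored_sign_count settings, and the sample authenticatorData are all constructed here for illustration.

```python
"""Relying-party checks on a WebAuthn assertion's authenticatorData.

Added example for this discussion, not code from KeePassXC, Okta or the
WebAuthn spec. The policy knobs (require_uv, stored_sign_count) and the
sample data are hypothetical; the byte layout and flag bits follow
WebAuthn section 6.1.
"""
import hashlib
import struct
from dataclasses import dataclass

# Bits of the one-byte flags field in authenticatorData.
FLAG_UP = 1 << 0  # User Present: a presence gesture (e.g. touch) occurred
FLAG_UV = 1 << 2  # User Verified: PIN/biometric/etc. was checked
FLAG_BE = 1 << 3  # Backup Eligible: credential may be synced/exported
FLAG_BS = 1 << 4  # Backup State: credential is currently backed up
FLAG_AT = 1 << 6  # Attested credential data follows (registration only)
FLAG_ED = 1 << 7  # Extension data follows

RP_ID_HASH_LEN = 32
MIN_AUTH_DATA_LEN = RP_ID_HASH_LEN + 1 + 4  # rpIdHash + flags + signCount


@dataclass(frozen=True)
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    def has(self, bit: int) -> bool:
        return bool(self.flags & bit)


def parse_auth_data(auth_data: bytes) -> AuthData:
    """Split the fixed 37-byte prefix of authenticatorData (big-endian counter)."""
    if len(auth_data) < MIN_AUTH_DATA_LEN:
        raise ValueError("authenticatorData shorter than 37 bytes")
    rp_id_hash = auth_data[:RP_ID_HASH_LEN]
    flags = auth_data[RP_ID_HASH_LEN]
    (sign_count,) = struct.unpack(">I", auth_data[RP_ID_HASH_LEN + 1:MIN_AUTH_DATA_LEN])
    return AuthData(rp_id_hash, flags, sign_count)


def evaluate_assertion(auth_data: bytes, rp_id: str, require_uv: bool,
                       stored_sign_count: int) -> tuple[bool, list[str]]:
    """Apply RP policy to an assertion. Returns (accept, findings).

    Mirrors the relevant steps of the WebAuthn assertion verification
    procedure: rpIdHash match, UP required, UV required if the RP asked for
    it, and the signature-counter clone heuristic. Signature checking is
    out of scope here.
    """
    ad = parse_auth_data(auth_data)
    findings: list[str] = []
    accept = True

    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        findings.append("rpIdHash does not match this RP")
        accept = False
    if not ad.has(FLAG_UP):
        findings.append("user presence flag not set")
        accept = False
    if require_uv and not ad.has(FLAG_UV):
        findings.append("user verification required but UV flag not set")
        accept = False

    # Counter heuristic: a non-increasing counter may indicate a cloned
    # authenticator. Synced/exportable credentials commonly report 0, which
    # disables the check entirely.
    if ad.sign_count == 0 and stored_sign_count == 0:
        findings.append("sign counter unused; clone detection unavailable")
    elif ad.sign_count <= stored_sign_count:
        findings.append("sign counter did not increase; possible cloned key")
        accept = False

    if ad.has(FLAG_BE):
        findings.append("credential is backup-eligible (synced or exportable)")
    return accept, findings


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData for offline testing (no signature)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "example.com"  # hypothetical RP ID
    cases = {
        "hardware key, UV done": (make_auth_data(rp, FLAG_UP | FLAG_UV, 7), 6),
        "UP only, UV skipped": (make_auth_data(rp, FLAG_UP, 7), 6),
        "synced passkey": (make_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0), 0),
        "counter went backwards": (make_auth_data(rp, FLAG_UP | FLAG_UV, 3), 6),
    }
    for name, (data, stored) in cases.items():
        ok, notes = evaluate_assertion(data, rp, require_uv=True, stored_sign_count=stored)
        print(f"{name}: accept={ok} {notes}")
```

Two caveats a relying party has to live with: the UV bit is whatever the authenticator chose to set, so the flags alone cannot prove that verification actually happened (distinguishing authenticator implementations is what attestation at registration is for), and the counter-based clone heuristic only works when the authenticator maintains a counter, which synced credentials typically do not.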
Everything old is new again: <a href="https://www.netrek.org/about/netrekFAQ.html#10" rel="nofollow">https://www.netrek.org/about/netrekFAQ.html#10</a><p>"""
I compiled the client source, but every time I try to connect to a server it kicks me out or tells me to get a 'blessed' binary. What gives?<p>It's possible to modify the client source to do lots of tedious tasks (like aiming, dodging, that sort of thing) for you. Since this gives you a big advantage over a mere human, netrek has a way of knowing whether you have a client that was compiled by the netrek Gods or by you. If you compiled it, netrek will assume it's a cyborg, and will kick you out if it's not cyborg hours.
"""
<a href="https://github.com/keepassxreboot/keepassxc/issues/10407#issuecomment-1994299617">https://github.com/keepassxreboot/keepassxc/issues/10407#iss...</a><p><i>> You absolutely should be preventing users from being able to copy a private key!</i><p>Huh? This is dumb. Users should be able to do whatever they want with their private keys. Looks like the post is on point about the push to take away control from the user. This is an anti-feature that should not be sneakily accepted as a security feature.<p>When DRM-like stuff is shoved on the user in the name of security, it turns into the means to control the users by whoever makes those decisions for them. This should always be opposed.<p>Having requirements like "users should not be allowed to do X" stinks to the extreme.
In general anyone can make a passkey app. Keepass chooses to be out of spec. No one is gatekeeping them. If an nginx server receives bad data it spits out a 400 error instead of processing the request. One of the reasons browsers are still effed up is because they refused to be standards-compliant and we're still paying for quirks mode. I would like to see this article complain about an http server handling a bad actor.<p>Otherwise, create multiple passkeys. Create a passkey in your iOS keychain and in your Keepass app. This walled garden has a gate, walk through it.
This article is very poorly informed, and is likely written by someone who has never had to secure a site or work in a large enterprise. The author seems to be upset that site owners also have some authority to make decisions. They’re users of the technology too, you know.<p>Based on this article, I assume the author is also raging about companies using “do not copy” physical keys, or dictating the use of a key card to enter.
Bitwarden also supports passkeys, and works on iOS, Android, Mac, Windows etc.<p>Mind, I’ve no idea how well it does so. Every so often, my passkeys fail in some incomprehensible way, so I’m not very comfortable with the concept.
Attestation is pure evil and is the only reason that passkeys aren't great. It's only useful for things like blocking authenticators that refuse to DRM the user, exactly as Okta is threatening to do to KeePassXC.<p>To be clear, the only thing KeePassXC is "out of spec" about is that where the spec says "you must not let the user do X, Y, and Z with their own data", KeePassXC will let you do those things, after a warning.