By "secure" understand "from the user escaping big corpos", and one that the most used open source project was already rejected from because open source is just not compatible with it.
Open source isn’t compatible if it isn’t running in a secure attestation environment, because 1) people will modify it to be more convenient and less secure; and then 2) they’ll transfer keys from their HSM into plaintext. I’ve watched extremely competent developers spend months figuring out how to bypass second-device factors in order to have a more convenient workflow with their auth key stored in cleartext in a dot file. I know without a shadow of a doubt that if unattested open source was allowed to interop with passkeys, they’d abuse that just as readily in order to be free of the restrictions that HSM-mandatory storage carries.
Whatever the “most used open source project” you’re referring to is, all they need to do* is issue a 100%-reproducible binary that they then sign with their usual signing key. Once they submit that build for an independent audit and have it verified as not secretly backdoored, then the other password managers can trust it when secure boot attestation chains all the way down to their signature. This maintains the key benefits of open source — inspectability, pull requests, and so on — while adhering the specifications of PassKeys that protect them against expert users.
The password manager, whoever they are, would have likely figured this opportunity out on their own and then rejected it. I can’t be sure, though. Perhaps they didn’t realize it was possible! Or perhaps they opted out of participating.
Whatever the case, that’s not any fault of open source. It’s the fault of signatures: no binary is going to be permitted to exchange PassKeys unless it's signed by a trusted party adhering to the PassKeys ‘HSM only’ agreements. Whether their signed binary is reproducible open source or pure binary closed source is irrelevant in an attested environment.
No user-modifiable solution will ever be acceptable? Unless reproducible builds and audited modifications. But that’s not an open source problem. I have extensive Ghidra experience and source code is certainly no significant obstacle to extracting passwords. Source code is irrelevant to the problem; signatures, attestation, and secure boot are the key.
It would be perfectly reasonable for a consortium of no-cost, no-profit, open source password managers to jointly accept each other’s PassKeys for transfer under attested conditions — and if they did so genuinely without it being backdoored, then that would be a convincing argument both as an alternative to the ‘corporate’ passkeys system, as well as a convincing argument for W3C and the corporations to accept interop with their signed binaries under attested conditions rather than see the PassKeys ecosystem splinter. Certainly the W3C would pressure for their acceptance if their intentions were genuine :)
A useful analogy is blackhat badges. Whether the badge is open source or not has no impact on that blackhat requires an attestation from someone other than you that you’re welcome at the conference. Having source code is like having a badge schematic in this analogy: there are lots of good outcomes from it, but gatecrashing without agreeing to their rules isn’t welcome.
* Assuming that they want to pass at all, as opposed to taking some sort of hard stance against the core precept of PassKeys: i.e. “the user can’t be trusted, even if they’re an expert”. But, again, that’s nothing to do with open source.
But this is exactly the problem: Passkeys as a core principle require that there is a third party that manages access between the user and a service. That's the entire idea.
In the absolute best-case scenario, the user gets to choose which third party to trust and could even switch to a different one later - but the general dependence on a third party will always stay.
Yes, precisely! That’s what I’m hoping to raise awareness of here. It’s DRM for passwords, that effectively blocks malicious attackers from exporting credentials, basically without exception.
Is killing off password theft worth the tradeoff of restricting the legitimate user’s rights, or is this a step too far towards authoritarian overreach, no matter how significant the harm done to humanity by password theft?
Societal-level ethics are incredibly interesting to me, so I’m glad that the broader tech community is catching on to the ethical dilemma and engaging with it. PassKeys are a ‘good first bug’ for evaluating large-scale ethical tradeoffs of technology: the benefit and tradeoff are clear and obvious to everyone once explained, unlike so many other ethical dilemmas in tech.
I think passkeys are packaging up two different "innovations" into one system:
1: Replace passwords with classic public key auth. The benefits of that are uncontroversial and the tech has been successfully in use for decades (e.g. with SSH keys).
2: Lock away the private key in a HSM and introduce some complicated set of rules and protocols to ensure that no one, not even the user, ever gets to see it.
Seems to me, most of the security benefit comes from the first part (no confidential data is sent, no password guessing, etc) while most of the problems come with the second part.
So why not unbundle the two parts and add public-key crypto to the web that allows the user to store their private key themselves?
Again, this is how it's done for SSH for decades, and so far I haven't heard of any large-scale SSH phishing campaigns, even though there would be enough attractive targets.
The one benefit that's advertised everywhere is "bullet proof phishing protection", because each key is tied to a domain and the HSM can refuse to sign anything with the key that's not from this domain.
But you could implement an 80% version of that with accessible private keys as well: Just add the domain (or a hash of the domain's TLS cert) to the key's metadata and have the browser refuse to use the key if it doesn't match. A user could spend some effort and change the metadata, but the bar is MUCH higher than just typing in your password somewhere.
A phisher could also try and make the user run some tool that automatically switches the metadata (or just sends off the key directly). But at that point, the phisher would be forced to trip some classic red flags like getting the user to download a tool. Also, if the user did install the tool, they'd have a huge problem even with HSM keys: The tool couldn't access the keys directly, but it could impersonate the user and use the keys.
So I don't see why we have to go from plain passwords to "opaque walled garden" with no step in between.
> ensure that no one, not even the user, ever gets to see it
One small correction: this should read, “especially not the user”, reflecting the research and evidence collected over decades showing that authorized users are an apex threat to their own security.
The problem solved by passkeys is not addressed by #1, or else it would just be S/MIME-like certificates in password managers as we had for twenty years already in browsers only with better UI. If the user has the ability to access to private key underlying the public certificate, then an attacker can convince the user to extract and upload the private key and password, and an expert user can remove the password altogether. Passkeys takes the view that social engineering and malware attacks cannot be prevented so long as the secret is retrievable from the HSM into an unmanaged file, clipboard, etc.
The only way to close the social engineering attack vector is to design a system where users cannot upload a key even if they’re conned, which is why passkeys implement both #1 (to stop transmitting the secret) and #2 (to deny all human beings the footgun). And the only way that we know of in tech today, to technically deny humans their footgun when they have physical access to the device, is to build the OS around an HSM with secure boot and attestation so that the user can’t naively or expertly bypass the footgun safety by installing software.
So, today, we have to choose as an industry between denying users the right to extract private keys from the HSM, and allowing attackers to exploit users to extract private keys from the HSM. There is no known middle ground. Should we prioritize liberty over safety, or safety over liberty? That is the core contention of Passkeys, and ultimately of attestation.
> Passkeys takes the view that social engineering and malware attacks cannot be prevented so long as the secret is retrievable from the HSM into an unmanaged file, clipboard, etc.
Yeah, I know that Passkeys takes that view. I'm questioning that view.
We have precedent in form of SSH, PGP, S/MIME, TLS client certificates (or actually even just regular TLS certificates) and all kinds of crypto wallets. Have there been any actual studies how many private keys in those systems were sucessfully exfiltrated through phishing?
Because this justification sounds an awful lot like an excuse for lock-in and control creep - like the mandatory auto-updates that were also promoted in the name of security and now are frequently used to push through anti-features that go against the interests of the users.
Crypto wallet malware is widespread, SSH and AWS key theft is a regular and successful target of Python module malware, etc.
https://news.ycombinator.com/item?id=44791058 is the most recent post (yesterday) I can find, suggesting 200,000 impacted in a single malware instance. On average there are hundreds to thousands a year, but I don’t know their theft volume.
How many need to be impacted before the interests of user security should be given precedence over the interests of user liberties? Is there a hard line amount or is it fuzzy? Is it in the thousands, millions, or billions?
You’re definitely asking an excellent line of questioning, in my view. IS all of this Passkeys crap worth it? Will it make a significant and meaningful difference? That has to be a set of questions that the W3C has presumably studied, and if you’re lacking for sources to begin research, I would check their drafts and discussions first.
I’m not the right person to look for studies pro/con to your viewpoint, though: this topic, as with most social morality topics, is essentially academic to me — which is one of the great joys of being asocial, as I love that academia, but also means that I can’t construct a working theory of mind to support someone else’s viewpoint, pro or con, without it being uncanny valley broken and weird. I see a lot of people upset about this topic and it’s transparent enough for me to lay it out plainly, and I care about people en masse and I want to see these discussions progress beyond “this sucks” reflexive disregard and towards - for examples - “is there any better way technically”, “what led to the sacrifice of liberty deemed acceptable”, and “is it appropriate to be so cynical about human beings when they’re their own biggest enemy”.
This is one of the aspects of passkeys that make them unacceptable for me to use. They're just a nonstarter. If they're forced on us, it's just yet another thing that is making the web smaller and smaller for me.
> Is killing off password theft worth the tradeoff of restricting the legitimate user’s rights, or is this a step too far towards authoritarian overreach, no matter how significant the harm done to humanity by password theft?
If your government can order your password manager to lock you out of your passwords with no more trouble than locking you out of your bank account, then that lowers the cost of tyranny down to what the Chinese Communist Party enjoys.
I'm sorry, this is an absolute monstrous attitude towards user freedom in the name of security. There is no way I'm using passkeys if this is what they're about.
No need to apologize to me. Raising awareness is my mission goal for discussing attestation at HN. Not to promote it — there’s one specific use case for it that I think is firmly appropriate and PassKeys isn’t that! — but to ensure that people are informed about what’s going on so that it can be evaluated face-on.
The Windows 11 TPM push parallels macOS and the T2 chip, except years later. Once Win11 is in the majority, I imagine web attestation will start to go live in web banking, because they hate paying for fraud investigations.
But. The silent looming threat I predict that few others seem to see, is that Valve will guaranteed enable TPM w/ secure boot attestation in a future Steam Deck hardware update after everyone bails from Windows 10 to Valve Linux, giving it true standing as a console and overcoming today’s multiplayer lockouts by AAA games (unattested Linux is a godsend for software cheaters compared to Windows), while having captured that market on the pretense of tinkerability with full intentions to betray that unstated assumption in favor of regaining AAA multiplayer support in games.
Similarly, that’s why so many AMD gaming processors already ship with Microsoft’s secure attestation Proton chip from the Xbox inside: if Microsoft wants to end kernel-rootkit anticheat, they have to offer another solution, or else competitive PC multiplayer online gaming dies when Microsoft slams the door on Crowdstrike. Secure attestation, coming to a Steam instance near you. (And not to single out Valve — Epic will go there too!)
Console-grade attestation is coming to computers everywhere, because just as with password theft, it uniformly prevents virtually all software-based cheating. It won’t stop hardware-based cheating, but doi:10.1109/SERE-C.2012.43 and Apple mFI already demonstrated that peripheral attestation can arrive at any time — there just isn’t any point in doing so for Win/Lin gaming when most users aren’t using attestation. Yet.
Sometimes I feel like Chicken Little trying to convey the threat to repurposeability here, but, like, this is what’s coming, because after the Crowdstrike worldwide outage, kernel rootkits are on the way out - and the side effects are going to be devastating. This is why I don’t just say, as one comment below does, “fuck you” to attestation: that approach has no effect and it’s coming for everyone unless more people than I start confronting it and understanding it.
The walls really are closing in though. There's basically no way we can avoid this scenario.
So we don't use passkeys? OK, fine, in 2025 that's possible. But for how long? How many sites and services are going to start requiring this? Will they care if a few HN readers are blocked out?
The only way to prevent this nightmare is to convince tech illiterate people to also avoid passkeys, but good luck! This kind of convenience is too attractive and the downsides are too hard to communicate to them.
It’s still possible to avoid this scenario. For example, imagine how conservative tech-hostile politicians would react if they understood how passkeys gives big tech authority over their money. Or when police discover that they no longer have the ability to extract passwords with a wrench. Or how parents won’t be able to access some accounts because the kid stored a passkey outside of iCloud and now it’s parent-proof. Massive outrage is due to tech over this, considering historical trends, but either no one realizes the benefits of them — or everyone doesn’t care because it’s worth not having their password stolen.
The standards body did a really excellent job solving the problem. Is outrage deserved? Is this better or worse than our freedom? I would watch that debate if someone posted a video of a panel discussing the contradictions! Because I’m not sure where I stand, either.
But I just cannot stand the obliviousness that everyone has over attestation. It’s not a done deal yet. I just haven’t seen tech suggest anything to do about it, and that continues to worry.
The key is to lie. Most tech illiterate people get their approximate knowledge from more tech literate people, who get their knowledge from the technical folk. Tech illiterate people don't know how passkeys work, if we start saying that it's just a way for scammy companies to steal your passwords, that'll eventually become truth.
A single per-user client certificate is a cleaner solution, without the vendor lock in problem, since there’s no need for real time synchronisation of an evolving set of passkeys.
I also think client certificates is a better solution. However, it does not have to be single per-user.
For example, a service that you register an account on can issue a certificate to you; you could use it directly or you could use that certificate to issue another certificate to yourself, with a different key, and storing the private key of the original certificate on a separate computer that is not connected to the internet, making it less likely to compromise (if the certificate actually used is compromised, it could be revoked and you can issue a new one to yourself).
If the service defines an extension for the authorization granted by the certificate, then you could issue a certificate to yourself that has an extension to restrict the authorization, therefore allowing partial delegation of authorization. (Some operation would be authorized only if all of the certificates in the chain authorize that operation.)
The partial delegation of authorization can also be used to issue certificates to others, perhaps for a limited time (by setting the expiry date). For example, if one service can access another service to do some operation on your behalf, you can issue a certificate to the first service (this is one case where a client issues a certificate to a server), with the limited authorization that is required, and then that first service will use that certificate to authenticate with the second service, to do the operation.
A service that wants someone to be able to use their account from another service to log in to their own one can also do so (although usually this should not be required, since someone might not want the other service).
The private keys can optionally be passworded for additional security, and the server doesn't know nor care about this. (Passworded private keys is probably not useful for server certificates, but it is useful for client certificates.)
The use of mutual TLS authentication has other security benefit as well.
Having a single certificate makes it trivial to implement cross-website tracking. FIDO2 (and by extension Passkeys) prevent this by having a unique key for every (origin, username) combination.
Also, having a single cert shared across multiple hardware tokens is a security risk, as it becomes impossible to distinguish the tokens or revoke only a single one of them.
The vast majority of users treat their set of passkeys as a unit anyway, so there’s no scenario when a single token would need to be revoked in isolation. A breach of one passkey can only occur from breaching the password manager itself, in which case all passkeys are exposed, so there’s no security benefit to having per site passkeys.
Users who truly need that ability can create multiple certificates, and synchronise them as appropriate.
perhaps this a good moment for you to engage in some reflection and consider that perhaps some people have put more thought in to "how do we replace passwords" than you did in making a single hacker news comment?
you:
> A single per-user client certificate is a cleaner solution, without the vendor lock in problem, since there’s no need for real time synchronisation of an evolving set of passkeys.
reply:
> Having a single certificate makes it trivial to implement cross-website tracking.
you:
> Users who truly need that ability can create multiple certificates, and synchronise them as appropriate.
well, indeed! perhaps designing a system to support multiple certificates with synchronisation, so that we're not forcing ever user to be trackable by every single website, would be a good idea.
some sort of keys to enable one's passage in to a website?
this is a cancer on this website, and certainly one I'm also suffering from, despite being quite aware of it - real life things are usually pretty complicated and just because I know enough to make a random guess at a solution, it doesn't mean people who have put way thought in to the problem have done a bad job or missed by brilliant insight.
