
I think passkeys are packaging up two different "innovations" into one system:

1: Replace passwords with classic public key auth. The benefits of that are uncontroversial and the tech has been successfully in use for decades (e.g. with SSH keys).

2: Lock away the private key in a HSM and introduce some complicated set of rules and protocols to ensure that no one, not even the user, ever gets to see it.

Seems to me, most of the security benefit comes from the first part (no confidential data is sent, no password guessing, etc) while most of the problems come with the second part.

So why not unbundle the two parts and add public-key crypto to the web that allows the user to store their private key themselves?

Again, this is how it has been done for SSH for decades, and so far I haven't heard of any large-scale SSH phishing campaigns, even though there would be enough attractive targets.

The one benefit that's advertised everywhere is "bullet proof phishing protection", because each key is tied to a domain and the HSM can refuse to sign anything with the key that's not from this domain.

But you could implement an 80% version of that with accessible private keys as well: Just add the domain (or a hash of the domain's TLS cert) to the key's metadata and have the browser refuse to use the key if it doesn't match. A user could spend some effort and change the metadata, but the bar is MUCH higher than just typing in your password somewhere.

A phisher could also try and make the user run some tool that automatically switches the metadata (or just sends off the key directly). But at that point, the phisher would be forced to trip some classic red flags like getting the user to download a tool. Also, if the user did install the tool, they'd have a huge problem even with HSM keys: The tool couldn't access the keys directly, but it could impersonate the user and use the keys.

So I don't see why we have to go from plain passwords to "opaque walled garden" with no step in between.
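The domain-bound software key sketched in this comment, as an added example that is not part of the thread: a client-side store keeps the relying-party domain as metadata beside an Ed25519 key and refuses to sign for any other origin. The origin rule is an assumed, simplified form of WebAuthn's RP ID matching, not the spec's full check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"net/url"
	"strings"
)

// BoundKey is a software-held key; its RP ID binding is plain metadata, not hardware-enforced.
type BoundKey struct {
	RPID string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewBoundKey generates an Ed25519 key pair bound to rpID.
func NewBoundKey(rpID string) (*BoundKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &BoundKey{RPID: rpID, Pub: pub, priv: priv}, nil
}

// originMatches is a simplified WebAuthn rule: https only, host equal to the RP ID or a subdomain of it.
func originMatches(rpID, origin string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" {
		return false
	}
	host := u.Hostname()
	return host == rpID || strings.HasSuffix(host, "."+rpID)
}

// Sign is the client-side refusal from the comment above: no signature unless the origin
// matches the bound RP ID; the origin is folded into the signed bytes so a signature for
// one site fails elsewhere. RPID and priv are plain data; the check is only software.
func (k *BoundKey) Sign(origin string, challenge []byte) ([]byte, error) {
	if !originMatches(k.RPID, origin) {
		return nil, errors.New("refusing to sign: origin does not match bound RP ID")
	}
	return ed25519.Sign(k.priv, append([]byte(origin+"\x00"), challenge...)), nil
}

// Verify is the relying party's check over the same origin-bound message.
func Verify(pub ed25519.PublicKey, origin string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, append([]byte(origin+"\x00"), challenge...), sig)
}
```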



> ensure that no one, not even the user, ever gets to see it

One small correction: this should read, “especially not the user”, reflecting the research and evidence collected over decades showing that authorized users are an apex threat to their own security.

The problem solved by passkeys is not addressed by #1, or else it would just be S/MIME-like certificates in password managers as we had for twenty years already in browsers, only with better UI. If the user has the ability to access the private key underlying the public certificate, then an attacker can convince the user to extract and upload the private key and password, and an expert user can remove the password altogether. Passkeys takes the view that social engineering and malware attacks cannot be prevented so long as the secret is retrievable from the HSM into an unmanaged file, clipboard, etc.

The only way to close the social engineering attack vector is to design a system where users cannot upload a key even if they’re conned, which is why passkeys implement both #1 (to stop transmitting the secret) and #2 (to deny all human beings the footgun). And the only way that we know of in tech today, to technically deny humans their footgun when they have physical access to the device, is to build the OS around an HSM with secure boot and attestation so that the user can’t naively or expertly bypass the footgun safety by installing software.

So, today, we have to choose as an industry between denying users the right to extract private keys from the HSM, and allowing attackers to exploit users to extract private keys from the HSM. There is no known middle ground. Should we prioritize liberty over safety, or safety over liberty? That is the core contention of Passkeys, and ultimately of attestation.


> Passkeys takes the view that social engineering and malware attacks cannot be prevented so long as the secret is retrievable from the HSM into an unmanaged file, clipboard, etc.

Yeah, I know that Passkeys takes that view. I'm questioning that view.

We have precedent in the form of SSH, PGP, S/MIME, TLS client certificates (or actually even just regular TLS certificates) and all kinds of crypto wallets. Have there been any actual studies of how many private keys in those systems were successfully exfiltrated through phishing?

Because this justification sounds an awful lot like an excuse for lock-in and control creep - like the mandatory auto-updates that were also promoted in the name of security and now are frequently used to push through anti-features that go against the interests of the users.


Crypto wallet malware is widespread, SSH and AWS key theft is a regular and successful target of Python module malware, etc.

https://news.ycombinator.com/item?id=44791058 is the most recent post (yesterday) I can find, suggesting 200,000 impacted in a single malware instance. On average there are hundreds to thousands a year, but I don’t know their theft volume.

How many need to be impacted before the interests of user security should be given precedence over the interests of user liberties? Is there a hard line amount or is it fuzzy? Is it in the thousands, millions, or billions?

You’re definitely asking an excellent line of questioning, in my view. IS all of this Passkeys crap worth it? Will it make a significant and meaningful difference? That has to be a set of questions that the W3C has presumably studied, and if you’re lacking for sources to begin research, I would check their drafts and discussions first.

I’m not the right person to look for studies pro/con to your viewpoint, though: this topic, as with most social morality topics, is essentially academic to me — which is one of the great joys of being asocial, as I love that academia, but also means that I can’t construct a working theory of mind to support someone else’s viewpoint, pro or con, without it being uncanny valley broken and weird. I see a lot of people upset about this topic and it’s transparent enough for me to lay it out plainly, and I care about people en masse and I want to see these discussions progress beyond “this sucks” reflexive disregard and towards - for examples - “is there any better way technically”, “what led to the sacrifice of liberty deemed acceptable”, and “is it appropriate to be so cynical about human beings when they’re their own biggest enemy”.


Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.


The amount of cryptocurrency stolen due to exposed keys on the filesystem is likely staggering



