After some research:
I see passkeys are meant to replace passwords; not be used as a second factor. This is obviously less secure than properly implemented password + second factor, but some services do not implement second factors properly, so this might end up being more secure because it enforces a strong password. In that case, I think hardware security keys should be treated as offering the same level of security and be allowed to be used in place of a password with more services.
https://developer.apple.com/passkeys/ - Apple syncs passkeys with the iCloud Keychain. If you aren't aware, you can't transfer the keychain to an Android or non-Apple device. It isn't clear whether you can extract keys from it easily, or at all. It also doesn't say whether it works offline. Also, this page doesn't explain how passkeys work at all.
https://developers.yubico.com/Passkeys/How_passkeys_work.html - Some observations:
- I'm not a fan of the terms 'registration ceremony' and 'authentication ceremony'. Authentication is not something to be celebrated. It should be treated professionally and seriously.
- Still not much detail...
- Some more detail on other pages but far too dense and not giving me any of the answers I'm looking for.
So why not try the standards page by FIDO? https://fidoalliance.org/passkeys/
What is a Passkey?
Passkeys that are managed by phone or computer operating systems are automatically synced between the user’s devices via a cloud service. The cloud service also stores an encrypted copy of the FIDO credential. Passkeys can also by design be available only from a single device from which they cannot be copied.
Since phone based passkeys sync across all of a user’s devices, the process of upgrading to a new mobile phone is a seamless transition.
I'm pretty sure Apple's implementation is not done this way, but I'm happy to be corrected.
Yes. There is no change to the local biometric processing that the user devices (mobile phones, computers, security keys) do today. Biometric information and processing continues to stay on the device and is never sent to any remote server — the server only sees an assurance that the biometric check was successful.
Okay, so no remote attestation? Or remote attestation, but not through biometric data? Hmm...
The FIDO alliance thinks OTP codes are insecure:
But unfortunately the most popular forms of second factors — such as one time passwords (OTPs) and phone approvals — are both inconvenient and insecure. They can be phished, and they are being phished at scale today.
I don't think passkeys are immune to fatigue attacks, either. Are passkeys not also approval-based..?
Device OS platforms are implementing a feature by which the passkeys on the device (for example, a mobile phone or laptop computer) are synced to the device cloud tied to the user’s platform account (eg, Apple ID for iOS/macOS, Google account for Android & ChromeOS, Microsoft account for Windows). Syncing of passkeys is end-to-end encrypted.
When a user creates a passkey on any of their devices, it gets synced to all the user’s other devices running the same OS platform which are also signed into the same user’s platform account. Thus passkeys created on one device become available on all devices.
It looks like they try to get around device syncing by saying it's okay if you have your other device nearby:
The user visits the RP website on the Windows computer. They then see a ‘sign-in’ button on the RP’s login web page and push that button. The user now sees the option to use another device to sign-in to the RP.
So it sounds like passkeys are bound to each 'ecosystem'. As long as you use all Google devices, all Apple devices, or all Microsoft devices, you can sync your passkeys around. If you mix-and-match, expect trouble.
Oh, they explain how to switch from one ecosystem to another; it seems mutually exclusive. You can either have an Android device with a passkey, or an iOS device with a passkey:
If the user is still in possession of their old device, the user can use the passkey on the old device (say, an Android device) to sign the user into their account on the new device (say, an iOS device). Once signed in, the user can create a passkey in the new platform account.
Okay, that sounds really annoying. Hardware security keys are already sounding far better. I don't have to get up, go across the room to get my phone, unlock it, approve the passkey notification, and go back to my computer. I can just pickup my security key and plug it in, then tap it.
So after all that, I still don't know if passkeys require remote attestation. Also, it sounds like they don't trust you at all with the Secret, which is why you need to create a new passkey when you move between 'ecosystems'. This is the same reason you shouldn't use Authy because it doesn't give you the Secrets. It doesn't let you back it up in case you really need access one day.
Passkeys sound like an absolute pain for people who aren't heavily invested in one of these ecosystems, don't use a phone all the time, and are interested in transparent access to their secrets. i.e. Me.
Happy to be proven wrong. Keep in mind this is just a result of all the research I've done in appropriate places, so I'd appreciate if the responsible parties explained things better if I'm getting things wrong.