2026-04-05

The Problem of Passkeys


This is not a deep study of passkeys.  I am interested in how useful and usable passkeys actually are, in particular by trying them myself in a limited way.

I have many issues with passkeys.  Asymmetric encryption is hard, technical and not suitable or secure for most normal (i.e. non-technical) people.  But clearly it's possible to use it to make reasonably secure systems like Signal.

I had a brief look at passkeys a while ago.  When I found that I couldn't use passkeys on macOS without having my passkeys (my secret keys) copied into iCloud, I decided to give that a miss.  I don't want my secret key on other people's servers.  Apple could have decided to allow passkeys to stay on a device, but no, apparently they wanted to make passkeys easier for people to use.  On all their Apple devices!

Easy to use is the bane of IT security.

Anyway, since then there have been developments, so I decided to try again.  Apple still allows passkeys on its systems only if you allow it to copy your secret keys to iCloud.  But there are now alternatives.

Apparently Strongbox.app, two versions of which appear to be supplied with my macOS Tahoe, reads and stores password data in a standard KeePass database.  Strongbox appears to be integrated with the macOS password systems.  Apparently Strongbox can store passkeys, but the methods are complicated and, oh, require a paid upgrade that might even work!  Not really interested.

I found that KeePassXC is yet another KeePass app that reads and writes KeePass format databases.  It also has binaries for macOS, Windows, and Linux and is free and open source.  It doesn't have an Android or iPhone app yet, I think.  KeePassXC has some interesting new features.  For instance, you can use it to generate passphrases.  KeePassXC can store passkeys, and it has browser extensions for a number of browsers to autofill passkeys and other stuff.  It has browser extensions for Firefox, Brave/Chrome and Edge.  Maybe more in the future?

It's not exactly simple to get autofill working with KeePassXC.  You have to add the browser extensions to your browsers.  There are settings that need to be set.  I managed to get it to work on Firefox, but not Brave, even though Brave managed to use passkeys without it.

Oh yeah, did I mention: Brave browser can store passkeys internally.  Who knew?

I dislike password wallets that do autofill.  I'm sure that many people find it easy, but frankly easy in computers is the cause of many security vulnerabilities.  I guess you have to use autofill with passkeys.  We can't allow users to copy and paste or drag and drop or generally control their own secret keys.  Also, I often need to use different browsers for different sites and to test stuff.  I don't necessarily want all of them to log in as the same user or even to log in at all.  I definitely don't want one overriding autofill system run by Apple or Microsoft with them deciding where to store my secret keys and personal info.

After getting passkeys with KeePassXC to work in Firefox on a test site, I tried it for a real site, i.e. Google.  Somehow it just wouldn't work.  Some part of Firefox or macOS decided I needed to store my passkey in Apple's iCloud and since that was not enabled, no passkey.  The process appears to be controlled by the website and the operating system and is opaque to the user.  I tried another website and it worked.  Mysterious.

One of the problems with passkeys is that most systems appear to take all control away from users.  Websites apparently control how you create your passkeys and how you store them.  If you want to store your passkey in a browser and the browser allows it, you will only be able to use your passkey from that browser.  You may not be able to use other browsers or other devices.  It's hard to see your secret key, hard to move it around or not.  One solution to the problem of moving your passkeys around for yourself to other browsers, other apps, other devices is to put them in a cloud.  That is Apple's solution, and maybe Google's too, and possibly Microsoft's.  A cloud is other people's computers.  The big corporates and social media desperately want you to save your secret keys on their cloud, so they can get access to copies of your secret keys.  And access to when and how you use your secret keys.  Bonus for them.

It would have been simple for the designers to allow more than one passkey per account.  This would have solved some of those problems.  They could have used just one secret key for all your accounts.  This could have solved some of those problems too.  Having just one secret key is not the same sort of security issue that having the same password is.  I mean, if someone gets your secret key, they can access all your accounts, but if you have all your secret keys on your cloud and they get that, they also have access to all your accounts.

Why can't any of these systems allow users themselves to move their own passkeys between systems?  Of course they might stuff it up.  Of course a compromised system would mean your passkeys would be compromised, but that would be the case if they were stored in a cloud.  

Is it possible for a site to allow login only with passkeys?  I don't think we are anywhere near that.  How would we revoke a key then?

I just don't think passkeys are ready, nor has the design been thought through enough for the benefit of what we say in Australia: us mug punters.  Maybe it's almost OK for big companies.  Passkeys are great for a corporate network where the company controls everything.  Is that what we want for us ordinary people?  I think not.

 
