I see Google and Apple really embracing passkeys lately and I’m trying to understand the hype, but it can be challenging. I also see that Bitwarden and 1Password are embracing them too. As far as I can tell, passkeys are just key pairs that behave like FIDO2 tokens (e.g. my YubiKey) but are backed up to some cloud and usable from multiple synchronized trusted devices. Is this accurate? How would I go about implementing a self-hosted Linux equivalent? Use it with PAM? Is this just a fancy ssh-agent for other protocols? What are you all doing in the eliminating passwords space?
This post featured on Hacker News argues that users should be aware that this makes your Google account only as secure as your weakest device security and thus isn’t ideal for the average user: https://lauren.vortex.com/2023/10/10/dont-use-google-passkeys-now
deleted by creator
I would be so much happier with this than relying on a third party like Google to provide access to my passkeys.
I’m not sure if there’s any self-hosted option right now. 1Password is the one cross-platform FIDO2 passkey implementor that doesn’t build its own operating systems that I know of, but that’s not self-hosted. I know Bitwarden is working on an implementation, but I don’t think it’s ready yet. Every month they’ve been pushing the release of their implementation further (was “this summer”, then “this September”, then “this October”) and I’m not sure if the self hosted version, free or paid, will even receive these features.
For proper passkey support on all websites, you also need WebAuthn with some form of device attestation, and although TPMs do work fine on Linux, I don’t think they’ll work with any browser at the moment. That means that you can’t use cloud passkeys to authenticate with Nintendo’s login, for example, though that’s not limited to Linux; the same limitation is present (or should be present, if browsers follow the spec) on other operating systems.
As for browser support: Firefox is planning on releasing passkeys with Firefox around Firefox 120 from what I can find. Browsers on most platforms natively support passkeys… except on Linux where phone authentication is the only implemented feature.
You can get around this by buying something like a YubiKey, which should allow you to log in everywhere using the same mechanism as passkeys. You can also try Bulwark Passkey, a rather strange application that will use USBoIP to simulate a YubiKey-like device so you can log into most passkey/WebAuthn-based websites. This is a lot less secure, of course.
Personally, I have used (and am foolishly still using) Krypton to do WebAuthn. It allows me to use the secure storage on my phone to do WebAuthn on desktops through an addon, although it’s not compatible with modern sites anymore. If you have an Android smart watch, you can also try WearAuthn, an implementation of the Bluetooth/NFC FIDO2 protocol for smart watches.
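As an added example (not part of any post in this thread): a relying party can tell a synced passkey from a device-bound key by the backup-eligible (BE) and backup-state (BS) bits in the WebAuthn authenticator data, which is one way a site ends up refusing cloud passkeys. The sketch below parses the fixed header and applies a hypothetical `device_bound_only` policy; the `classify` and `sample` helpers and the `example.org` RP ID are assumptions, and signature and attestation verification, which a real server must also do, are left out.

```python
import hashlib
import struct

# Flag bits of the authenticator data "flags" byte (WebAuthn spec).
UP, UV, BE, BS, AT, ED = 0x01, 0x04, 0x08, 0x10, 0x40, 0x80


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Decode the fixed 37-byte header: rpIdHash | flags | signCount."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    parsed = {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & UP),
        "user_verified": bool(flags & UV),
        "backup_eligible": bool(flags & BE),  # credential may be synced
        "backed_up": bool(flags & BS),        # credential is currently synced
        "sign_count": sign_count,
    }
    # The spec forbids BS=1 with BE=0: a credential cannot be backed up
    # without being eligible for backup.
    if parsed["backed_up"] and not parsed["backup_eligible"]:
        raise ValueError("invalid flags: BS set without BE")
    return parsed


def classify(auth_data: bytes, expected_rp_id: str, device_bound_only: bool) -> str:
    """Hypothetical relying-party policy built on the parsed flags."""
    d = parse_authenticator_data(auth_data)
    if d["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return "reject: rpIdHash mismatch"
    if not d["user_present"]:
        return "reject: user not present"
    if d["backup_eligible"] and device_bound_only:
        return "reject: synced passkey, policy needs device-bound key"
    if d["backup_eligible"]:
        return "accept: synced passkey"
    return "accept: device-bound key"


def sample(rp_id: str, flags: int, count: int) -> bytes:
    """Constructed sample authenticator data (not captured from a real device)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", count)
```

The flags are self-reported by the authenticator inside the signed data, so a policy that depends on them is only as strong as the attestation check behind it.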
I have been incredibly happy with 1Password, and really don’t have any plans for switching away from it. I was exploring Bitwarden as a solution for someone else, as an introduction to the system, and it was both not nearly as intuitive, and not nearly as feature-rich.
The biggest advantage of Bitwarden, in my opinion, is the ability to host it yourself. The freeform file/notes/fields storage is also quite useful. If you’re not interested in those, it’s just another password manager that may or may not work for you.
https://github.com/AlfioEmanueleFresta/xdg-credentials-portal is a WIP proposal for a spec to enable OS-level support for FIDO similar to how Windows and macOS do it. Not sure how far away from being approved it is, but that would then make implementations easier to build.
https://www.enpass.io/blog/security/enpass-steps-into-the-passwordless-future-with-passkey-management-for-ios/ Apparently, you can use Enpass and store your vault self-hosted, and it supports passkeys. Was just my first quick Google find, don’t know about Enpass’s reputation.
deleted by creator
That’s my understanding as well, a software FIDO2 key basically.
Keys in the cloud can be gotten by governments and are always one zero day away from being leaked. Nooo thank you.
It’s my understanding that the passkeys are stored encrypted so this is not an issue.
Google deciding to disable your account for no reason is something to fear, though.