A few days after the concrete announcement of passkeys for the various Apple operating systems, the first disaster scenarios (which, however, apply to MFA systems as well) and contradictory promises of salvation, Michael Tsai compiles the obvious questions in full:
I don’t understand the slide at the end where it says that Passkey protects against device theft but a password manager (maybe) doesn’t.
Other questions:
- Can I get at my passkeys from Keychain Access?
- Is there a way to manually back them up or move them between devices (other than manual AirDropping one at a time)? It would be nice to have a backup in cold storage rather than rely on a small number of devices that are all in the same building and connected to the same cloud account.
- What happens if there’s a problem with the system or the site so that it doesn’t offer to auto-fill the passkey that I need? I’m thinking about cases where there are multiple or changing domains. It sounds like there’s no manual picker but that having one wouldn’t help because if it thinks the domain is wrong the passkey wouldn’t work, anyway.
- This requires iCloud Keychain, yet someone may not want to put all of their passwords in iCloud. Is it practical to use a local keychain for some stuff alongside iCloud Keychain?
- How well is this going to work in different browsers and across different platforms?
[...]
It sounds like anyone who can get into your Apple ID account and either see your phone notifications or redirect an SMS message can delete all your passkeys.
[...]
In what sense are passkeys locked to a device if they are syncing via iCloud Keychain? Is the idea that they must be on one of your devices because there is no way to export them?
Against any budding uncertainty about whether passkeys really are the answer to all authentication questions, I recommend the well-tempered prose of the relevant Apple support document.
The title of this blog post, which alludes to the collaboration between Apple and FIDO, would also have suited the nostalgic high spirits surrounding Clarus's return, but the dogcow and print dialogs in general interest me considerably less than Apple's WebAuthn implementation.