Passkeys gonna fix all this bullshit.
No they fucking won’t. You know that websites are going to be massive throbbing cocks about it.
“Due to security issues, passkeys for our service must be kept in <Company name>® Secure Passkey App™. Please install the app on your device to continue. This app requires Apple Notification or Google Play services to operate. Must have verified phone number to use.”
“Your device has been rooted and therefore cannot be supported.”
Unironically this…
Passkeys don’t work on my rooted device - they seemingly set up correctly, but sites like GH claim your device passkey doesn’t exist when you try to actually log in. When you go to the affected site’s account settings to add the device as a passkey again, an error of some kind claims the passkey already exists 🤷‍♂️
Deleting/re-adding has no effect. Using FF with device biometric passkey auth.
I have to do anything passkey-based on Chrome on Android. No clue why. Had to recover my PSN account like 4 times before I figured out it was a Firefox problem.
Fair enough!
Passkeys are an open standard. You need to install a WebAuthn-compliant supplicant that talks to the browser. The supplicant can be anything, as long as it does the required protocol. The browser doesn’t care.
At the moment the browsers are the main problem. They need to open their APIs properly.
TOTP is an open standard but look at how bad companies have fucked that up.
Counterexample: Symantec’s TOTP. https://vip.symantec.com/
They work with companies to integrate TOTP into their system, but it’s a bastardized version of the open standard. You cannot use standard TOTP software with the Symantec integration.
They want you to use their proprietary app on your phone.
You can, however, take Symantec’s crazy code, run it through a converter, and then use a standard TOTP app.
But this is a great example of enshittification of an open standard.
Ah yes the classic MS “embrace and extend”
Problem is part of the standard allows the server to require attestation. So congratulations, they only bless their app, or maybe they only bless iphones.
If the service ignores that, then yes, it’s great. It’s as yet unpopular so it’s hard to know, but in adjacent industries I have seen them lock things down to the point it’s as asinine as “open your app to continue”.
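To make the attestation point concrete from the relying party's side, here is an added example (not from anyone in this thread) that parses WebAuthn authenticator data, pulls out the AAGUID that identifies the authenticator model, and shows how an AAGUID allowlist turns into "only our blessed app works" while an open policy accepts any conforming authenticator. The authData bytes, RP ID and vendor AAGUID are constructed here; the sample omits the trailing COSE public key since only the fixed-layout prefix is parsed.

```python
"""Parse WebAuthn authenticator data and compare an open registration
policy with an AAGUID allowlist. Sample data is constructed, not captured."""
import hashlib
import struct
import uuid

FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40  # user present, user verified, attested cred data

# Placeholder AAGUID standing in for "the vendor's own app" (constructed value).
VENDOR_AAGUID = bytes.fromhex("0000000000000000000000000000beef")

def parse_auth_data(auth_data: bytes) -> dict:
    """Split the fixed layout: rpIdHash(32) | flags(1) | signCount(4) | attestedCredentialData."""
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    out = {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}
    if flags & FLAG_AT:
        # attestedCredentialData: aaguid(16) | credIdLen(2) | credentialId | COSE key
        out["aaguid"] = str(uuid.UUID(bytes=auth_data[37:53]))
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        out["credential_id"] = auth_data[55:55 + cred_len]
    return out

def rp_accepts(auth_data: bytes, rp_id: str, allowed_aaguids=None) -> bool:
    """Registration decision. allowed_aaguids=None accepts any authenticator that
    passes the protocol checks; a set of AAGUID strings reproduces vendor lock-in."""
    parsed = parse_auth_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False  # credential bound to a different RP ID
    if not (parsed["flags"] & FLAG_UP and parsed["flags"] & FLAG_AT):
        return False  # registration needs user presence and attested credential data
    if allowed_aaguids is None:
        return True
    return parsed.get("aaguid") in allowed_aaguids

def make_auth_data(rp_id: str, aaguid: bytes, cred_id: bytes = b"\x11" * 16) -> bytes:
    """Construct sample authenticator data. With attestation 'none' the client
    typically zeroes the AAGUID, so bytes(16) models an anonymised authenticator."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([FLAG_UP | FLAG_UV | FLAG_AT]) + struct.pack(">I", 0)
            + aaguid + struct.pack(">H", len(cred_id)) + cred_id)

if __name__ == "__main__":
    anon = make_auth_data("example.com", bytes(16))
    allow = {str(uuid.UUID(bytes=VENDOR_AAGUID))}
    print("open policy:", rp_accepts(anon, "example.com"))          # True
    print("allowlist  :", rp_accepts(anon, "example.com", allow))   # False
```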
Not necessarily. I found out that Bitwarden can generate a QR code that you just scan with your phone that allows your phone to act as a passkey, no browser support required. I was surprised when I discovered that. I had set up my phone as a passkey in Windows, and Windows can use phones as a passkey directly; on Linux that’s not supported so it just gave me a QR code that worked seamlessly. It’s not like a browser URL, but actually triggers the phone’s passkey authentication, kinda like QR codes for WiFi authentication. Pretty neat.
Please make your device insecure to give your account the illusion of security.