✧✦✶✷Catherine✷✶✦✧

passkeys are great i love having an authentication mechanism that doesn't support Linux unless you have an Android phone with a recent version of Android and a Google account tied to it

13 comments
l'empathie mécanique

@whitequark Apparently they have already been doing this for quite some time.

Site Reliability Enby🏳️‍⚧️🏁🔦📈🐺👗

@whitequark What are passkeys in this context? Is this *yet another* embrace/extend/extinguish from google?

Edit: Yup, of course it is...

Pierre Bourdon

@SiteRelEnby @whitequark it's an Apple/Microsoft/Google joint effort to use device-bound (which usually means TPM / enclave-bound) asymmetric credentials as an authenticator.

It's also a FIDO standard: fidoalliance.org/passkeys/

I don't think Google are pushing for it any more than the other implementers?

Pierre Bourdon

@SiteRelEnby @whitequark double checking the relevant standards: Google definitely contributed, but they're far from the only names on there, and they don't seem overrepresented either?

w3.org/TR/webauthn/
fidoalliance.org/specs/fido-v2

✧✦✶✷Catherine✷✶✦✧

@delroth @SiteRelEnby (I am upset about Google as the browser vendor specifically. FIDO is fine, passkeys are fine technologically probably)

Pierre Bourdon

@whitequark @SiteRelEnby yeah... I suspect that Chrome insists on hardware backing or system level credentials management to store the passkeys, and Linux doesn't really have a working API for either.

Could DBUS to GNOME Keyring :P

avi

@delroth there is a general API (org.freedesktop.secrets) that will work with both GNOME Keyring and KDE Wallet, but I’m not sure whether that supports storing passkeys.

Nina "Erina" Satragno 💫

@Raqbit @delroth @whitequark @SiteRelEnby

Linux doesn't have a first class authenticator API yeah. If you want to, you can buy a security key and get passkeys that don't sync. I wouldn't recommend that to most people since you have to do your own backup management but if you're a linux user maybe they're less of a footgun.

There's nothing stopping vendors from implementing their own passkey syncing solutions for linux (dashlane and 1password have implementations, maybe more out there?)

Site Reliability Enby🏳️‍⚧️🏁🔦📈🐺👗

@whitequark @delroth Why the fuck don't sites just let me give them the public half of an ECDSA key? No need for random potentially-trojanised standards...

avi

@whitequark Passkeys/WebAuthn does work on external FIDO2 compliant keys with a PIN code set. Firefox 114 explicitly added support for this on Linux (mozilla.org/en-US/firefox/114.).

I think the issue is that there is no standard place yet to store passkeys besides that. On Windows, Windows Hello is used while iCloud Keychain is used on macOS. There are technically some external solutions like Bitwarden or 1Password, although I’m not sure how well they work yet.