FIDO Alliance Is Working on Making Passkeys Portable Across Platforms

From the Daring Fireball RSS feed.

Tim Hardwick, reporting for MacRumors:

The FIDO Alliance is developing new specifications to enable secure transfer of passkeys between different password managers and platforms. Announced on Monday, the initiative is the result of collaboration among members of the FIDO Alliance’s Credential Provider Special Interest Group, including Apple, Google, Microsoft, 1Password, Bitwarden, Dashlane, and others.

Passkeys are an industry standard developed by the FIDO Alliance and the World Wide Web Consortium, and were integrated into Apple’s ecosystem with iOS 16, iPadOS 16.1, and macOS Ventura. They offer a more secure and convenient alternative to traditional passwords, allowing users to sign in to apps and websites in the same way they unlock their devices: With a fingerprint, a face scan, or a passcode. Passkeys are also resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.

The draft specifications, called Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF), will standardize the secure transfer of credentials across different providers. This addresses a current limitation where passkeys are often tied to specific ecosystems or password managers.

This initiative would address one of David Heinemeier Hansson’s primary complaints about passkeys, in a post I linked to earlier today.

Hardwick mentions un-phishability as an advantage of passkeys, and that’s very true. In fact, I think that was one of the primary selling points Apple emphasized when they introduced passkey support at WWDC two years ago. A scammer who gets a victim on the phone can’t trick them into revealing a passkey like they can with passwords or one-time numeric codes. But that use case is optimized for non-technical users.

A friend texted me with another argument for passkeys: it’s somewhat common for websites to break password autofill. Maybe it’s deliberate, in the name of fighting bots? But whether deliberate or not, with passkeys, they have to work with your browser’s connected password manager. So maybe passkeys are a net win for convenience, even for technically knowledgeable users who are unlikely to fall for phishing scams.