Passkey Support Rolls Out To Chrome Stable (arstechnica.com) 19
An anonymous reader quotes a report from Ars Technica: Following Google's beta rollout of the feature in October, passkeys are now hitting Chrome stable M108. "Passkey" is built on industry standards and backed by all the big platform vendors -- Google, Apple, Microsoft -- along with the FIDO Alliance. Google's latest blog says: "With the latest version of Chrome, we're enabling passkeys on Windows 11, macOS, and Android." The Google Password Manager on Android is ready to sync all your passkeys to the cloud, and if you can meet all the hardware requirements and find a supporting service, you can now sign-in to something with a passkey. [...]
Now that this is actually up and running on Chrome 108 and a supported OS, you should be able to see the passkey screen under the "autofill" section of the Chrome settings (or try pasting chrome://settings/passkeys into the address bar). Next up we'll need more websites and services to actually support using a passkey instead of a password to sign in. Google Account support would be a good first step -- right now you can use a passkey for two-factor authentication with Google, but you can't replace your password yet. Everyone's go-to example of passkeys is the passkeys.io demo site, which we have a walkthrough of here.
Now that this is actually up and running on Chrome 108 and a supported OS, you should be able to see the passkey screen under the "autofill" section of the Chrome settings (or try pasting chrome://settings/passkeys into the address bar). Next up we'll need more websites and services to actually support using a passkey instead of a password to sign in. Google Account support would be a good first step -- right now you can use a passkey for two-factor authentication with Google, but you can't replace your password yet. Everyone's go-to example of passkeys is the passkeys.io demo site, which we have a walkthrough of here.
Thanks for no thanks (Score:5, Insightful)
I'd rather use password managers over biometrics for privacy reasons.
Re: Thanks for no thanks (Score:3)
You don't have to use biometrics. heck, you don't even need to use a phone. It's just that most people would be using a phone for as a FIDO2WebAuthn device and most people yes would be using biometrics for locking their phone. But you don't have to. Never mind that biometrics is local on both iOS and Android, this is a completely parallel discussion that has nothing to do with the subject.
Re: Thanks for no thanks (Score:2)
Re: Thanks for no thanks (Score:4, Insightful)
Also.. (US) Law enforcement can force you to put your finger on your phone or put your phone up to your face to unlock it without your consent but they can't force you to divulge a password
I'm a law abiding citizen, but the level of invasion of privacy of having some random cop/ border agent comb through my phone / make a backup etc.. or use it to unlock any other info/stuff of mine... just NOPE
This stuff is getting too close to the Identi-Ease card thanks.. no thanks
Why can they sync passkeys but I can't? (Score:2)
Certified Fido2 keys can't be cloned, you have to register separate keys. Now passkeys are held in escrow through a third party they suddenly can be cloned/synced?
Fuck you very much Fido alliance.
Re: (Score:1)
No the fido2 keys can't be synced. Each device has their own unique keys.
Only the keys to sign them are stored online so that sites authenticating you know your dozens or hundreds of unique keys are the same identity.
The only reason this doesn't work well now is that most sites won't let you upload multiple keys.
That and no one wants to generate one key per device per site per identity and manually keep track of which ones go to what and where.
Now if your computer has a thousand keys, your phone can auto g
Re: (Score:2)
It's all webauthn, nothing changed in that respect.
When you sync to iCloud you are cloning the virtual Fido2 key stored in Apple's secure domain, that's why it suddenly works ... cloning was necessary all along.
Re: (Score:2)
Why are you talking about iPhones and Androids? Obviously Apple won't allow cross ecosystem cloning, they can't guarantee the security for that. This is about iCloud backup for iPhones (and equivalent for Google and in the future Microsoft).
If you allow this, the valid iphone passkey authenticates you to the website and provides the android public key as a new valid key to be allowed
This is only theoretically possible, but not mandated, certainly not for non interactive use. No one in their right mind is going to do that for syncing inside a secure ecosystem ... the backup servers would have to cooperate with the device and potentially hundreds of w
"... backed by all the big platform vendors " - th (Score:2)
Ever more lock in and tracking soon to be required by all the big players, designed to further break a private internet built on open standards where anyone could succeed.
Re:"... backed by all the big platform vendors " - (Score:4, Informative)
What are you talking about? You can build everything on open source from small players, you have even the option to buy such hardware keys. Even plain old "open standard" e-mail is by now way, WAY more locked-in (or "broken" if you "DIY" it).
The issue is in reverse, that only these large players actually use it at all. And only the "main" players get it right, the ones with big businesses in IT, like Google, Microsoft/github, Cloudflare accounts. Others like Paypal/Ebay are a complete shitfest, you can't remove less secure ways to access your account - which is for the best anyway as WebAuthn support is half-assed, being able to just add one key and it doesn't work more than half of the time. The vast majority of banks never heard of this and I understand it isn't even meeting the PSD2 requirements to be used in the EU (but plain clear text, possibly over the air, SMSes and all kinds of weird apps apparently do!).
Sync all your passkeys to the cloud (Score:1)
Passkeys are a nail in the coffin for competition (Score:2)
On Apple Firefox will never get in the app store, ChromeOS doesn't even have an app store any more. So no native access to the keychains, only through cross device authentication with a mobile which sucks. That leaves only Windows where they could conceivably get access to Windows Hello, but that's the weakest keychain because Microsoft no longer has their own mobile.
Passkeys are an additional huge force for anti-competitive ecosystem lock-in. Consumer electronic ecosystems are the greatest monopoly in hist
Re: (Score:2)
It's already there...
https://www.mozilla.org/en-CA/... [mozilla.org]
A browser is more than a rendering engine. The rendering engine takes the HTML and lays it out on a page. The Javascript engine takes the javascript and uses it to manipulate the DOM. But there is more to a web browser than that - password managers, bookmark managers, extension managers, etc, are all elements that make up a browser, and there are enough hooks in WebKit to do all those things to keep integ
Re: (Score:2)
Very easy to manage non existing extensions.
Re: (Score:2)
The issue that you can't install this (or any) app on this or that OS doesn't have anything to do with this otherwise perfectly fine (albeit not that widespread both in supported client and server/services) authentication standard.
"huge force for anti-competitive ecosystem lock-in", what the heck you can use the same standard on Linux with (you distro standard, without any plugins or compile options or anything) openssh and if you prefer with open source hardware keys.
Also, in reverse, nobody is forcing any
Re: (Score:2)
A force doesn't have to be unresistable to be a force. Passkeys will push even more people to stay entirely inside ecosystem simply out of convenience.
I can resist that force, but I'm a crotchety old man fighting windmills who inconveniences himself out of spite. I'm not the sea of normies which actually make up most of the consumer base who will just follow the force and stay even more inside ecosystem.
Regulators will have to step in and force cross ecosystem syncing of passkeys, but they will probably be
Re: (Score:2)
PS. passkeys are the first password alternative which actually has good usability, as long as you stay inside a single ecosystem. It will have vastly greater uptake than all the trash in the past.