
No, I don't want to be tied to a single browser for my passkey. What happens if I want to log into a site on my phone using Safari or Chrome? I also don't want it tied to my Apple Keychain. What if I want to share my passkey with my partner?



I really like the browser, but it still doesn't work with Apple Keychain, so using it is not an option here. Guess I'm too lazy, but it would take weeks to migrate over, and then I'd need to store the passwords in dual locations, which seems like a bad idea.

Here’s the major flaw. With iCloud Keychain or Chrome, it assumes that platform is central to everything you do. All it takes is one exception to be really annoying. For example, I don’t use Chrome on my iPhone. I don’t use Safari on my work laptop. Etc.

If you can get access, the access outside the core platforms is an afterthought, such as iCloud Keychain’s Chrome plugin.

Apps like 1Password don’t favor one platform over another. There isn’t a conflict of interest for which platforms will be supported.


I share the view that I'm not going to trust Google or Apple with my passkeys, not for any ideological/trust/privacy reason but just not putting all my eggs in one basket.

I assume I'll use 1Password's implementation they're building, which should meet all my needs, provided they provide a mechanism to export (which I expect).

And I also assume a similar open-source solution will arise.

So I'm not worried about a loss of user control at all. As long as iOS, Chrome, Safari, and Android all allow integration with third-party passkey managers. And I don't see how that wouldn't happen.


Sadly, Apple has just completely cut off 3rd parties from Keychain for website passwords (they can use the Keychain for their own isolated items, but can't touch any shared password data). All non-Safari browsers are affected.

Firefox on iOS has a loophole for this, because it's forced to use Safari's WebView, so it gets Safari's keychain, but it can also then prompt to save in its own password sync. Far from ideal, but at least a way to escape Apple lock-in.


Watch the video linked below by psanford

1) How can I share the fingerprint keys between Chrome and Safari?

You don't need to. That's not how it works. Chrome and Safari and every device will have a different key for the same service (see video).

2) How do I share keys between different types of devices? (Mac, iOS, Android, Windows)

You don't. You authenticate and a new key is created on each device, possibly on each piece of software (Firefox, Chrome, Safari, App). To be more clear, when and if you decide to use a service from a new device or new browser, you'll be asked if you want to log in via passkey. If you have a passkey on another device you can (see video) use that to log in from the other device (similar to how Google asks via the Gmail app if you were trying to log into some other device, or Apple asks across your devices). After you authenticate you can then create a new passkey for this device/software you're using. This new passkey is separate from the previous passkey. You effectively have 2 passkeys now, one to log in with one device/software, one to log in with a different device/software. (See video)

3) What happens if my devices are gone?

You follow whatever recovery procedures the service has.

4) What happens if I want to change my login (email to a new email for example)?

Unrelated. Your email is not shared with passkey. So log in and set a new email.

5) Is account recovery handled simply by a reset-email?

That's up to the site/service, just like it is without passkey.

6) It seems a validation step of the email is missing?

That's up to the service as well. They could require an email, but that's unrelated to passkey.


Other browsers could use Keychain if they wanted to; it’s a public API; there’s even a command line tool.

Other browsers have their own features for syncing passwords, extensions, etc.

There’s no reason why a future install process for Firefox, Chrome, Brave, etc. couldn’t offer to import Safari’s Passkeys just like they do bookmarks.


Why would you use a passkey manager that required a phone and BT? That's nuts. 1Password and Safari both handle syncing passkeys between all your devices - no device swapping needed.

The big question I have is are the keys device/browser specific?

Seems to me I need to be able to log in with a password from any place (my phone, my machine, my office, my wife's phone, her laptop, my friend's laptop, etc.).

I mean, who knows when I'll want or need to get into Something.

Also, my wife and I share accounts (such as Amazon). So, it needs to work seamlessly across all of her devices.

Then there's always the "F-with it factor" that I loathe. At least I understand passwords. Can (mostly) always recover a password (I recall trying to recover my Apple ID password -- they bluntly said "ok, but you have to come back in 2 weeks", so I was locked out for 2 weeks).

And, of course the level of patience my wife has with Technology is less than zero.

I rely on my Safari auto fill, when I use another browser, I just copy the pw from Safari.

And I don't use any of the cloud services. I have an iPhone, but don't use iCloud.


Sure, I already do that, but why shouldn't there be a choice in on-device passkey implementations just like there is for password and HOTP/TOTP authenticators?

Your argument sounds a bit like "Don't like Safari? Just use a different OS then" in the context of allowing browser choice on iOS. There is no technical reason a Passkey provider and OS/platform should be necessarily bundled.

It would encourage competition in both functionality and security, it reduces reliance on a single account for your entire digital life, it allows niche products to address special requirements in all kinds of scenarios...


It's basically impossible to answer that hypothetical right now, because it depends entirely on the choice of client software. And that's still something that's evolving; it's just that Apple/Google/MS have the most prominent implementations here.

If you have an iPhone and a Mac? No, your iPhone will log in via iCloud keychain. You use touchid/faceid to auth as usual.

If you have an Android phone and a Chromebook/use Chrome? No, it will get sync'd implicitly. You use whatever the equivalent of touchid/faceid is to auth, as usual.

If you're using some third party, pure-software, syncing solution? No, probably not. For example, existing password managers will probably just store the key material, encrypt it, then sync across devices. Again, pure software solution. You use 1Password on Windows 11 and also on your iPhone? You'll probably be fine. (Note: this is hypothetical, because 1Pass doesn't support it yet, but this is probably how it will shake out.)

If you want to login with your Chromebook using a key it has generated and not export/sync the key, and you also have an iPhone at the same time you want to login with? Yes, you will need multiple keys, one for each device, and you will need to provision them.

Realistically this is also a change to login flows on the server as well, so there's work to be done for the UX. For example, many server-side auth packages are still adopting Passkeys into their flow; they need to change their schemas and frontends. One change to explore, e.g., is to ask the user, after registering with WebAuthn, to register other devices, if they have them. Whether or not that's a workable solution remains to be seen.
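
One way a server can hold several passkeys per account, as the comment above describes (an added example, not part of the original comment and not any auth package's code). The names `example.test`, `alice`, `makeDevice`, `register` and `verify` are assumptions, and the software "devices" are constructed stand-ins for real authenticators; the check follows the WebAuthn assertion layout (signature over authenticatorData plus the SHA-256 of clientDataJSON) and leaves out attestation and sign-counter handling.

```javascript
const crypto = require('node:crypto');
const RP_ID = 'example.test';                 // assumed relying-party ID
const ORIGIN = `https://${RP_ID}`;
const sha256 = (b) => crypto.createHash('sha256').update(b).digest();
const newChallenge = () => crypto.randomBytes(32).toString('base64url');
// Constructed stand-in for an authenticator: each device holds its own key pair.
function makeDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const credentialId = crypto.randomBytes(16).toString('hex');
  return { credentialId, publicKey, getAssertion(challenge) {
    const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin: ORIGIN }));
    // authenticatorData: SHA-256(rpId) || flags (UP|UV) || 4-byte counter (left at 0 here)
    const authData = Buffer.concat([sha256(RP_ID), Buffer.from([0x05]), Buffer.alloc(4)]);
    const signature = crypto.sign('sha256', Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
    return { credentialId, clientDataJSON, authData, signature };
  } };
}

// Schema: one account maps to many credentials, keyed by credential ID.
const accounts = new Map();
function register(username, device) {
  if (!accounts.has(username)) accounts.set(username, new Map());
  accounts.get(username).set(device.credentialId, { publicKey: device.publicKey });
}

function verify(username, expectedChallenge, a) {
  const cred = accounts.get(username)?.get(a.credentialId);
  if (!cred) return false;                                  // unknown or revoked credential
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get' || client.origin !== ORIGIN) return false;
  if (client.challenge !== expectedChallenge) return false; // stale or replayed response
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return false;
  if ((a.authData[32] & 0x01) === 0) return false;          // user-present flag must be set
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, cred.publicKey, a.signature);
}

function demo() {
  const phone = makeDevice(), laptop = makeDevice();
  register('alice', phone); register('alice', laptop);
  const c1 = newChallenge(), c2 = newChallenge(), c3 = newChallenge();
  const phoneOk = verify('alice', c1, phone.getAssertion(c1));
  const laptopOk = verify('alice', c2, laptop.getAssertion(c2));
  const replayOk = verify('alice', c2, phone.getAssertion(c1));
  accounts.get('alice').delete(phone.credentialId);         // revoke only the phone
  return { phoneOk, laptopOk, replayOk,
    revokedPhoneOk: verify('alice', c3, phone.getAssertion(c3)),
    laptopStillOk: verify('alice', c3, laptop.getAssertion(c3)) };
}
```

Revoking the phone's credential leaves the laptop's login working, which is the practical payoff of storing credentials per device rather than one per account.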


Here there is no problem.

You have a completely free choice to use 1Password, Bitwarden, KeePass etc. Apple is not stopping you.

Forcing all browsers on iOS to use Safari is a different matter.


This depends on the implementation.

If you are in the Apple world, your keys are synced between iOS and macOS (and saved in Secure Enclave, so you need TouchID/FaceID to complete the flow). In the 'Google' world, you can use them between Android devices and the Chrome browser.

However, if you access from an unsupported app/device (e.g. use Apple Passkeys and want to access from a browser on a Linux machine), you can always just scan a QR code with your phone and use it to log in.

You can try it on https://www.passkeys.io


You can use 1Password or other password managers. At least 1Password works like a charm on both Mac and iPhone across browsers, just as well as Keychain.

Can you sync passwords between Firefox and Keychain? I’m essentially looking for that. I use iOS apps which leverage Keychain which can share passwords with both app and website. I’d ideally like to not have multiple password tools.

If you're using Safari there's password management built in, though obviously that assumes you're in the Apple+iCloud+Safari ecosystem only, which is an infeasible restriction for many people.

The passkeys API is afaict actually a spec to handle hardware-token-based login, for which Safari uses the built-in SEP (or the SE? I can honestly never recall which is which), so it's more streamlined than digging around for a token. But then I don't know how it (either the specification or the Safari implementation) handles multiple devices. But again it seems possible that you hit similar "are you a Safari-only user?" ecosystem issues.


Until there is a viable way to sync passkeys between all devices, all platforms, and all browsers, I will be happily sticking to my passwords. The security benefits provided by passkeys are not enough to offset the ecosystem lock-in that passkeys cause.

I agree with you, but I think a majority of users are fine with being on one ecosystem, as long as it is convenient. iCloud Keychain works on Windows and Chrome using an extension provided by Apple. It is possible to login using passkeys on another device outside of the ecosystem by using QR codes.

You can noodle around with it on https://webauthn.io/ . Keys will sync within ecosystems - so, if you log in with Safari on iOS, the same credentials show up on desktop Safari on a Mac. That doesn't seem to work between Chrome and Safari, but you can scan a QR code to sign in on Chrome using a passkey on your phone.

Right now I'm not sure if this stuff is good enough to use instead of passwords. I'd want Firefox support, and preferably built-in support in 1Password too. But it might be good enough to use alongside passwords. We need to collectively figure out how to do that. (Do you get a password and a passkey? Or just a passkey & reset via email? How should the user flows work? Any good examples?)


I have... doubts. Already WebAuthn isn't prompting for passkeys on Apple. Chrome wants a Bluetooth connection out of the box, and Firefox does its own internal auth path that doesn't involve the OS.

Chrome and Edge on Windows are the only ones that prompt me for passkeys today (Firefox tries to use Windows for auth, which throws up a scary prompt).
