User presence tests are an anti-malware feature. The point is that a machine can be compromised without letting bad guys log into your accounts willy-nilly. Is it a super useful feature? No. The bad guys can steal the tokens for accounts you're actively logged into anyway. But that's why the test exists.
The whole back and forth about plaintext keys is pretty much people talking past each other. Approximately nobody thinks users shouldn't be able to access their keys in the general case. FIDO just wasn't originally designed for the general case (see Operation Aurora). Now it's playing catch-up.
KeePassXC is not "being threatened with being banned via attestation". Attestation requirements are set by the service you're logging into, and KeePassXC is already locked out where those requirements exist (pretty much exclusive to a small number of corporate and government orgs). A random guy from Okta is not threatening to ban KeePassXC.
Citation needed. To me it seems to be the quiet part that they aren't saying out loud. If it's just a consequence of the spec being unfinished, then they shouldn't threaten to ban KeePassXC for this. The purpose of a system is what it does, and commercial passkey implementations lock users out of their credentials and use it to strengthen vendor lock-in.
> Is it a super useful feature? No
It's security theater and a way for websites to annoy users unnecessarily.
> KeePassXC is not "being threatened with being banned via attestation".
https://github.com/keepassxreboot/keepassxc/issues/10406#iss...
It's a thinly veiled threat. Making a certification process and refusing to certify KeePassXC is exactly the same as banning it.
This was my impression, and it explains why the original announcement involved companies that would benefit the most from keeping their users on a leash.
Passwords are easy to understand, transparent and portable, and when used with good hygiene (always using a password manager and generating unique & strong passwords for everything) there isn’t yet a strong case for anything else.
That said, I had a much easier time getting my kids onboard with a FIDO2 security key than I would have a password manager.
"Enter your email and touch this" is easy to understand.
This also means sites can allow you to sign up without collecting any more info than registering a passkey, but of course they want to siphon all that data.
Tech journalists should ask the FIDO Alliance if they’re just Google+Apple+Microsoft in a trenchcoat. Definitely not very open!
Look, the spec says you can't export the keys to a file! Too bad, go re-register your 120 websites if you want to stop using iCloud/Google!
It's DRM, and it will go down exactly the same anti-user and anti-competitive route as every other DRM. Fight it with fervor.
Edit: Reading one of those issues it sounds like they want the keys stored in an encrypted way, is that too much to ask for? I don't care about viewing it but it shouldn't be stored in a plain easy to open JSON.
Well, they are encrypted but the issue is talking about exports. The maintainer of KeePassXC already mentions the issue with that: portability. A backup of such sensitive data (a password manager) is going to be stored somewhere secure (to the user) already. Why would you encrypt the contents and add another layer of complexity that other tools may not be able to handle? I want to be able to rely on those backups in the future and copy paste them around manually if needed. It's user choice, put simply.
A specification committee should never be deciding what a user does with their data, period. The security maximalist is always going to advocate for the most secure thing but most of the time that's not practical or friendly to humans.
They are proposing an attestation scheme. I'm not sure the details are out yet, but the authenticator would presumably use one of the hardware security mechanisms (like a TPM bound key) to "certify" its own authenticity along with the challenge.
This will effectively ban all open-source implementations, and end user freedom if widely adopted. Fortunately for us it seems like Apple isn't cooperating here for now, and without Apple signing on, it wouldn't get anywhere.
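As an added example (not code from the thread or from any passkey project), here is what the relying-party side of the two mechanisms discussed above looks like in Python: the user-presence flag carried in the WebAuthn authenticator data, and an AAGUID allowlist standing in for an attestation requirement that admits only listed authenticator models. The RP ID, AAGUIDs, credential ID and key bytes are constructed sample values, and the attestation statement signature (the part a real RP verifies against a vendor certificate chain) is not checked here.

```python
import hashlib
import struct

# Flag bits in the authenticatorData flags byte (WebAuthn layout).
FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40

def build_auth_data(rp_id, flags, sign_count, aaguid, cred_id, cose_key):
    """Construct authenticatorData: rpIdHash(32) | flags(1) | signCount(4)
    | [aaguid(16) | credIdLen(2) | credId | credentialPublicKey] (constructed sample)."""
    data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        data += aaguid + struct.pack(">H", len(cred_id)) + cred_id + cose_key
    return data

def parse_auth_data(data):
    """Split authenticatorData into its fields; the COSE key stays as raw CBOR bytes."""
    flags = data[32]
    parsed = {
        "rp_id_hash": data[:32],
        "up": bool(flags & FLAG_UP),          # user presence asserted (touch/click)
        "uv": bool(flags & FLAG_UV),          # user verification (PIN/biometric)
        "sign_count": struct.unpack(">I", data[33:37])[0],
        "aaguid": None,
    }
    if flags & FLAG_AT:                       # attested credential data present
        cred_len = struct.unpack(">H", data[53:55])[0]
        parsed["aaguid"] = data[37:53]
        parsed["credential_id"] = data[55:55 + cred_len]
        parsed["cose_key"] = data[55 + cred_len:]
    return parsed

def check_registration(data, rp_id, require_up=True, allowed_aaguids=None):
    """RP policy: rpIdHash must match, UP must be set, and when the RP imposes an
    attestation requirement the reported AAGUID must be on its allowlist."""
    p = parse_auth_data(data)
    if p["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return "reject: rpIdHash mismatch"
    if require_up and not p["up"]:
        return "reject: user presence not asserted"
    if allowed_aaguids is not None and p["aaguid"] not in allowed_aaguids:
        return "reject: authenticator model not on allowlist"
    return "accept"

# Constructed sample values: a placeholder hardware-key AAGUID and the all-zero
# AAGUID that software authenticators without attestation typically report.
HW_AAGUID = bytes.fromhex("00112233445566778899aabbccddeeff")
SOFT_AAGUID = bytes(16)
HW_REG = build_auth_data("example.com", FLAG_UP | FLAG_AT, 1, HW_AAGUID, b"cred-hw", b"\xa5")
SOFT_REG = build_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_AT, 0, SOFT_AAGUID, b"cred-sw", b"\xa5")
NO_UP_REG = build_auth_data("example.com", FLAG_AT, 0, SOFT_AAGUID, b"cred-sw", b"\xa5")
```

Without an allowlist both registrations pass on the UP check alone; the moment the RP adds `allowed_aaguids={HW_AAGUID}`, the software authenticator is refused regardless of how it stores its keys.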
Attestation is incompatible with having the authority conferred upon upstream automatically inherited by all forks thereof.
If you want your fork to have the same authority as upstream, you have to apply for that authority to be recognized and make your case that it deserves that. This is the problem with attestation: that it reintroduces human reputation authorities into the Wild West of computing.
If you’re going to argue successfully against attestation, you’ll need to focus on the actual problem rather than the distraction of source code licensing. The same attestation would be necessary whether the app you’re modding is closed source, open source, or a PICO-8 cartridge image: when attestation is in play, everyone knows you’re running a modded version, and they may choose to deny you service over that. That’s the problem attestation poses, and why arguments against passkeys fail so spectacularly to gain traction, by focusing on “open source” (irrelevant) rather than e.g. “right to modify without being refused service”.
You can check my comment history to see the arguments I have against attestation. That's exactly what I argue. It's not an open source problem, it's a user freedom problem, and this is exactly why corporate interests like "open source", but not "free software". Open source is freedom-agnostic: you can use it to hurt users just fine. The current iterations of remote attestation are especially egregious, because most of it is the government itself or an entity the government forces you to deal with (banks).
In general I believe remote attestation is actually fine, so long as it does not transcend ownership boundaries. A company can use it to ensure its own colo servers aren't tampered with, for example. But an external authority shouldn't be able to exert control over something I own. In particular there should be no expectation that my device is "trustworthy" in any way at all. Anything else ends privacy and freedom as we know it.
- because I like backing up my data, especially credentials
- because I like looking at how things work in practice - you are on a website called Hacker News after all
That's the key difference. If it mattered, they would make it part of the spec, not threaten a ban. That's even more concerning, there is a central group of people who get to decide who can and cannot use Passkeys.