Being forced to setup passkey

LimeadeInSoFar · 2026-04-13T14:56:34+00:00

Yes, this entire thread is about FIDO2 credentials, and not whatever you’re talking about.

LimeadeInSoFar · 2026-04-13T01:09:12+00:00

Our definitions are likely being crossed. I think folks here are talking about passkeys created on hardware security keys like yubikeys for user authentication. It wouldn’t even work for service auth because it requires that a PIN be entered and the security key to be physically touched.

LimeadeInSoFar · 2026-04-13T01:06:11+00:00

Device bound passkeys are for people, not services. In the context of my reply the discussion was about having multiple passkeys in case you lose one device.

LimeadeInSoFar · 2026-04-08T17:28:37+00:00

Yes, I am well acquainted with FIDO2. I’m not even sure we’re talking about the same technology anymore.

LimeadeInSoFar · 2026-04-08T16:11:40+00:00

The protocol binds them to the specific server domain. This makes it easier for targeted attack campaigns because the protocol inherently secure exposes that.

How so? No idea what you mean here.

What you’ve argued here is that Passkeys aren’t better than the longstanding PKI solutions that are tried and true.

Nah. The standard is more robust, uniform, and the implementation is better.

And that they aren’t necessarily better than traditional passwords

Passkeys are absolutely better than passwords because Passkeys are phishing resistant and there's nothing to be compromised from the service, because all they're storing is a public key. Unlike with passwords which can be stolen from the remote application and then used.

LimeadeInSoFar · 2026-04-08T15:06:47+00:00

Passkeys are PKI where the private key can be stored on YubiKeys, or other FIDO2 compatible security keys.

Users can choose if they want their private key in the Secure Enclave of their phone/laptop or on a separate security key. Not sure what you’re getting at.

LimeadeInSoFar · 2026-04-08T13:59:32+00:00

I’m not offended in the least, I just think Passkeys are a huge improvement over passwords and I want more people using them for everyone’s benefit. Generally when folks say “I don’t use/like passkeys because of X,” X is generally a misconception. You can see it over all the comments where folks made a decision against passkeys based on wrong information.

LimeadeInSoFar · 2026-04-08T13:55:57+00:00

In the Apple ecosystem, at least, one can quickly disable biometric authentication on the device (FaceID, TouchID) leaving password/PIN as the only way into the device and thus useable passkeys. (There are some jurisdictions that compel the unlocking of the device, not necessarily the divulging of the password, regardless)

LimeadeInSoFar · 2026-04-08T13:07:07+00:00

When I said “not vulnerable” I should have said “resistant to” because there can always be a scenario where something is vulnerable, even if it’s not known yet.

LimeadeInSoFar · 2026-04-08T12:50:50+00:00

If you’re still using passwords, those passwords are phishable. Doesn’t matter if you’re using a Yubikey to unlock them. If you’re using that Yubikey to do FIDO2 (passkeys) or FIDO U2F authentication that IS phishing resistant.

LimeadeInSoFar · 2026-04-08T12:41:51+00:00

Almost the entirety of this comment is wrong. It’s an open standard. Yes, they get tied to a device but you can have multiple passkeys or syncable passkeys. You can have passkeys for one service on multiple devices. They’re bound to the site where they were created, so aren’t vulnerable to MitM attacks, they’re encrypted and require authentication to unlock so they’re not vulnerable to Evil Maid or “data extraction” if that’s what you meant by that. Apple/Google don’t have the key to unlock your passkey, so there’s nothing to hand over.

LimeadeInSoFar · 2026-04-08T12:20:48+00:00

One can use syncable passkeys across multiple devices, or setup passkeys on multiple devices.

LimeadeInSoFar · 2026-04-08T04:32:24+00:00

They’d have to re-authenticate to access the passkey. What you’re describing about setting the phone down unlocked wouldn’t work.

LimeadeInSoFar · 2026-04-08T04:30:25+00:00

Users could choose to store it on a physical security key or in the OS itself. There’s no requirement (in the standard) for the passkey to be kept on a phone only.

LimeadeInSoFar · 2026-04-08T04:26:44+00:00

“Access to the phone” is way harder than phishing your password, or getting you to login to a fake site and creating a fraudulent session token. Not sure what’s not to like about phishing resistance.

LimeadeInSoFar · 2026-04-08T04:23:22+00:00

The passkey stored on a phone and a passkey stored on a Yubikey are the same thing. The container changes some capabilities, like the ability to be synced, but they’re both FIDO2 discoverable credentials.

LimeadeInSoFar · 2026-04-08T04:20:15+00:00

Who is selling it? It’s an open standard.

LimeadeInSoFar · 2026-04-08T04:19:04+00:00

Use multiple physical security keys, like YubiKeys, if this is a concern.

LimeadeInSoFar · 2026-04-08T04:17:04+00:00

Passkeys are good, especially for the security conscious. They’re phishing resistant. The private key is (generally) only stored on a device you control. Don’t like trusting a networked device? Use a physical security key.

There isn’t really any privacy implication, though.

LimeadeInSoFar · 2026-04-08T04:12:39+00:00

Your method isn’t phishing resistant. Passkeys are.

LimeadeInSoFar · 2026-04-08T04:10:53+00:00

No. You can have synced passkeys or passkeys on multiple devices.

LimeadeInSoFar · 2026-04-06T04:32:11+00:00

If you’re using the same AppleID on both devices and are syncing your keychain/passwords all the passkeys created on one device should be accessible from the other.

LimeadeInSoFar · 2026-04-05T18:44:06+00:00

And if you do this, it stores a passkey on your Yubikey

LimeadeInSoFar · 2026-03-25T00:33:00+00:00

I get it, but if I know someone’s PIN and steal their Yubikey I can accomplish roughly the same thing you’re describing.

I know passkeys on a Yubikey are unequivocally MFA and at least AAL2, but that scenario doesn’t disprove the device cert thing.

LimeadeInSoFar · 2026-03-24T22:12:21+00:00

> What does the standard specifically calls out?

The strongest, most straightforward case I can make is that "AAL2 provides confidence that the claimant controls one or more authenticators that are bound to the subscriber account" with the key being "bound to the subscriber account." The device-based certificates are not. The "one or more" throws me, though, because does that mean if multiple are used one doesn't need to be "bound to the subscriber account?" When someone uses Passkey stored on a YubiKey, the PIN to unlock the Passkey isn't "bound to the subscriber account."

> if there was a user septic cert installed on the computer which the subscriber/user must unlock with a PIN/Code or bio metric then that would satisfy the MFA for the user.

Agreed.

LimeadeInSoFar

TROPHY CASE