Passkeys are supposed to be bound to one device and protected by that device’s OS’s secure enclave. If you have a second device you’re supposed to create a second passkey.
That’s why many sites will flat out refuse to let you create a passkey with a desktop browser since a PC-stored passkey doesn’t fit the security model.
Websites should not get to dictate my security model. I’ll accept annoying me about being less secure because I get that people are dumb, but you’ve gotta choose somehow! Also, any passkey is safer than a password, so that’s still BS.
The logic behind it is that a smartphone-bound passkey represents two factors of authentication: what you have (the phone) and who you are (the fingerprint used to unlock the phone’s passkey store).
Anything on a PC is easily copied and can only ever be safely assumed to represent one factor: what you know (the password to unlock your password manager). Thus the benefit of getting a two-factor authentication in one convenient step falls away.
Of course it’s still super annoying, especially if you don’t really trust your smartphone OS vendor and use a portable password manager already.
Yeah, that’s how I understood it to work, as well. I didn’t mention it because I’ve seen a bunch of different implementations that don’t seem to work that way. I didn’t want to speak too much on that specific point, since I don’t have a very thorough understanding of it.
Passkeys are supposed to be bound to one device and protected by that device’s OS’s secure enclave. If you have a second device you’re supposed to create a second passkey.
That’s why many sites will flat out refuse to let you create a passkey with a desktop browser since a PC-stored passkey doesn’t fit the security model.
Websites should not get to dictate my security model. I’ll accept annoying me about being less secure because I get that people are dumb, but you’ve gotta choose somehow! Also, any passkey is safer than a password, so that’s still BS.
The logic behind it is that a smartphone-bound passkey represents two factors of authentication: what you have (the phone) and who you are (the fingerprint used to unlock the phone’s passkey store).
Anything on a PC is easily copied and can only ever be safely assumed to represent one factor: what you know (the password to unlock your password manager). Thus the benefit of getting a two-factor authentication in one convenient step falls away.
Of course it’s still super annoying, especially if you don’t really trust your smartphone OS vendor and use a portable password manager already.
Yeah, that’s how I understood it to work, as well. I didn’t mention it because I’ve seen a bunch of different implementations that don’t seem to work that way. I didn’t want to speak too much on that specific point, since I don’t have a very thorough understanding of it.