HackerTrans
TopNewTrendsCommentsPastAskShowJobs

0x4e53

no profile record

comments

0x4e53
·3 years ago·discuss
For context, we run a YC-backed passwordless company, and have rolled passwordless out at major organizations. While I think passkeys will definitely be the answer for consumer passwordless, I'm not sure this is quite reflected in the enterprise yet.

Passkeys are wonderful for consumer use, because they're meant to enable your own ability to break glass, by backing up the credential to other devices. You can do this via iCloud (by default) or via things like Airdrop.

Technically, the devices you share this credential to, cannot provide "attestation" - attestation is the "proof" that the keypair was created by a specific device (like a Yubikey, Apple Machine, etc). Manufacturers (like Yubico) ship a keypair / certificate onboard your key, that can't be extracted. There are no external methods to interface with this keypair - granting admins high confidence this is a real Yubikey.

You can see where this starts to become a problem without attestation, and the ability to share the keys. Enterprises are not willing to inherit the risk of an airdroppable credential exposing access to a privileged employees' account. There is a non-risk of digital theft when it comes to a Yubikey.

Ultimately - passkeys can't even be used to unlock your machines, or servers. FIDO2 (more importantly, OS developers) have a long way to go before we're done with passwords for good.

Today, Yubikeys are filling this gap for most of the enterprise market, some of whom have spent multiple millions of dollars on hardware. Passkeys in their current state are going to be a hard sell.
0x4e53
·3 years ago·discuss
At least for the enterprise - this decision should be up to the company. (i.e, flip a switch on your identity provider to enable or disable support for "no attestation")

Some companies are comfortable with the idea of a two-factor method that can be airdropped to friends. Major organizations (AWS, among others) are not huge fans of passkeys for enterprise use. When passkeys released, our initial response at AWS was to give organization admins the ability to disallow passkeys.

Overall, I think there are fixes coming across the board from Apple and the FIDO Alliance to address some of the early shortfalls of passkeys.
0x4e53
·3 years ago·discuss
Realistically, I don't think this will completely replace Yubikeys, nor do I think that only "security nerds" use them.

In reality - the majority of leading organizations use Yubikeys to secure authentication across their company. While it's likely not as common for consumers, it is probably the most trusted solution in the enterprise today.