Many Password Managers Don't Properly Support Passkeys

Found this on the passkeys.dev site, an official site from the FIDO alliance. Most password managers don’t seem to implement passkeys correctly, including Proton Pass and Bitwarden. They apparently don’t properly support User Verification in a compliant way. Pretty disappointing to see, I hope they can fix this ASAP.

2 Likes

I feel part of the non-compliance may be a deliberate decision to keep the user experience intuitive and not have the user authenticate multiple times.
(Note: these are just my personal views and not based on any actual sources/facts.)

I have been using passkeys via password managers, and I think sometimes it doesn't make sense to do "UV" each time if I am doing it on my personal device and the vault is already unlocked.
Though I do think they should strictly comply with the official spec for uniform behaviour.

2 Likes

Good theory. Kinda what I was thinking too.

1 Like

I would agree this is a necessary step. In the age of AI agents taking over, re-authentication generally becomes much more important. Applications should really, really ask for user verification on sensitive actions. Things like deleting a database or making a (large) payment should always require a user to confirm in a similar way.

3 Likes

Weird position here.

I agree with you.

I hope you would also agree about what may likely happen if UV is asked for always and by the book: it will become more inconvenient, to the point of pushing people using passkeys to stop using them. Adoption may take a hit because the user experience will take a hit. Don't you think so?

2 Likes

I'm not really sure exactly how it's supposed to work, if there's like a timeout or something; I didn't read the spec to see. But if you're going to claim to support passkeys, you should make every effort to be spec compliant, and especially avoid actively lying, apparently, by saying you performed UV when you actually didn't.

Plus, generally you don't constantly log in over and over in a short period of time; you usually stay logged in for a long time, so verifying with biometrics or your PIN isn't very inconvenient anyway.

I think just scanning your face or thumb is a very simple action to proceed.

1 Like

What about systems that don’t support biometric authentication?

User verification can take various forms, such as password, PIN, fingerprint, face scan, etc. The point is for the user to not only prove physical possession of the device, but ownership of it. A similar mental model is a PIN that is used on a debit or credit card.

Doesn’t have to be biometrics.

2 Likes

That, and you could think of verifying via a device that does, like scanning those QR codes for passkeys.

I am aware that user verification in this context does not strictly require biometrics.

My question was more directed at @ph00lt0 as to his statement that:

in response to @DigitalAutonomy's question of whether

and I was mostly interested to hear if @ph00lt0 had any thoughts on if Passkey adoption could take a hit on systems that do not provide convenient biometric authentication paths.

@fria tried to answer exactly that. It does allow for PIN codes too, or doing it via a second device.

1 Like