[meta] Implement support for synced application credentials (passkeys)
Categories
(Core :: DOM: Web Authentication, task)
People
(Reporter: djc, Unassigned)
References
(Depends on 3 open bugs, Blocks 2 open bugs)
Details
(Keywords: meta, webcompat:platform-bug)
I suppose this might be part of WebAuthentication level 3? While I'm aware that passkeys is the Apple marketing name, I was unable to find an existing issue in the tracker referring to this feature.
Comment 1•3 years ago
Google appears to be using the passkey terminology as well: https://android-developers.googleblog.com/2022/10/bringing-passkeys-to-android-and-chrome.html
Comment 2•3 years ago
There is some useful info and further links at https://fidoalliance.org/passkeys/
Comment 3•3 years ago
There's a passkeys test application here for convenience: https://www.passkeys.io/
Comment hidden (advocacy)
Comment 5•3 years ago
Synchronization from one Firefox to another on a different platform through Firefox Accounts?
Create a passkey on Firefox Android and use it with Firefox on Windows?
Comment 6•2 years ago
For macOS specifically, Apple has a restricted entitlement that grants full access to the system AuthenticationServices framework, which includes both physical security keys and passkeys via iCloud Keychain. There's some information and a link to apply for the entitlement at https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_web-browser_public-key-credential.
Comment 7•1 year ago
It seems Firefox implemented passkeys for Windows and macOS but lacks support for Linux, as shown in https://www.passkeys.io/compatible-devices
I don't quite understand what is so platform specific. Of course, integration in the native platform password manager is nice but not mandatory. Firefox already stores its passwords and can sync them with Firefox Sync. What's so different with passkeys and what's the status of this feature?
As a web developer if I can provide passkeys as the primary login method, this would be a great step forward, but it'd be better to have full browser compatibility.
Comment 8•1 year ago
(In reply to Mildred Ki'Lya from comment #7)
> It seems Firefox implemented passkeys for Windows and macOS but lacks support for Linux, as shown in https://www.passkeys.io/compatible-devices
> I don't quite understand what is so platform specific. Of course, integration in the native platform password manager is nice but not mandatory. Firefox already stores its passwords and can sync them with Firefox Sync. What's so different with passkeys and what's the status of this feature?
> As a web developer if I can provide passkeys as the primary login method, this would be a great step forward, but it'd be better to have full browser compatibility.
PassKeys.io is really saying there is a workaround when they write "Phone passkeys (QR code flow) and physical security keys only". The private part of the passkey should never leave the device it was created on, so by design, it should not sync anywhere else. However, if you have a passkey on your cellphone or YubiKey but want to authenticate on your Linux desktop, then Bluetooth (or a USB cable) connected to your desktop should offer a workaround. It worked for me before but not sure which Linux PC and which web browser on which Linux machine. If your Linux desktop has supported TPM hardware, then I do not see why it would not work. US DOD does it.
Comment 9•1 year ago
> The private part of the passkey should never leave the device it was created on, so by design, it should not sync anywhere else.
That's an interesting statement. Sounds plausible at first. But when that key is my entrance, how should I use my account from another device? Will I have to create a new account? If PassKeys are meant to be the primary authentication method, I'll still have to identify from the new device somehow. I don't understand how that should work without copying the key to other devices. Let alone non-technical people who are already overwhelmed by PassKeys. They'll probably not use it like that.
Comment 10•1 year ago
The short answer is the analogy falls down a little here because these are master keys. Imagine you have one automobile - a . You do not have a single Chevy key, but you do have keys for a 78 Mazda GLC, a BMW, and your house. None of those would work! But you try them and it is like magic, all three of these master keys unlock the 1957 Chevy Bel Air.
Comment 11•1 year ago
(In reply to Robert Townley from comment #10)
> The short answer is the analogy falls down a little here because these are master keys. Imagine you have one automobile - a . You do not have a single Chevy key, but you do have keys for a 78 Mazda GLC, a BMW, and your house. None of those would work! But you try them and it is like magic, all three of these master keys unlock the 1957 Chevy Bel Air.
Cross-Device Authentication (CDA) allows your iPhone to vouch for your logon attempt on your Desktop because it is cabled to it or within Bluetooth range.
About the time the pandemic arrived in the US, almost all Credit Cards had these chips on them. The contactless nature of these credit cards meant germs were not spread as much. The chip stores a private key. Effectively, TPM hardware in your desktop or laptop or iPhone has one of these credit card chips. The public key can travel all over the internet, but the private key should never ever leave the device it was created on.
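The device-bound model discussed in comments 8 to 11, as an added example that is not part of any comment or of Firefox's code: each device keeps its own private key, the site stores one public key per registered device, and a lost device is handled by dropping its public key. It uses Node's built-in crypto module and a simplified challenge signature rather than the real WebAuthn message format; the class and function names are hypothetical.

```javascript
// Added illustration: simplified model, not the WebAuthn wire format.
const nodeCrypto = require('node:crypto');

// Stands in for a phone, security key or TPM-backed platform authenticator.
class Authenticator {
  #privateKey; // private field: no method ever returns or exports it
  constructor(name) {
    const pair = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.#privateKey = pair.privateKey;
    this.publicKey = pair.publicKey; // the only half sent to the site
    this.credentialId = `${name}-${nodeCrypto.randomBytes(8).toString('hex')}`;
  }
  // Prove possession of the private key by signing the site's challenge.
  sign(challenge) {
    const signature = nodeCrypto.sign('sha256', challenge, this.#privateKey);
    return { credentialId: this.credentialId, signature };
  }
}

// The site: one account holding any number of registered public keys.
class RelyingParty {
  constructor() { this.publicKeys = new Map(); }
  register(authenticator) {
    this.publicKeys.set(authenticator.credentialId, authenticator.publicKey);
  }
  revoke(credentialId) { this.publicKeys.delete(credentialId); }
  newChallenge() { return nodeCrypto.randomBytes(32); }
  verify(challenge, { credentialId, signature }) {
    const publicKey = this.publicKeys.get(credentialId);
    if (!publicKey) return false; // unknown or revoked credential
    return nodeCrypto.verify('sha256', challenge, publicKey, signature);
  }
}
function demo() {
  const site = new RelyingParty();
  const phone = new Authenticator('phone');   // constructed sample devices
  const laptop = new Authenticator('laptop');
  site.register(phone); site.register(laptop);
  const c1 = site.newChallenge();
  const phoneLogin = site.verify(c1, phone.sign(c1));
  const laptopLogin = site.verify(c1, laptop.sign(c1));
  // An old response does not satisfy a fresh challenge.
  const replay = site.verify(site.newChallenge(), phone.sign(c1));
  site.revoke(phone.credentialId); // phone lost: drop only its public key
  const c2 = site.newChallenge();
  const lostPhone = site.verify(c2, phone.sign(c2));
  const laptopAfter = site.verify(c2, laptop.sign(c2));
  return { phoneLogin, laptopLogin, replay, lostPhone, laptopAfter };
}
```

Calling `demo()` returns which of the five login attempts the site accepted.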
Comment 12•1 year ago
So, is in the works or is it planned to ever add support for this? Scanning a QR code?
Comment 13•1 year ago
So what happens when you lose the device that has your master key?
Comment 15•4 months ago
Is it possible to decouple the "sync" aspect of this feature request from the "store passkeys in the native password manager" aspect?
I don't sync my passwords—I only use local storage. I don't need and wouldn't use cross-device synchronization for passkeys, either. From my perspective, it would be a shame if the passkey implementation were blocked on implementing cross-device synchronization.
Comment 16•4 months ago
(In reply to Brandon Jewett-Hall from comment #15)
> ... it would be a shame if the passkey implementation were blocked on implementing cross-device synchronization.
I'd disagree. Cross-device synchronization of passkeys is crucial. Otherwise one would have to create a passkey for each device running Thunderbird, and store it locally. That could be e.g. desktop computer, laptop, mobile phone, etc. It would get confusing pretty quickly, with no way to back up all those passkeys needed.
There is no need for implementing cross-device synchronization in Thunderbird though, meaning that Thunderbird itself would not have to handle the sync. All that's needed for Thunderbird is to inter-work with a password manager which can store passkeys, e.g. Bitwarden.
Firefox already does this, and it just works fine. So Thunderbird could possibly use what Firefox already offers today.