Tech News
← Back to articles

Passkeys and Modern Authentication

2025-10-31 | original
read original related products more articles

Passkeys and Modern Authentication

There is an ongoing trend in the industry to move people away from username and password towards passkeys. The intentions here are good, and I would assume that this has a significant net benefit for the average consumer. At the same time, the underlying standard has some peculiarities. These enable behaviors by large corporations, employers, and governments that are worth thinking about.

Attestations

One potential source of problems here is the attestation system. It allows the authenticator to provide more information about what it is to the website that you’re authenticating with. In particular it is what tells a website if you have a Yubikey plugged in versus something like 1password. This is the mechanism by which the Austrian government, for instance, prevents you from using an Open Source or any other software-based authenticator to sign in to do your taxes, access medical records or do anything else that is protected by eID. Instead you have to buy a whitelisted hardware token.

Attestations themselves are not used by software authenticators today, or anything that syncs. Both Apple and Google do not expose attestation data in their own software authenticators (Keychain and Google Authenticator) for consumer passkeys. However, they will pass through attestation data from hardware tokens just fine. Both of them also, to the best of my knowledge, expose attestation data for enterprises through Mobile Device Management.

One could make the argument that it is unlikely that attestation data will be used at scale to create vendor lock-in. However, I’m not sufficiently convinced that this won’t create sub-ecosystems where we see exactly that happening. If for no other reason, this API exists and it has already been used to restrict keys for governmental sign-in systems.

Auth Lock-in

One slightly more concerning issue today is that there is effectively no way to export private keys between authentication password managers. You need to enroll all of your ecosystems individually into a password manager. An attempt by an open source password manager to provide export of private keys was ruled insecure and should not be supported.

This might be for good intentions, but it also creates problems. As someone recently trying to leave the Apple ecosystem step by step, I have noticed how many services are now bound to an iCloud-based passkey. Particularly when it comes to Apple, this fear is not entirely unwarranted. Sign-in with Apple using non-shared email addresses makes it very hard to migrate to Android unless you retain an iCloud subscription.

Obviously, one could pay for an authenticator like 1Password, which at least is ecosystem independent. However, not everybody is in a situation where they can afford to pay for basic services like password managers.

... continue reading

Related:
ChatGPT owner OpenAI signs $38bn cloud computing deal with Amazon
How to actually use AI in a small business: 10 lessons from the trenches
20+ Google Docs tricks you're not using enough (no extensions required)
Are premium Chromebooks worth it in 2025? This laptop was enough to convert this Windows fan
No Digital ID, No Life: How Identity, Money, and Messaging Are Being Wired Into One Control System

© 2025 GoKawiil