Support passkeys

hanche

Well, the only browser I know of that has included this is safari, and that feature is merely days old, unless you count in the beta versions. But passkeys is such a big step forward I cannot imaging any browser team not trying to support it ASAP.

I think a good place to start is the WWDC 2022 session on it, here:

https://developer.apple.com/videos/play/wwdc2022/10092/

The video is 33 minutes long, and should provide a good introduction. But more importantly, scroll down to the Resources heading below the video. I believe all the required documentation is to be found there, along with code samples.

jackg

Another helpful url to a overview is here!

Vlad

Still waiting for guidance from @gp 🙂

gp

As it stands right now, passkeys are an implementation of Webauthn with discoverable (AKA resident) keys - this is a mode of operation in Webauthn where, on a hardware USB token, you actually store the key on the token (rather than offloading an encrypted wrapped form of the key to the server). When you try to login to a site, the user is prompted (via browser or keychain UI) for which credential to use, and a standard webauthn "passwordless" login occurs.

There's 2 types of passkeys (a good FAQ from Yubico) - copyable/synced, and single-device, non-copyable.

Apple's implementation of passkeys (today) uses iCloud Keychain sync, and lets you sync and share passkeys between your devices.

The questions here are

1) whether Apple will make an API to allow other browsers to "use" passkeys via their own keychain; and

2) whether Apple will enable APIs so other password managers/keychains can "provide" passkeys.

On Android, Google has said they will look at developing APIs so other apps can become passkey "providers" - popular password managers are all looking at this space eagerly.

The options for Orion appear to me to be:

a) implement your own support for Passkey protocols (webauthn is already done - add support for sync via cloud keychain the information required to support passkeys across multiple devices), that happens within Orion only.

b) wait and see if Apple adds support for other browsers to access Safari/system passkeys (which I imagine will be slow, or not forthcoming easily, due to the security implications of this)

c) wait and see how commercial/open source password managers implement passkeys themselves - at least Bitwarden have already said they're looking at doing something in this space, and I think all the others are doing so too - as browsers and other systems are likely to introduce APIs (like webextension APIs) to enable the integration required here.

One of the hard parts about passkeys is that, if not done right, users can end up "locked in" to an ecosystem. It appears that Apple and Google are aiming to become "your source of identity", via your cloud-synced account - if you get locked out of your Apple ID or Google account, in future it sounds like people reliant on their passkey systems might end up "locked out". While "copyable/synced" passkeys can be ported to other devices via the cloud account, it can be hard to leave the walled garden unless the walled garden operator allows you to.

Apple's "porting" approach is to let you scan a QR code on the screen via your iPhone from what I understand, and approve the passkey request from the iPhone. This has to be done for every site, so the UX of porting is going to be a bit messy.

Vlad

gp What would you recommend Orion do?

gp

I would recommend either:

Do nothing, retain support webauthn today for "MFA" (but not passwordless), and wait to see what happens with passkeys in a few months' time in terms of platform support - do third party password managers "take off" in this space, or not? Does Google announcing plans to open their side up push Apple's hand?
Decide to "go all-in", and implement support for custom Orion passkeys (like how you have webauthn today in Orion for Mac, using your own method on the system) - use end to end encrypted sync via iCloud using CloudKit, so that an Orion user can access Orion-generated passkeys from any device running Orion. The blocker to this today is I am not sure you can implement your own passkeys on a third-party iOS browser, so this needs research.

Google is suggesting they have passkey support via iCloud keychain on iOS - https://developers.google.com/identity/passkeys/supported-environments. This appears to only be a potential route for only iOS (not Mac), and seems to be integated with the Apple passkeys from Safari and the OS ecosystem.

I am not sure how this will end up in the longer term -- will it be possible to serve up your own passkeys on iOS? Today I do not think it is, hence Chrome is using the iOS/Safari ones.

Either you need to be able to use "custom" passkeys on iOS, or you need to be able to access "system/Safari" passkeys on MacOS. Without one of these, "doing nothing" might be the safest option (albeit not ideal).

Vlad

gp Thank you as always for your wisdom

ericafterdark

Another vote. This is really interesting technology.

Jdf3

Today Google announced that you can now log into your Google account with passkeys on all major platforms, including MacOS/Safari. Here is the announcement. I opened up Safari and went through the process to create a passkey and it worked immediately and was incredibly easy to do.

I view this as a sea-change moment in the deployment of passkeys, and suggest that Orion implement support for passkeys in its password manager. More and more orgs will start to implement passkeys now that Google has done so.

No more passwords is amazing!

Vlad

Jdf3 Passkeys also lock you into the browser as thy are not transferable?

rhyxalia

Vlad Not the browser, but the ecosystem. Passkeys on Apple devices are stored on iCloud Keychain, and on Android when you transfer your apps/data to a new phone, passkeys go along with it.

Unfortunately, passkey migration hasn't been implemented though it's being looked at.

Jdf3

You just create multiple passkeys, held in each "bucket". I could have multiple passkeys for my google account stored in iCloud keychain, 1Password (when they implement it), and my Orion keychain (when/if implemented). Passkeys are an industry standard that are coming.

Vlad

Jdf3 Yes I do not worry about you, I worry about average browser user who will never create multiple passkeys.

While it may sound like a good idea to 'lock' users into sticking with Orion it is not something we would like to do.

alicerunsonfedora

I should note that, from a discussion by Ricky Mondello, there are some plans for interoperability and import/export, which should alleviate the vendor lock-in factor:

https://hachyderm.io/@rmondello/110329118270492669

Vlad

Adding this link for discussion https://news.ycombinator.com/item?id=35854216

Jtm

I have an Apple passkey set up with GitHub...

In Safari it's directly integrated, while in other browsers (even other operating systems) I get the option to display a QR code and approve the sign-in on my iPhone. Here's what that looks like in Arc:

In Orion I do not get the QR-code option at all.

As I don't have a physical security key to insert, I'm unable to sign in to GitHub at all from Orion, even though it works fine from Chrome, Edge, Firefox, Vivaldi, Brave, and Arc.

It would be really nice if Orion supported this to the extent all other non-Safari browsers seem to.

Vlad

Jtm Can you record a video of what this look like in chrome/firefox and what it looks like in Orion?

Jtm

Vlad

My mistake, it does not in fact work with Firefox. It does, however, work with every Chromium-based browser I've tried.