Support passkeys
As it stands right now, passkeys are an implementation of WebAuthn with discoverable (AKA resident) keys - this is a mode of operation in WebAuthn where, on a hardware USB token, you actually store the key on the token (rather than offloading an encrypted wrapped form of the key to the server). When you try to log in to a site, the user is prompted (via browser or keychain UI) for which credential to use, and a standard WebAuthn "passwordless" login occurs.
There are two types of passkeys (a good FAQ from Yubico) - copyable/synced, and single-device, non-copyable.
Apple's implementation of passkeys (today) uses iCloud Keychain sync, and lets you sync and share passkeys between your devices.
The questions here are
1) whether Apple will make an API to allow other browsers to "use" passkeys via their own keychain; and
2) whether Apple will enable APIs so other password managers/keychains can "provide" passkeys.
On Android, Google has said they will look at developing APIs so other apps can become passkey "providers" - popular password managers are all looking at this space eagerly.
The options for Orion appear to me to be:
a) implement your own support for passkey protocols (WebAuthn is already done; add sync, via cloud keychain, of the information required to support passkeys across multiple devices), which happens within Orion only.
b) wait and see if Apple adds support for other browsers to access Safari/system passkeys (which I imagine will be slow, or not forthcoming easily, due to the security implications of this)
c) wait and see how commercial/open source password managers implement passkeys themselves - at least Bitwarden have already said they're looking at doing something in this space, and I think all the others are doing so too - as browsers and other systems are likely to introduce APIs (like webextension APIs) to enable the integration required here.
One of the hard parts about passkeys is that, if not done right, users can end up "locked in" to an ecosystem. It appears that Apple and Google are aiming to become "your source of identity", via your cloud-synced account - if you get locked out of your Apple ID or Google account, in future it sounds like people reliant on their passkey systems might end up "locked out". While "copyable/synced" passkeys can be ported to other devices via the cloud account, it can be hard to leave the walled garden unless the walled garden operator allows you to.
Apple's "porting" approach is to let you scan a QR code on the screen via your iPhone from what I understand, and approve the passkey request from the iPhone. This has to be done for every site, so the UX of porting is going to be a bit messy.
I would recommend either:
1) Do nothing, retain support for WebAuthn today for "MFA" (but not passwordless), and wait to see what happens with passkeys in a few months' time in terms of platform support - do third-party password managers "take off" in this space, or not? Does Google announcing plans to open their side up push Apple's hand?
2) Decide to "go all-in", and implement support for custom Orion passkeys (like how you have WebAuthn today in Orion for Mac, using your own method on the system) - use end-to-end encrypted sync via iCloud using CloudKit, so that an Orion user can access Orion-generated passkeys from any device running Orion. The blocker to this today is I am not sure you can implement your own passkeys on a third-party iOS browser, so this needs research.
Google is suggesting they have passkey support via iCloud Keychain on iOS - https://developers.google.com/identity/passkeys/supported-environments. This appears to be a potential route for iOS only (not Mac), and seems to be integrated with the Apple passkeys from Safari and the OS ecosystem.
I am not sure how this will end up in the longer term -- will it be possible to serve up your own passkeys on iOS? Today I do not think it is, hence Chrome is using the iOS/Safari ones.
Either you need to be able to use "custom" passkeys on iOS, or you need to be able to access "system/Safari" passkeys on MacOS. Without one of these, "doing nothing" might be the safest option (albeit not ideal).
Another vote. This is really interesting technology.
Today Google announced that you can now log into your Google account with passkeys on all major platforms, including MacOS/Safari. Here is the announcement. I opened up Safari and went through the process to create a passkey and it worked immediately and was incredibly easy to do.
I view this as a sea-change moment in the deployment of passkeys, and suggest that Orion implement support for passkeys in its password manager. More and more orgs will start to implement passkeys now that Google has done so.
No more passwords is amazing!
You just create multiple passkeys, held in each "bucket". I could have multiple passkeys for my google account stored in iCloud keychain, 1Password (when they implement it), and my Orion keychain (when/if implemented). Passkeys are an industry standard that are coming.
I should note that, from a discussion by Ricky Mondello, there are some plans for interoperability and import/export, which should alleviate the vendor lock-in factor:
Adding this link for discussion https://news.ycombinator.com/item?id=35854216
I have an Apple passkey set up with GitHub...
In Safari it's directly integrated, while in other browsers (even other operating systems) I get the option to display a QR code and approve the sign-in on my iPhone. Here's what that looks like in Arc:
In Orion I do not get the QR-code option at all.
As I don't have a physical security key to insert, I'm unable to sign in to GitHub at all from Orion, even though it works fine from Chrome, Edge, Firefox, Vivaldi, Brave, and Arc.
It would be really nice if Orion supported this to the extent all other non-Safari browsers seem to.
I would like to see this rolled out too. I changed my Google account to use a passkey and would like to be able to use that key to sign in on Orion the same way I do in Safari.