The Security of Passkeys: A Listener Question from Twi Aad Kayat on Security Now
In a recent Security Now segment, host Steve Gibson read a question from listener Twi Aad Kayat of Riyadh, Saudi Arabia, about the security of passkeys and how sites implement them. The listener asked whether, instead of synchronizing passkeys between devices, it is more secure to have one passkey per device, locked into that device's TPM (Trusted Platform Module) or equivalent hardware, with backup passkeys registered on additional devices. The argument is that a device-bound private key never leaves the hardware that generated it, so it can be used only from that device and is never exposed to a synchronization service.
The listener also argued that it is probably more feasible to convince sites to support multiple passkeys per user than to convince Google, Apple, and Microsoft to support passkey portability between their ecosystems. Gibson agreed: the big platforms have always run their own synchronization for passwords and now do the same for passkeys, whereas third-party password managers such as 1Password and Bitwarden already aim at cross-platform use.
A significant problem with the current state of passkeys is that there is no way to know which sites support multiple passkeys per account and which do not. A user who tries to register another passkey from a second device may simply be told that the account already has one and to use that instead, which is impossible when the existing passkey lives on a device the user is not holding at the moment.
The passkeys specification says that supporting sites should provide a many-to-one mapping of passkeys to an account, but not every site implements it, and a single site that does not is enough to ruin your lunch: the user cannot add another device to that account, which is a breakdown of the passkeys promise.
For the time being, Gibson sees two practical options: stay entirely within one of the closed ecosystems of the big three, or use a third-party password manager such as 1Password or Bitwarden (both sponsors of the TWiT network), which provides the cross-platform compatibility passkeys were intended to deliver but do not yet deliver universally. The right way, he noted, is for sites themselves to provide the many-to-one mapping and a management interface where users can see every passkey registered on their account and administer them: say yes or no to individual passkeys, and remove the ones for devices they no longer use or have handed to a family member who should not have access to, say, the family's banking site.
Gibson also noted that having Apple, Google, and Microsoft perform their own cross-device synchronization of passkeys, just as they have always done for passwords, takes the pressure off sites to improve their passkey implementations: it already works for everyone inside those ecosystems, so sites see little reason to change.
Overall, the segment highlights that the cross-platform promise of passkeys still depends on sites implementing many-to-one credential mappings with a way for users to manage them. Until that is universal, a third-party password manager such as 1Password or Bitwarden is the practical way to carry passkeys across ecosystems.
---
Leo Laporte's Closing
Leo Laporte, co-host of the Security Now podcast, closed the snippet by thanking listeners and encouraging them to hear the full discussion.
The complete episode is available at twit.tv/sn. Listeners can also subscribe to Security Now in their favorite podcast app or use one of the links below.
---
Conclusion
The exchange between the listener and Steve Gibson shows that the weak point in today's passkey deployments is not the cryptography but the relying parties: a site that allows only one passkey per account, or gives users no way to see and remove the passkeys registered to them, defeats both device-bound and synced designs. Until many-to-one credential mappings and passkey management pages are universal, a third-party password manager such as 1Password or Bitwarden remains the practical way to use passkeys across multiple devices and ecosystems.
---
Transcript
Steve Gibson: This is Twi Aad Kayat from Riyadh, Saudi Arabia, who said: "Hello Steve. Instead of synchronizing passkeys, isn't it more secure to have a passkey per device, locked into that device's TPM or equivalent facility, and, instead of backing up passkeys, have backup passkeys on additional devices? Moreover, it's probably more feasible to convince sites to support multiple passkeys per user than to convince Google, Apple, and Microsoft to support passkey portability."
I completely agree with that, lad. The big problem here is that there's no way to know which sites support multiple passkeys and which don't. You're just going to try to associate another passkey with a site from a different device, and the device says, "Sorry, you already got one. Use that one." But you can't, because it's on a device you're not using right now. The passkeys spec states that passkey-supporting sites should provide many-to-one passkeys-to-account mappings, but as we know, today not all do, and it only takes one to ruin your lunch. Running into a site that doesn't means that the user cannot add another device to that site, which is a breakdown of the passkeys promise. Hopefully this will eventually change, but it's also true that having Apple, Google, and Microsoft performing their own cross-device synchronization of passkeys, just as they've always done for passwords, takes the pressure off of sites to improve their passkeys implementations, because, right, it works for everybody using Apple, Google, and Microsoft; what's wrong with you? So for the time being, the only practical solution is to either have that be your complete and total solution, remain within one of the closed ecosystems which is provided by the big three, or use a third-party password manager such as 1Password or Bitwarden, both sponsors of the TWiT network, which will provide the kind of cross-platform compatibility that passkeys was intended to provide, but doesn't yet universally. And passkeys was intended to provide it the right way, by having sites provide a many-to-one passkeys-to-account mapping, then giving the user a user interface where they could see all of the passkeys which are currently registered on their account and administrate them, you know, say yes and no to various passkeys, like remove passkeys for devices they're no longer using or don't want, or have given a device to a family member, but they shouldn't have access to the family's banking site because, you know, they're not old enough yet, and so forth. Anyway, we don't have that, unfortunately. We can hope that we get that moving forward.
Leo Laporte: Hey, it's Leo Laporte. I hope you've enjoyed this little snippet from Security Now. If you want the whole show, you can get it at our website, twit.tv/sn. Of course you can subscribe to Security Now in your favorite podcast app, or just click one of the links below.