Using Multiple Passkeys

The Security of Passkeys: A Discussion with Twi Aad Kayat

In a recent conversation, Twi Aad Kayat from Riyadh, Saudi Arabia, shared his thoughts on the security of passkeys and their implementation. He began by asking whether it is more secure to have one passkey per device, locked into that device's TPM (Trusted Platform Module) or equivalent facility, rather than backing passkeys up to additional devices. According to Aad Kayat, this approach provides an added layer of security, as the passkey is only accessible to the specific device it is stored on.

Aad Kayat also highlighted the challenge of convincing sites to support multiple passkeys per user, which is a crucial aspect of cross-platform compatibility. He noted that while it may be feasible to convince users and third-party password managers like 1Password or Bitwarden to adopt this approach, convincing major platforms such as Google, Apple, and Microsoft to support passkey portability is a much more daunting task. These platforms have historically maintained their own synchronization methods for passwords, which can make it difficult for sites to improve their passkey implementations.

One of the significant issues with the current state of passkeys is that there is no universal standard or way to determine which sites support multiple passkeys and which do not. This makes it challenging for users to associate another passkey with a site from a different device, as the site may reject the new registration because a passkey already exists on a different device.

Aad Kayat pointed out that the passkey specification states that sites supporting multiple passkeys should provide many-to-one passkey mappings (several passkeys for one account), but this promise is not universally implemented. This can lead to breakdowns in the promised functionality: when users encounter a site that does not support multiple passkeys, they are unable to add another device to their account.

In light of these challenges, Aad Kayat advocates using third-party password managers like 1Password or Bitwarden, which can provide cross-platform compatibility and allow users to manage their passkeys more effectively. These services offer a user-friendly interface where users can see all the passkeys currently registered on their account, administer them, and decide which devices have access to specific passkeys.
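The "many-to-one" mapping discussed above, and the account view in which a user can see and administer every registered passkey, come down to how the relying party stores credentials. The following is an added example, not code from the page or from the podcast: a minimal relying-party credential registry in JavaScript that maps many passkeys to one account, builds the WebAuthn creation options (with excludeCredentials) for enrolling an additional device, lists and revokes credentials, and applies the signature-counter check at sign-in. The class name PasskeyRegistry, the user names and the credential ids are assumptions for illustration; a real relying party would verify the WebAuthn attestation and assertion before calling these methods and would persist the records in a database. Setting maxPerUser to 1 reproduces the failure mode the text describes, where a site that allows only one passkey per account refuses a second device.

```javascript
// Added example (not from the page or the podcast): a relying-party credential
// registry with a many-to-one mapping of passkeys to one account.
// PasskeyRegistry and all sample identifiers below are assumed for illustration.

class PasskeyRegistry {
  // maxPerUser = 1 models a site that allows only one passkey per account.
  constructor({ maxPerUser = Infinity } = {}) {
    this.maxPerUser = maxPerUser;
    this.byUser = new Map();       // userId -> [credential records]
    this.byCredential = new Map(); // credentialId -> userId (each id belongs to one account)
  }

  // Store another verified credential for an account; returns the new count.
  register(userId, { credentialId, publicKey, deviceLabel, signCount = 0 }) {
    if (this.byCredential.has(credentialId)) {
      throw new Error(`credential ${credentialId} is already registered`);
    }
    const creds = this.byUser.get(userId) ?? [];
    if (creds.length >= this.maxPerUser) {
      throw new Error(`account ${userId} already has the maximum number of passkeys`);
    }
    creds.push({ credentialId, publicKey, deviceLabel, signCount });
    this.byUser.set(userId, creds);
    this.byCredential.set(credentialId, userId);
    return creds.length;
  }

  // PublicKeyCredentialCreationOptions for enrolling an additional device.
  // excludeCredentials carries the account's existing credential ids so the
  // same authenticator is not enrolled twice, while a new device still can be.
  // (In the browser, challenge and user.id are ArrayBuffers; strings are used
  // here to keep the example self-contained.)
  creationOptions(userId, challenge) {
    const creds = this.byUser.get(userId) ?? [];
    return {
      challenge,
      rp: { name: "example-rp" },
      user: { id: userId, name: userId, displayName: userId },
      pubKeyCredParams: [
        { type: "public-key", alg: -7 },   // ES256
        { type: "public-key", alg: -257 }, // RS256
      ],
      excludeCredentials: creds.map((c) => ({ type: "public-key", id: c.credentialId })),
      authenticatorSelection: { residentKey: "required", userVerification: "required" },
    };
  }

  // Account-management view: every passkey on the account with its label.
  list(userId) {
    return (this.byUser.get(userId) ?? []).map(({ credentialId, deviceLabel }) => ({
      credentialId,
      deviceLabel,
    }));
  }

  // Remove one passkey (for example a lost device) without touching the others.
  revoke(userId, credentialId) {
    const creds = this.byUser.get(userId) ?? [];
    const idx = creds.findIndex((c) => c.credentialId === credentialId);
    if (idx === -1) return false;
    creds.splice(idx, 1);
    this.byCredential.delete(credentialId);
    return true;
  }

  // Sign-in: map the asserted credential id back to its account and apply the
  // WebAuthn signature-counter rule. A counter that fails to increase on a
  // device-bound credential can indicate a cloned authenticator; synced
  // passkeys commonly report 0, in which case the check is skipped.
  authenticate(credentialId, reportedSignCount) {
    const userId = this.byCredential.get(credentialId);
    if (userId === undefined) return { ok: false, reason: "unknown credential" };
    const rec = this.byUser.get(userId).find((c) => c.credentialId === credentialId);
    if (reportedSignCount !== 0 || rec.signCount !== 0) {
      if (reportedSignCount <= rec.signCount) {
        return { ok: false, userId, reason: "sign count did not increase (possible clone)" };
      }
      rec.signCount = reportedSignCount;
    }
    return { ok: true, userId };
  }
}
```

Usage: register the first device, call creationOptions for the same account from a second device, and register the credential that comes back; list shows both, revoke removes one. With `new PasskeyRegistry({ maxPerUser: 1 })` the second register call throws, which is exactly the experience the text describes on sites without many-to-one support.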

Aad Kayat also noted that having major platforms like Apple, Google, and Microsoft perform their own cross-device synchronization of passkeys takes pressure off sites to improve their passkey implementations. However, this approach can also limit the potential for innovation and improvement in passkey security.

Overall, Aad Kayat's discussion highlights the importance of addressing the challenges associated with passkey implementation and ensuring that users have access to secure and compatible solutions. While there are no easy answers or universal standards yet, using third-party password managers like 1Password or Bitwarden can provide a practical solution for managing passkeys across multiple devices.

---

Leo Laporte's Introduction

Leo Laporte, host of the Security Now podcast, introduced the conversation with Twi Aad Kayat from Riyadh, Saudi Arabia. He welcomed listeners to the show and encouraged them to tune in for the full discussion.

For those interested in hearing the complete conversation, Leo Laporte provided a link to the website twit.tv/sn, where they can access the entire episode of Security Now. Listeners can also subscribe to the podcast on their favorite platform.

---

Conclusion

The discussion between Twi Aad Kayat and Leo Laporte highlights the complexities and challenges associated with passkey implementation and security. While there are no easy answers or universal standards yet, using third-party password managers like 1Password or Bitwarden can provide a practical solution for managing passkeys across multiple devices. As users continue to navigate the evolving landscape of passkey security, it is essential to address these challenges and advocate for improvements that prioritize user safety and convenience.