Influence of Passkeys on this project #210
Replies: 1 comment 2 replies
Hey @lmarschall, thank you for asking this. First off I converted it from an Issue to a Discussion topic, I think this'll be a better format for having this discussion.
Passkeys by and large have no huge impact on the use or functionality of libraries like SimpleWebAuthn. The cloud synchronization, sharing with others, and other such new capabilities introduced by passkeys are platform-specific implementation details that are completely compliant with the WebAuthn spec. I'll continue to adapt the library to support new WebAuthn API functionality as it gets added to the spec, and try to simplify leveraging things like conditional UI in service to the mission I've created for myself when I created this library.
The primary benefits of passkeys are that users are way less likely to get locked out of their accounts. Before passkeys, users trading in their phones would see them get locked out of everything they'd used the phone to authenticate into. Now, though, signing into an iCloud account on a new device is sufficient to regain access. It's an incredible solution to the consumer account recovery story that WebAuthn historically lacked. To your point about "new account workflows", the FIDO Alliance presented a demo during RSA showing cross-device auth paired with a subsequent prompt to enroll the local platform authenticator. Imagine this subsequent enrollment prompt as a kind of "trust this device?" prompt that we often see when logging in. From that point on the idea is that the local platform authenticator gets used for subsequent authentications. Within the same ecosystem, a passkey gets synced across devices almost instantly, so subsequent authentications simply use the local biometric authenticator directly. We'll see websites experiment with the best way to coordinate a user's journey through these UX flows, and eventually start to see sites settle on a couple of common patterns.
One thing that caught a lot of people off guard was the announcement of the ability to share passkeys with people in your contacts list. The big question out of that is now: how can Relying Parties (read: back ends) best leverage passkeys for auth if there's now no guarantee of a passkey being tied 1:1 to a specific device, nor to a specific user?
Not exactly an issue, but I was wondering how we can benefit from this new effort of Apple, Google, etc., and if there are changes which have to be made to support this new feature.
As far as I know, these passkeys get synced on the device side and there should be no additional steps needed to make this work with the current implementation of this project.
But what kind of benefits could we get out of this? I was mainly thinking about the user device lost and new account workflows. Anything I'm missing?