https://futureofcoding.org/ logo
#devlog-together
Title
# devlog-together
g

guitarvydas

12/19/2023, 11:45 AM
aside: The whole issue of passwords and permissions is a huge UX issue that deserves a long discussion on of-end-user-programming. Users should be allowed to just use a device without being forced to answer a bunch of questions about technical issues and needing to keep a bowl full of anti-anxiety meds nearby. Imagine if my refrigerator required me to perform some ritual before allowing me to put my recently-bought lettuce into the crisper.
i

Ivan Reese

12/19/2023, 4:50 PM
Have you seen the work being done on Passkeys?
(Addresses passwords, doesn't address permissions)
k

Kartik Agaram

12/19/2023, 11:42 PM
I don't really understand them. Like, where do they lie on the spectrum between something you know and something you have?
a

abeyer

12/20/2023, 2:04 AM
Imagine if my refrigerator required me to perform some ritual before allowing me to put my recently-bought lettuce into the crisper.
haven't lived w/ a roommate? I recall those days, and would have killed for a password to keep my food mine 😛
i

Ivan Reese

12/20/2023, 2:06 AM
@Kartik Agaram purely something you have
a

abeyer

12/20/2023, 2:11 AM
Except isn't it also tied to your provider's account you control in most realistic scenarios too? Having some level of access to an account substitutes for having an actual physical thing. (this isn't strictly necessary, but seems to be how every consumer facing provider of them is keeping their grips on their customers)
i

Ivan Reese

12/20/2023, 2:16 AM
Oh yeah! Right. So yeah, you know your device password, and you have your device.
a

abeyer

12/20/2023, 2:23 AM
or you know someone else's account password and can activate your device on it! 😱
(that's a scenario I've seen people try to set up as soon as they got access to passkeys -- you can debate whether such sharing is a good idea or not, but you're not going to stop people from trying to)
So, for most people it reduces to "whatever level of security you have on your (Apple|Google) account, but no more"
k

Kartik Agaram

12/23/2023, 12:52 AM
Follow-up question: under what scenarios are passkeys better than oauth?
I think I understand. Oauth is a way to delegate user accounts to say google. Passkeys are a way to delegate auth to google independent of where the user account lives.
a

abeyer

12/23/2023, 12:56 AM
Not necessarily... passkeys aren't meant to or required to specifically provide delegation at all
But realistically 99% of users are going to get them and use them via the default support in android or iOS, which then ties to that account
In an ideal world a passkey could be tied permanently to a single hardware device, and backup/recovery be strictly out of band.. but that's not a feasible solution for the unwashed masses, so Apple and Google's implementations tie it to the service account so that you can migrate it to a new device
(at least that's my understanding of what they've announced... I don't have an iOS device at all and haven't specifically experimented with passkey on Android)
k

Kartik Agaram

12/23/2023, 1:19 AM
Now I'm thinking about this insight I had from a few months ago, which seems relevant: https://merveilles.town/@akkartik/109485586724177657 In general I'd trust Apple as a provider for this, but not Google.
a

abeyer

12/23/2023, 1:21 AM
One advantage here is that just using a passkey linked to a Google account doesn't necessarily have to grant any access to that account... The passkey itself is sufficient, and the account is just used to backup/restore/replicate it
Again I'm not familiar with the specific implementation, but I would expect that Google is totally out of the actual authentication loop and has no linkage either way with a third party service that just happens to use the key
k

Kartik Agaram

12/23/2023, 1:23 AM
That's a good point. Decouples authorization from authentication, as Ivan pointed out up top.
My toot is still relevant in a narrow way: there's always some chance of Google cancelling your account for opaque reasons with zero accountability. So to trust your passkey with them you'd have to really trust the backup/recovery flows. And that's always a challenge. Testing backup/recovery scenarios is annoying and time consuming. In general my prejudiced opinion here is that passkeys are another vector to keep us hooked on our big tech accounts. Which, I don't use anything Apple but I'd trust Apple with. But Google or something lesser like Github, forget about it. Just my opinion of course, as I'm trying to think about passkeys.
a

abeyer

12/23/2023, 1:30 AM
they don't have to be that way... the system was designed so it wasn't necessary to do that, but I agree that's absolutely how they're going to handle it from what I've seen
I really wish proper hardware fido/webauthn keys were just a little bit easier to manage yourself
...but that backup scenario that the tech giants can make easy is exactly the pain point in doing that.
2 Views