[upstream] wishlist: Passkeys should be supported

Bug #1989976 reported by Martijn H
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| Mozilla Firefox | Confirmed | Unknown | | |
| firefox (Ubuntu) | Confirmed | Undecided | Unassigned | |

Bug Description

Starting in 2022, the main big tech companies are introducing Passkeys.
Or, by the more official name, FIDO multi-device credentials.
Basically this is a WebAuthn login, but the private key is distributed among all the devices in a person's Google, Microsoft and iCloud account.

If a person wants to log in on a device not in the account, a QR code should be scanned, after which the computers do some cryptographic magic via Bluetooth. And the new device also has the private key.

This method is supposed to be a lot safer and more convenient than the usual passwords.

As far as I know this system is open.

My wish is that Ubuntu and Linux in general also will support this Passkeys thing.

Regards, Martijn.
See:
https://fidoalliance.org/multi-device-fido-credentials/
https://developers.google.com/identity/fido
https://developer.apple.com/passkeys/

In , Dirkjan Ochtman (dirkjan-ochtman) wrote :

I suppose this might be part of WebAuthentication level 3? While I'm aware that passkeys is the Apple marketing name, I was unable to find an existing issue in the tracker referring to this feature.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in firefox (Ubuntu):
status: New → Confirmed
In , Sphink (sphink) wrote :
In , R-mozilla (r-mozilla) wrote :

There is some useful info and further links at https://fidoalliance.org/passkeys/

Olivier Tilloy (osomon) wrote :

This is being tracked in this upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1792433.

summary: - wishlist: Passkeys should be supported
+ [upstream] wishlist: Passkeys should be supported
Changed in firefox:
status: Unknown → Confirmed
In , Jokeyrhyme-4 (jokeyrhyme-4) wrote :

There's a passkeys test application here for convenience: https://www.passkeys.io/

In , Clemence-e (clemence-e) wrote :

This would really improve my security on the internet. I hope it'll be delivered soon.

In , Ignisvulpis-t (ignisvulpis-t) wrote :

Synchronization from one Firefox to another on a different platform through Firefox Accounts?
Create a passkey on Firefox Android and use it with Firefox on Windows?

In , Jonathan-browne (jonathan-browne) wrote :

For macOS specifically, Apple has a restricted entitlement that grants full access to the system AuthenticationServices framework, which includes both physical security keys and passkeys via iCloud Keychain. There's some information and a link to apply for the entitlement at https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_web-browser_public-key-credential.

In , Mildred-bug-mozilla (mildred-bug-mozilla) wrote :

It seems Firefox implemented passkeys for Windows and macOS but lacks support for Linux, as shown in https://www.passkeys.io/compatible-devices

I don't quite understand what is so platform specific. Of course, integration in the native platform password manager is nice but not mandatory. Firefox already stores its passwords and can sync them with Firefox Sync. What's so different with passkeys and what's the status of this feature?

As a web developer if I can provide passkeys as the primary login method, this would be a great step forward, but it'd be better to have full browser compatibility.

In , Robert Townley (robertjtownley) wrote :

(In reply to Mildred Ki'Lya from comment #7)
> It seems Firefox implemented passkeys for Windows and macOS but lacks support for Linux, as shown in https://www.passkeys.io/compatible-devices
>
> I don't quite understand what is so platform specific. Of course, integration in the native platform password manager is nice but not mandatory. Firefox already stores its passwords and can sync them with Firefox Sync. What's so different with passkeys and what's the status of this feature?
>
> As a web developer if I can provide passkeys as the primary login method, this would be a great step forward, but it'd be better to have full browser compatibility.

PassKeys.io is really saying there is a workaround when they write ["Phone passkeys (QR code flow) and physical security keys only"](https://www.passkeys.io/compatible-devices). The private part of the passkey should never leave the device it was created on, so by design, it should not sync anywhere else. However, if you have a passkey on your cellphone or YubiKey but want to authenticate on your Linux desktop, then Bluetooth (or a USB cable) connected to your desktop should offer a workaround. It worked for me before, but I am not sure which Linux PC and which web browser on which Linux machine. If your Linux desktop has supported TPM hardware, then I do not see why it would not work. US DOD does it.

In , Bugzilla-y (bugzilla-y) wrote :

> The private part of the passkey should never leave the device it was created on, so by design, it should not sync anywhere else.

That's an interesting statement. Sounds plausible at first. But when that key is my entrance, how should I use my account from another device? Will I have to create a new account? If PassKeys are meant to be the primary authentication method, I'll still have to identify from the new device somehow. I don't understand how that should work without copying the key to other devices. Let alone non-technical people who are already overwhelmed by PassKeys. They'll probably not use it like that.

In , Robert Townley (robertjtownley) wrote :

The short answer is the analogy falls down a little here because these are master keys. Imagine you have one automobile - a ![1957 Chevy Bel Air](https://www.coyoteclassics.com/vehicles/766/1957-chevrolet-bel-air). You do not have a single Chevy key, but you do have keys for a 78 Mazda GLC, a BMW, and your house. None of those would work! But you try them and it is like magic, all three of these master keys unlock the 1957 Chevy Bel Air.

In , Robert Townley (robertjtownley) wrote :

(In reply to Robert Townley from comment #10)
> The short answer is the analogy falls down a little here because these are master keys. Imagine you have one automobile - a ![1957 Chevy Bel Air](https://www.coyoteclassics.com/vehicles/766/1957-chevrolet-bel-air). You do not have a single Chevy key, but you do have keys for a 78 Mazda GLC, a BMW, and your house. None of those would work! But you try them and it is like magic, all three of these master keys unlock the 1957 Chevy Bel Air.

[Cross-Device Authentication (CDA)](https://passkeys.dev/docs/reference/terms/#cross-device-authentication-cda) allows your iPhone to vouch for your logon attempt on your Desktop because it is cabled to it or within Bluetooth range.

About the time the pandemic arrived in the US, almost all Credit Cards had these chips on them. The contactless nature of these credit cards meant germs were not spread as much. The chip stores a private key. Effectively, TPM hardware in your desktop or laptop or iPhone has one of these credit card chips. The public key can travel all over the internet, but the private key should never ever leave the device it was created on.

In , Vicenteg98 (vicenteg98) wrote :

So, is it in the works, or is it planned to ever add support for this? Scanning a QR code?
