Passkeys are an emerging authentication method that promises to replace passwords with something both much more secure and easier to use. The credential is a per-site public/private key pair, so the server only ever holds a public key and nothing reusable or phishable is typed into a web page. They are built on the earlier FIDO2 and WebAuthn standards, but with a lot of polish around the user experience to make them suitable for widespread adoption. They are being heavily pushed by Apple, Google and Microsoft, and are already deployed (or, in the case of Windows, will be soon).
There are two major changes over older FIDO methods that make passkeys easier to use: platform authenticators and syncing.
The first way passkeys are easier is through platform authenticators. Instead of needing to go and buy a YubiKey or similar hardware token, you can use the device you already have. The private key is typically protected by a TPM, Secure Enclave or similar hardware-backed key store, but could in principle be held purely in software.
The other major improvement is that the private keys behind passkeys are synced between devices through the user's platform account (iCloud Keychain, Google Password Manager, a Microsoft account). This solves a major pain point of FIDO security keys and TOTP apps: the key you need is always present on all your devices. It also removes the worry about what happens if you lose or break a device, as the passkeys can be recovered simply by signing in to the account on a new one. The flip side is that the security of a synced passkey is then bounded by the security of that account and of the sync service's end-to-end encryption, rather than by a single piece of hardware.
While both of these things are wins for the user experience, they do require support from the platform itself. For platform authenticators there need to be APIs for applications (like browsers) that want to use an authenticator, and some program to act as that authenticator. On Linux today, browsers implement CTAP themselves and talk directly to USB security keys; there is no OS-level authenticator service for them to call. I could see gnome-keyring making a nice authenticator.
Linux doesn't have a central account to sync through, but in my mind the biggest drawback of passkeys is that they are only synced within each vendor's ecosystem. This could be resolved by using a separate cross-platform application with its own syncing mechanism (similar to most password managers today) as the authenticator. However, this depends on the operating system exposing an API that links authenticators with the applications wanting to use passkeys. I foresee an extension to the Secret Service API fitting nicely here.
I'd love to see passkeys gaining greater adoption going forward, in a platform-independent way. I would be interested to hear other people's thoughts on how they should be supported, and where to go to make it so.