Comment on Passkeys: One for all – or Microsoft against the rest?

Passkeys are more secure than passwords, but are limited by provider lock-in. Import/export functions could soon change this, says Jürgen Schmidt.


edited by c't


Passkeys are a rare stroke of luck in IT security. They make something much more secure, namely logging on to Internet services. Unusually, however, this does not make things more complicated, but actually more convenient for the user. Ideally, all it takes is a fingerprint or a glance at the camera, and without handing over any biometric data to the data-hoarding corporations. It's like winning the lottery. In theory at least; in practice the prize is smaller.

A commentary by Jürgen Schmidt

Jürgen Schmidt, aka ju, is head of heise Security and Senior Fellow Security at Heise-Verlag. A physicist by training, he has worked at Heise for over 25 years and is also interested in networks, Linux and open source. His current project is heise Security Pro for security managers in companies and organizations.

The biggest stumbling block on the way to the main prize so far is vendor lock-in: Passkeys live in the ecosystems of the major providers Apple, Google and Microsoft. Within these ecosystems, they are also automatically synchronized across device boundaries: My passkey for service XYZ created on my iPhone also works almost immediately on my MacBook. I can log in there immediately with a fingerprint (which, by the way, is only used locally). But if I want to log in to XYZ on my Windows workstation, I'm out of luck. That is simply not provided for.


But there are signs of improvement: Apple is officially introducing functions for importing and exporting passkeys, which should make exactly that possible. This is also not a solo effort, but is embedded in an initiative of the FIDO Alliance, which has created the necessary standards for this with the Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF). And Google is apparently also already building import/export functions for passkeys into Android. Even if there is no official timeline yet – that is a good sign.

Once again, only Microsoft is missing. They have already lagged behind several times when it comes to passkeys – for instance with the promise to synchronize them only end-to-end encrypted, so that no copy ends up at Microsoft. But given that they also need integration with Android and iPhones, I don't think they'll be able to resist. Right, Microsoft? Or not?


(ju)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.