Pocket ID: Easy Passkey Authentication

24 points by abnercoimbre a day ago on lobsters | 8 comments

bugsmith | 22 hours ago

I'm sure there are flaws to the passkey-only approach, and I know there are flaws to passkeys themselves (mostly the unintended vendor lock-in of people using the keychain of their iPhones, for example), but I love Pocket ID.

I use it across the majority of the services I self-host, and it makes authentication for my family a breeze. I love that I can set up a new service, and if it supports OIDC, my family don't even think about it; they just click 'Login with Pocket' and they're off to the races.

Superb bit of kit.

ubernostrum | 21 hours ago

I'm sure there are flaws to the passkey only approach

Reading the documentation, it's not a "passkey-only" approach, it's passkey with magic link as a backup/recovery option.

[OP] abnercoimbre | 21 hours ago

Could we expand on the risks with, say, US law enforcement compelling us to use our passkeys? I seem to remember they can’t force you to utter your password, but if you have iPhone Touch ID then they can make you use your thumbs.

ubernostrum | 21 hours ago

If someone can force you to perform biometric auth, they can use that to force you to auth to your password manager (which likely integrates with the device's biometric authentication system), and then copy the passwords out of there. Since this possibility exists with both passkeys and passwords when gated behind biometric authentication, passkeys do not introduce a new threat.

Or phrased another way: if your concern is "someone will force me to do biometric auth to get access to something gated behind it", then you should probably avoid anything gated behind biometric auth, or take steps to mitigate the risk from being forced to perform biometric auth.

iinuwa | 20 hours ago

Agreed. To add to that, passkeys are not directly tied to biometrics. First-party passkeys (iCloud Keychain on Apple devices and Google Password Manager on Android) use OS access controls, which may include biometrics but always include a device PIN. (Third-party credential managers, like Bitwarden and 1Password, may also use the same OS access controls, or may implement their own.)

So you can use passkeys entirely without biometrics.

yawaramin | 17 hours ago

You don't need biometrics to use passkeys; you can use a PIN code too.

oliverpool | 15 hours ago

Pocket ID looks very appealing, but I don’t think it underwent any security audit yet (the main contributor depicts himself as “learning software engineering”…)

klingtnet | 8 hours ago

Very "brave" to do the initial Pocket ID setup after making the instance publicly available to the internet.