https://www.smokingonabike.com/2025/01/04/passkey-marketing-is-lying-to-you/
Did anyone deeply study the benefits of Passkey? Are they real? If so, for cross-device auth, can we swap the "Big Tech Magic" with Nostr?
The thing about passkey is the private key is meant to be un-extractable. It can be passed to keychain or google's alternative, but it can't be pulled out from either (or from the device enclave itself).
That's seen as one of the biggest benefits of passkeys for a lot of applications. But for Nostr you can't really do that, even if you wanted to create an un-extractable nsec to mimic passkeys. One reason is the iOS device enclave doesn't support generating keys with the k curve.
Thanks for the details.
I meant to use Nostr just to do the cross-device stuff, I wasn't think how to generate and store the key in the first place. Maybe something like nostr:npub180cvv07tjdrrgpa0j7j7tmnyl2yr6yr7l8j4s3evf6u64th6gkwsyjh6w6's FROST bunker can help.
But I'm not really sure that passkey's advantages are so strong that it is worthwhile. I should look into it further.
Ah yeah, beyond the un-extractable private key thing and the wide support, there's nothing really special about passkeys.
For cross-device stuff, IMO decentralised TEE cloud is the way to go, over FROST bunkers. Much much better UX. It's like nitro enclaves but decentralised.
We use https://phala.com/dstack for some related things and it's good. The problem there is that many people here will get upset that it uses a blockchain that's not Bitcoin. Even though you need a blockchain to orchestrate the TEEs, and Bitcoin doesn't have the functionality, and nostr clients would only ever interact with the TEEs and not the chain, etc etc.
nostr:npub1l3cgtsurhfchg4cyhhqudm70074sr96srhje330xc5m6czej5n9s9q6vs2 has some ideas of how to use passkeys in a smooth cross-app syncing flow. I don't know all the details and I'm not 100% sure it works, but it may work pretty well for some users.
Aside from that (which in my understanding is basically a way to abuse Google and Apple syncing mechanisms, not really the "passkey" technology), yes, I agree with DHH and I think passkeys are a dystopic solution created by a cabal of evil corporations with the intention of locking up users and they don't actually solve anything as for most traditional apps they cannot ever replace passwords fully and they still rely on other authentication methods for recovery (i.e. an email address, preferably hosted at @gmail and tied to a phone number) so it's just making things worse in all fronts and I hope they die soon.
Yes, I'm gonna use passkeys to help simplify nostr key management when accessing nostr apps. The nsecs will be importable/exportable. All the pieces are almost in place to put it online for everyone to test. I just need to go back to drinking coffee or someone to whip my back.
Passkeys have become better with time. We don't need Apple/Google/MS/some-linux-distro-support anymore. E.g. Bitwarden (can be self-hosted) has a browser extension and native apps, supports passkeys and syncs keys across devices no matter the OS.
Nice one.
Are the Bitwarden passkeys bound to one site/app, or usable across them all?
Are you using PRF derived keys like https://github.com/ocknamo/nosskey-sdk ?
That's interesting. We looked at the software-vault option for a related thing some time back (B2B use case, not Nostr keys) but the issue we hit is when any app requests the creation of a passkey on iOS, it's up to the user to decide where to store it, the app has no control over that, cannot force the user to a specific provider (I guess FIDO mandated). And pretty much every time user goes with hardware passkey and keychain.
Is there now some way to influence that choice besides simply telling the user what to set up and choose beforehand?
