Pass and Fail

30 Jun 2024

Passkeys seem like a good idea in practice, offering a potent combination of being both more usable and more secure than traditional authentication approaches. However, as has been pointed out many times elsewhere, current implementations fall short of this promise. For those of us who are already using robust authentication, they can make matters worse.

About five years ago, I decided to get a Yubikey as a way to improve the security of my online accounts, both personal and professional. At the time, I was mainly using a 2013 MacBook Pro, so I went with a USB-A version. The first generation of Retina MacBooks Pro were great machines, and it served me well for a long time (allowing me to skip over the butterfly keyboard fiasco entirely), but eventually it came time to upgrade to something more modern. For the last few years, I’ve been using an M1 MacBook Pro (another great generation). I quickly switched most of my portable cables and accessories over to USB-C, but was still carrying around an adapter for the Yubikey. This week, I finally got round to getting a Yubikey 5C NFC.

My problem came when I came to add this to my AWS IAM accounts. The plural is significant; at work, I have seven distinct users across multiple AWS accounts[1]. 1Password and Firefox Multi-Account Containers make wrangling this manageable, and crucially the same hardware MFA token can be used for different users. Unfortunately, when I tried to add the new Yubikey to the user, there’s now a single option covering “hardware MFA token or Passkey”, and Firefox is very eager to steer you towards the latter.

Fair enough, I thought — as long as the functionality is the same, I don’t mind them using a more recent standard to provide it. However, as I went through the process, it became apparent that sharing Passkeys across multiple identities on the same website is not straightforward. One user would work, but the other would hang on the MFA screen when trying to log in. It seemed like there was some kind of persistent session confusing it, but it’s far from clear. It’s also not clear to what extent the issue is with macOS’s implementation of Passkeys, Firefox’s integration with it, or AWS’s use of them. Wherever the issue is, though, it breaks my day-to-day workflow.

After a bit of experimentation, I managed to work around the problem by going to about:config and setting security.webauthn.enable_macos_passkeys to false. This allowed me to add the new key as an old-fashioned MFA token, and everything works as it did before. Once the key is added, you can set that setting back to the default true, if you want to use Passkeys in other contexts.

To end on a positive note, another change that AWS has introduced in the years since I got my first Yubikey is the ability to add multiple MFA methods for a user. This is useful for backup, and also means I can leave my old key plugged into my desktop setup, and avoid fishing about in my pockets when I’m working at home. A device-based Passkey would be another good addition to this setup, as long as it actually did the job.

I remain pretty optimistic that Passkeys will ultimately be a step forward in an area that’s increasingly important. However, my experience over the last few days confirms what I’ve heard: it’s early days, and there’s a lot of work still to do.

[1] Our AWS setup predates more modern solutions like IAM Identity Center; at the time multiple, distinct accounts were best practice. At some point we’ll rationalise this, but the setup works for now.

This site is maintained by me, Rob Hague. The opinions here are my own, and not those of my employer or anyone else. You can mail me at rob@rho.org.uk, and I'm @robhague@mas.to on Mastodon and robhague on Twitter. The site has a full-text RSS feed if you're so inclined.

Body text is set in Georgia or the nearest equivalent. Headings and other non-body text is set in Cooper Hewitt Light. The latter is © 2014 Cooper Hewitt Smithsonian Design Museum, and used under the SIL Open Font License.

All content © Rob Hague 2002-2024, except where otherwise noted.