• I wanted to find a way to use Passkeys for WP Admin login, and found this.

    There are far too many convoluted, mysterious (i.e. no idea what it’s doing) steps to set up, including registering for a developer account on their site, creating a ‘realm’ (whatever that is), creating an ‘app’ with loads of different options (none of which I’ve any clue what they do).

    Once set up, I found it doesn’t use the built-in macOS/iOS Keychain Passkey support or 1Password’s Passkey support I wanted; it redirects you to a Beyond Identity web page to log in through. At no point did the macOS or 1Password Passkey interfaces appear.

    I want to be 100% sure my Passkeys are stored securely on my devices and after 45 minutes of faffing about trying to work out what was going on, I gave up.

    I installed the WP-WebAuthn plugin instead and had it set up in about a minute, working exactly as I wanted with macOS/iOS and 1Password directly, and no third-party accounts or servers involved.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Anna Garcia

    (@annagarcia)

    Hi @feisar,

    Thanks for your feedback. I’m sorry you found this confusing. The passkeys we implement are called “Universal Passkeys” which are specific to Beyond Identity and have two benefits over vanilla FIDO2 passkeys:

    1. They never ever leave the device on which they are created. This makes them much more secure.

    2. They work everywhere. Some browsers (Firefox) do not support passkeys. Universal Passkeys work everywhere, even on Firefox.

    Soon we will enable vanilla FIDO2 passkeys so that you’ll be able to choose between the two flavors of passkey. Those FIDO2 passkeys will work with 1Password and the built-in macOS/iOS Keychain.

    The application in the Beyond Identity console provides the configuration the OIDC server needs. You can view authentication events and even customize the logo and colors of the Beyond Identity page in your developer console.

    Would you be willing to hop on a feedback call? Our team would love to speak to you! Please email us at nikhil.khare@beyondidentity.com 

    Also, if you ever have any developer-specific questions, we are happy to answer those in our Slack channel.

    Thread Starter feisar

    (@feisar)

    Hi @annagarcia

    Thanks for taking the time to respond to my comments.

    From my perspective it is misleading to label non-standard Passkeys that are unique to one provider as “universal”. Not leaving the device they are created on is a drawback for the end-user, not a benefit. The whole industry (including Firefox) is working together towards “multi-device FIDO credentials” that you’ll be able to use anywhere, on all your devices, with cross-browser, cross-platform, cross-password manager sharing coming in the future, and yet you’re creating different ones that are locked into just one company – that seems like a backwards step.

    I was looking for a simple, seamless solution using the system-provided Passkey support (my only choice being whether to sync them between devices using iCloud or 1Password) that stores my Passkeys on my devices. With Beyond Identity I have no idea where my Passkeys are stored, but the fact I can ‘see’ them in your developer console, authentication happens on your servers, and you say they’re available ‘everywhere’ suggests they’re stored on your servers. That’s not what I want. Maybe your offering has benefits for large organisations/enterprise users, but for my needs it is over-complicated and overkill, I’m afraid.

    Plugin Author Anna Garcia

    (@annagarcia)

    Thanks again for sharing your perspective! This feedback and context is helpful for us in improving our product.

    Beyond Identity is a FIDO2 Board Member and our platform is FIDO2 certified. Our intention with this capability is to allow our users to extend FIDO2 to scenarios where security and visibility into the passkey is desired. What we’ve heard is many customers are concerned about the syncable nature of FIDO2 multi-device passkeys because it no longer provides the device-bound guarantees passkeys can provide.

    We are excited to share we will be releasing an option to configure FIDO2 multi-device passkeys in the near future and would love for you to check it out.

  • The topic ‘Far too complicated and mysterious’ is closed to new replies.