How do Apple PassKeys compare to SQRL?

[jpmh]

Apple is announcing PassKeys this week, coming to their platforms this year, and it looks to have some similar capabilities & features to SQRL. I hope someone following the developer news this week who also has deep knowledge of SQRL could compare & contrast them for the forums.

 

[PHolder]

PassKeys is part of an overall push for FIDO [2]. FIDO has its own benefits and challenges... losing a physical key is much easier than losing a software one... and needing more than one means every site needs to allow a user to have multiple. (Not that SQRL didn't face this challenge too, and invented an optional solution for those few sites and services that need it.) The biggest difference between the two is who is support what... SQRL is still challenged by not having garnered any support.

 

[Paul F (1)]

Coincidentally, in this week's Security Now!, Steve talks about this. You can watch or listen to the podcast on TWiT starting at 1:17:50:
https://twit.tv/shows/security-now/episodes/874
or read the basics from the show notes starting on page 9:
https://www.grc.com/sn/SN-874-Notes.pdf

 

[Dave]

Coincidentally, in this week's Security Now!, Steve talks about this. You can watch or listen to the podcast on TWiT starting at 1:17:50:
https://twit.tv/shows/security-now/episodes/874
or read the basics from the show notes starting on page 9:
https://www.grc.com/sn/SN-874-Notes.pdf

There is also the AI generated transcript and transcript (which does not say it is AI generated).

 

[PHolder]

which does not say it is AI generated

Definitely not AI. Her name is Elaine Farris (sp) and she manually transcribes each episode for Steve.

 

[Steve]

... And I talked about it again, this (#875) week.

I think that I finally made the differences between SQRL and FIDO2 (passkeys) much more clear: FIDO2 is a replacement (a very good replacement) for traditional username/password logon. With FIDO, rather than the user and a website needing to share and keep secrets, only the user needs to keep secrets. SQRL provides that as well, with a similar security level. But SQRL additionally goes much farther to address many other common needs, edge cases and recovery for practical remote account access.

 

[Spinn]

This is the part that give me hope:

But WebAuthn is the key. It provides a complete replacement for the insecure mess of usernames and passwords. And, interestingly, WebAuthn optionally supports SQRL’s chosen 25519 elliptic curve, with its special properties that allow for non-random deterministic private key synthesis. So it might be possible, someday in the future, to transparently run a modified SQRL solution to use SQRL-style deterministic passkeys on the server infrastructure that FIDO built.

 

[Jeffa]

... And I talked about it again, this (#875) week.

FWIW @Steve I certainly see a direct correlation between you mentioning SQRL in the podcast and activity here and in my little dev community.

You talking about SQRL with your audience really helps even if your focus is, rightly, elsewhere.

Even if you only find a few minutes to speak about SQRL now and again on the podcastI am sure it will help keep it in the minds of the right people.

 

[Steve]

FWIW @Steve I certainly see a direct correlation between you mentioning SQRL in the podcast and activity here and in my little dev community.

You talking about SQRL with your audience really helps even if your focus is, rightly, elsewhere.

Even if you only find a few minutes to speak about SQRL now and again on the podcastI am sure it will help keep it in the minds of the right people.

That's good to know and hear, Jeff! Yay!