[Linux-aus] ART FOI review - myGov Code Generator app source code
Jonathan Woithe
jwoithe at just42.net
Sun Dec 7 14:36:46 AEDT 2025
On Sun, Dec 07, 2025 at 11:28:13AM +1100, TMC via linux-aus wrote:
> "passkey" is a FIDO2 standard compliant (see
> https://fidoalliance.org/passkeys/ ) cryptographic based authentication
> method.
Yes, that.
Unfortunately, at least as I understand it[1], passkeys are inextricably
linked to the browser they were set up in and the key store applicable to
the OS used. This makes them awkward to back up with the same ease that
applies for ssh keys for example (which are vaguely similar in operation I
believe). The workaround I've heard of for Linux (which doesn't have a
single standard trust store framework) is to set up an emulated hardware
token, but that seems way too complicated for a system (passkey) that is
meant to be simple. It's a bit like the hoops mentioned earlier that are
needed to obtain a mygov OTP key, which include the need to register with
the official app.
It really shouldn't be this hard.
If the mygov code generator source was available it would allow interested
parties to address the issues noted.
I do wonder how long the code generator will remain in use for, since mygov
is trying hard to shift people onto passkeys or myID (the latter which
suffers from exactly the same problems that beset the code generator).
Regards
jonathan
[1] I'm more than happy to be corrected if my understanding is not correct.