[Linux-aus] ART FOI review - myGov Code Generator app source code

Russell Stuart russell-linuxaus at stuart.id.au
Tue Dec 9 22:08:07 AEDT 2025


On 7/12/25 13:36, Jonathan Woithe via linux-aus wrote:
> Unfortunately, at least as I understand it[1], passkeys are inextricably
> linked to the browser they were set up in and the key store applicable to
> the OS used.

My understanding is web sites that say they accept Passkeys should 
really say they accept FIDO2. A passkey is just a FIDO2 key that is 
stored in a particular way. The web site on the other end doesn't 
typically care (or know) what storage method is used - a passkey, 
hardware token, or something else. They just talk to a browser, and the 
browser talks to the backend store using the CTAP protocol, which runs 
over USB, Bluetooth, NFC, and some internal software API for passkeys. 
The storage layer is pretty well hidden (attestation notwithstanding).

If you ignore the "where is it stored" issue, FIDO2 keys are near 
perfect. They are stronger than any practical password, can't be 
phished, can't be forged, are near impossible to steal, and they can't 
be tracked (meaning two web sites can't tell you are the same person 
merely because you used the same FIDO2 key to log in).

All forms of FIDO2 storage I know of have their issues which have made 
me avoid them until now, but I am tempted by this:

  
https://www.token2.com/shop/product/token2-pin-bio3-fido2-security-key-with-biometric-authentication

The firmware is open source and isn't upgradeable (meaning it's immune 
to Australia's Assistance and Access Bill, 2018), has a fingerprint 
reader so someone else can't just pick it up and use it, has both USB-A 
and USB-C, and stores other credentials besides FIDO2 keys such as 
OpenPGP keys and TOTP keys. You can't actually buy it but I guess that 
will change (the first run which went on sale in June sold out very 
quickly). You can use it with Firefox running on Android and a Linux 
Desktop, and I'm guessing every other platform that supports passkeys.

On the downside, if you lose a hardware FIDO2 key like this, you've lost 
all your web logins. The recommended "workaround" is to buy two, keep 
one in a place where it shall not be lost (like a safe deposit box), but 
nonetheless register both keys on every website you visit. That's 
totally impractical, of course, but that's your fault, not a fault of 
the FIDO2 standard. Apparently.

Passkeys solve that by storing a digital copy of the FIDO2 key that can 
be copied around, so for example if you lost your phone you haven't lost 
the passkeys it stores or the identities associated with it. The catch 
is you are not allowed to know the FIDO2 secrets stored in a passkey. 
Only big corporations like Google, Apple, and Microsoft are trusted with 
that information, and you can only store the passkeys on devices they 
approve of, which in practice means devices they control. For Apple, 
that's an iPhone, but not an Android phone (naturally). Those 
corporations reserve the right to cut you off from your passkey if you 
say or do something they don't approve of. The standard did make 
provision for moving passkeys between providers, but none of these big 
USA corporations have implemented it.

This gives me three choices for my ID:

1.  Use the Government MyGovID app. Downsides are it only runs on
     devices controlled by Apple or Google, and the app has forgotten
     the id stored for me 3 times (so far).

2.  Use a passkey that is owned and controlled by a USA corporation,
     that can deprive me of it at any time, and can only be used in
     conjunction with hardware they totally control. That means they
     could and almost certainly would hand over your identity to any
     government or entity from who knows how many countries that
     demanded them.

3.  Use a hardware token that I own and is under my control (sigh of
     relief). The downside is if I lose the token I've lost all my
     identities, unless I follow some procedure that borders on
     completely impractical.

None of the above are very appealing, but the last one is looking like 
the least worst option.
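The two FIDO2 properties the post relies on, that a site only ever sees a public key that is unique to it (so two sites can't link you) and that the browser, not the web page, writes the origin into the signed data (so a phishing site gets a signature it can't use), can be seen in a small simulation. This is an added example, not code from the post or from any FIDO2 implementation: a toy authenticator, browser and relying party in one Go file, with the authenticatorData layout simplified to rpID hash, flags and counter, and with hypothetical domain names (login.example, other.example, login.example.evil.example). Real browsers also refuse to use a credential whose rpID does not match the page origin; the server-side checks below are what catch the mismatch regardless.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator stands in for a FIDO2 token or passkey store (hypothetical
// simulation, not CTAP): one private key per credential, never exported.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey // credential ID -> signing key
}

func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}} }

// clientData holds the clientDataJSON fields used here. The browser, not the
// web page, fills in Origin, which is what makes the scheme phishing-resistant.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser hands back to the relying party on login.
type Assertion struct {
	AuthData       []byte // sha256(rpID) || flags || counter (simplified)
	ClientDataJSON []byte
	Sig            []byte // ECDSA-P256 over sha256(AuthData || sha256(ClientDataJSON))
}

// Register mints a fresh key pair for rpID; a distinct key per site is why
// two sites cannot tell they are seeing the same authenticator.
func (a *Authenticator) Register(rpID string) (credID string, pub *ecdsa.PublicKey, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	credID = fmt.Sprintf("cred-%d", len(a.creds)+1) // random bytes in a real token
	a.creds[credID] = priv
	return credID, &priv.PublicKey, nil
}

func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign models browser plus authenticator on login: the browser records the
// origin it is really talking to, the authenticator signs over it.
func (a *Authenticator) Sign(credID, rpID, origin, challenge string) (*Assertion, error) {
	priv, ok := a.creds[credID]
	if !ok {
		return nil, errors.New("unknown credential ID")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter 1
	cdJSON, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdJSON))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientDataJSON: cdJSON, Sig: sig}, nil
}

// Verify is the relying-party side: fresh challenge (no replay), expected
// origin (no phishing), matching rpID hash, valid signature under the registered key.
func Verify(pub *ecdsa.PublicKey, rpID, expectedOrigin, challenge string, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("challenge mismatch")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: signed for %s", cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(rpHash[:]) {
		return errors.New("rpID hash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth := NewAuthenticator()
	id, pub, _ := auth.Register("login.example")
	good, _ := auth.Sign(id, "login.example", "https://login.example", "nonce-1")
	phish, _ := auth.Sign(id, "login.example", "https://login.example.evil.example", "nonce-1")
	fmt.Println("genuine:", Verify(pub, "login.example", "https://login.example", "nonce-1", good))
	fmt.Println("phished:", Verify(pub, "login.example", "https://login.example", "nonce-1", phish))
}
```

Registering the same authenticator at a second rpID yields an unrelated public key, which is the "can't be tracked" property; the private keys never leave the Authenticator, which is the "can't be forged" property; and the phishing assertion fails only because the origin the browser recorded is not the one the relying party expects, so the attacker gains nothing from relaying it.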
