
The final step is a key escrow authority that will store your private key and produce it to you if you can prove your identity with government ID. It is not enough to store in cloud storage (which Google, Apple, or someone else could deny you access to), or your own device you could lose or destroy (which is why backup hardware tokens are always recommended for U2F MFA); you need the ability (but not a requirement) to bind cryptographic identity to IRL identity.

Of course, one doesn’t need to utilize this, but you’re SOL without a recovery mechanism of last resort (unless individual sites and services have their own recovery processes to re-provision a user who no longer has access to their cryptographic credentials).



FIDO credentials have some baked-in assumptions about the cryptographic properties they were generated with, that an RP can use to reason about credential strength, and are designed so that unwrapped private keys are not handled outside of an authenticator device. These assumptions make it undesirable for sync fabric vendors to interoperate.

You are correct that a Passkey ecosystem has an inherent risk of being locked out of cloud storage / sync, and that a third party escrow system is a mitigation against that. But it's not sufficient. You'd end up with keys that could, at best, only be imported into authenticators of the same ecosystem you were denied access to, as Sync Fabrics are not interoperable. This is presumably not the outcome you're looking for.

I believe some sort of mechanism to assert credential strength at presentation time rather than generation time, and/or some sort of mechanism for TPMs/Secure Elements/Secure Enclaves to establish trust and import trusted credentials from a different authenticator vendor would be needed. This would allow vendors that don't control the hardware (i.e. are not Apple/Google/Microsoft) to build something like a "1Passkey" without having to implement their authenticators in software (i.e. a Virtual Authenticator), and you could keep your wrapped passkey store in escrow with any third party of your choosing.
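As an added example (not code from this thread or any vendor), here is how a relying party can reason about credential strength at presentation time from the authenticatorData that accompanies every WebAuthn assertion: the UP/UV flags, the backup-eligible/backup-state (BE/BS) flags that mark a passkey as synced, and the signature counter. The acceptance policy and the sample bytes are constructed for illustration; the flag bit positions and the 37-byte prefix layout are those defined by the WebAuthn specification.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bit positions in the WebAuthn authenticatorData "flags" byte.
FLAG_UP = 1 << 0  # user present
FLAG_UV = 1 << 2  # user verified
FLAG_BE = 1 << 3  # backup eligible: credential may live in a sync fabric
FLAG_BS = 1 << 4  # backup state: currently backed up / synced

@dataclass
class AuthData:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    backup_eligible: bool
    backed_up: bool
    sign_count: int

def parse_authenticator_data(data: bytes) -> AuthData:
    """Decode the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(data[:32], bool(flags & FLAG_UP), bool(flags & FLAG_UV),
                    bool(flags & FLAG_BE), bool(flags & FLAG_BS), sign_count)

def assess_assertion(data: bytes, rp_id: str, last_count: int,
                     high_value: bool) -> tuple[bool, str]:
    """Illustrative RP policy, evaluated per assertion rather than at registration."""
    ad = parse_authenticator_data(data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad.user_present:
        return False, "user presence not asserted"
    # A non-increasing counter hints at a cloned device-bound key; synced
    # passkeys legitimately report 0, so only enforce when the counter is used.
    if ad.sign_count != 0 and ad.sign_count <= last_count:
        return False, "sign counter did not increase"
    if high_value and not ad.user_verified:
        return False, "user verification required for this operation"
    if high_value and ad.backup_eligible:
        return False, "synced (backup-eligible) credential not accepted here"
    return True, "ok"

def make_auth_data(rp_id: str, flags: int, count: int) -> bytes:
    """Constructed sample authenticatorData for offline testing; no real authenticator."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", count)
```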


For the vast majority of services, there's no value or even negative value in binding my "identity" to some sort of government ID.

You accept Google and Apple might deny you access but then you just blithely assume the US Federal Government (for example) would never do so, which shouldn't pass the laugh test.

I can imagine it being valuable if my government wants to help get me back in to, say, my bank accounts if I somehow lost all my credentials (e.g. my home burned down suddenly but I somehow escaped with nothing). But I don't feel like my GitHub, Gmail, Patreon, etc. make sense in this context. If my friends can lose a phone every year or two and make a new god-damn account, I think "My home burned down and I have nothing" is a good enough reason.

Gitlab's attitude (for unpaid accounts) of "Too bad, just make another one" seems appropriate for almost everything. If tialaramex never wrote another HN comment, and instead tlrmx or tialaramex2 or whatever began posting, who would even care?


HN participants, for whatever reason, approach these challenges as “but this isn’t a problem I have.” You’re the builder (broad strokes and wild assumption), but there are far more citizens (hundreds of millions at least) who are simply consumers of these systems. They are your grandparents, your parents, your siblings, your children. Passkeys are rolling out internet wide to all sorts of critical services people rely on, and they’ll need a solution if they lose their cryptographic identity assertion, because you can’t always just create a new account when you lose access (either because data, finance, or authority is tied to that account). Loss of gitlab access is inconsequential compared to losing access to your email, your bank account, etc.


In the United States the US Postal Service would be a great fit for a job like this. They already have good infrastructure for identity verification and physical distribution.

I wouldn't want escrow of private keys, however. I'd rather the USPS just act as a certification authority that provides strong guarantees of identity verification.


Yes, definitely. USPS + Login.gov could act as trust anchors, with cryptographic keys reprovisioned upon proofing, versus storing them. I am open to whatever is the optimal balance between security and practicality.

https://www.uspsoig.gov/document/role-postal-service-identit...

> The Postal Service Reform Act of 2022 has recently expanded the Postal Service’s ability to provide identity verification to all levels of government. A window of opportunity is currently open for USPS to contribute to closing gaps in government identity verification processes.


Except that here in the US a non-trivial number of politicians of a particular persuasion[1] actually believe that government issued ID, of any kind, is the "mark of the beast". There's a reason that Real ID had a lot of push back. Having USPS, already a political bogey-man for that same crowd, become a holder of "identity" is probably going to face a lot of pushback.

[1] just one, recent example... https://www.al.com/news/2022/10/alabama-gop-chairman-made-th...


I can assure you that a lot more constituencies than just the Christian coalition are concerned about universal government-issued IDs as passports for online participation.


I think it's mostly because easily obtainable government ID will make it easy for Black and Latino people to register to vote, which means Republicans will never win any election ever again :)


because simple, easy-to-use ID lowers the barrier for demanding ID in more places and attacking anonymity. the easier we make it to demand id, the more people will demand it. wanna use a fake name/not divulge your identity? doing something politically sensitive where you may need some protection? just like your privacy? tough shit show your id or GTFO.


Shouldn't we instead solve the problem that you might "need some protection" because you're doing something political - instead of relying on security-through-obscurity which honestly doesn't even really work anymore, IDs or no IDs. There's so many other ways for governments to track people of interest these days.


i disagree with the assumption that it's a solvable problem. people remain fallible and the correct solution is to mitigate our downside by minimizing state power. not disagreeing with the idea that we also need to work on lots of other ways to reduce its power and ability to track people btw.


Pass it anyway. Happy to see them refuse to participate.


i don't want this because then more websites will start expecting strong identity verification. the last thing we need are more attacks on anonymity. at least with a private key i can say i'm joe biden or crazy horse or whoever. i may not be eligible for "government escrow" but who cares.


It's a double-edged sword for sure.

My bank is already regulated and required to have strong identity verification for some operations. They won't let me use any sensible multi-factor authentication, however. Requiring they use such a government mandated authentication infrastructure would be a major "win" for my peace of mind.



