This is huge! It sounds like they're finally going to implement cross-device synced credentials; a move I've been advocating now for the last two and a half years[1].
Widespread support for this feature is, in my opinion, the last thing needed to make WebAuthn viable as a complete replacement for passwords on the web.
I went through the white paper, yet still don't completely understand how it is supposed to work cross-device, granted I'm new to FIDO.
Let's say I have the same key synced between my laptop, smartphone and tablet. When I wake up in the morning, will there be a ceremony of unlocking my phone (standard non-FIDO way, I guess?), then unlocking my tablet from my phone, then the laptop from one of the unlocked devices? With some more costly backup process in case I only physically have one of the devices, I guess?
Sync in this situation means that the actual private key being used to sign in with the website is stored in a password manager as if it were a password, and the service vendor (iCloud Keychain[0] for example) is the one that syncs the key to other devices utilizing that password management service.
But this 'passwordless' trend is more about signing into websites. If they do implement signing into other devices, I don't think many people will do it (but it's possible; Windows Hello already allows you to sign in with a security key and disable signing in with the MSA password).
I think the other reply here might be missing something because while I have not read the whitepaper, the announcement touts these two benefits of deeper FIDO commitment:
> 1. Allow users to automatically access their FIDO sign-in credentials (referred to by some as a “passkey”) on many of their devices, even new ones, without having to re-enroll every account.
> 2. Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.
Point number 2 directly invokes cross-device, cross-platform authentication. It sounds like "you can use your iPhone or Android to sign into a website on your Windows PC" to me. Whether passkeys might actually sync between iCloud Keychain and whatever Microsoft offers seems unclear, but much less likely.
I get that, but I think OIDC could be extended to cover that too, where the authenticator or IdP is the local face scanner or other biometric and the rest, i.e. the exchange of tokens etc., stays the same. That way there won't be two completely separate paths, which would defeat the purpose of SSO, i.e. OIDC websites will authenticate with Google or Facebook but FIDO-enabled websites will work with face recognition. And it looks like there are already some implementations of this OIDC-enabled face recognition: https://www.bioid.com/facial-recognition-app/
1. You can use OpenID Connect as a protocol to integrate (via federation) with a site that provides authenticator management. This is AFAIK how most deployments work today - even if that OpenID Provider winds up being something you run or you pay to be run for you (AKA a CIAM solution).
2. There is an upcoming specification, Self-Issued OpenID Providers v2, which provides a redirection flow to an agent such as a native app or PWA. This does look a bit different from traditional OpenID Connect though, as each end-user is effectively their own issuer with their own public key pair.
Since the browser and platform will have integrated support for FIDO/WebAuthn tech, they may still provide a better experience for equivalent scenarios.
"Security at the expense of usability comes at the expense of security."
Technically yeah, device-bound keys are "more secure", but not if that results in people continuing to just use passwords instead because updating your credentials on dozens of sites every time you get a new phone or security key is too difficult.
Synced WebAuthn credentials are at least as secure as a properly-used password manager, way more usable, and a lot more secure than passwords, which is what they're replacing. Besides, there's still the option of using separate device-bound keys for situations where even higher levels of security are required.
The white paper is here: https://media.fidoalliance.org/wp-content/uploads/2022/03/Ho... Seems like they announced this back in March and I missed it somehow.
[1]: https://hn.algolia.com/?query=ajedi32%20webauthn&type=commen...