Add PassKey login

pixel

Hey all, I merged the created post with the existing one just to keep everything in the same place since we are tracking this specific feedback post internally.

I can say that this was not forgotten about, and we do plan to implement passkey support still.
It's just a big effort to implement with our limited team size & lack of libraries for our current backend language (Crystal).

I can't give any timelines or guarantees on when it will be coming, but I can say that we hear you 🙂

ivan_g

It would be nice to use USB security keys without using "passkeys" or anything else owned by Google, Microsoft, or Amazon. One of the reasons I switched to Kagi was to avoid dealing with corporate surveillance when I search for something on the Internet, and I think many people switched for the same reason. Unfortunately, the feedback thread about USB keys I started in April was merged with another thread about some "cloud" based authentication from Google, designed to track people across different sites...

Pictor

ivan_g passkeys aren't "owned" by Google or anything else. They are a technology which various companies (yes, including Google) have helped codify, and something they support. They can't track your passkey use for some other site.

Dustin

ivan_g https://fidoalliance.org/passkeys/

ivan_g

@Pictor @Dustin Sorry, I did not know Passkeys are based on FIDO standards.
Can it help enabling our existing hardware security keys, without having to buy new ones?
https://fy.blackhats.net.au/blog/2023-02-02-how-hype-will-turn-your-security-key-into-junk/

lord

ivan_g in my opinion it's not "hype". Sure, old keys don't support discoverable credentials (or don't allow to manage them) and Kagi should probably add an option to control it. But I find RK (aka residential keys or discoverable credentials) pretty useful -- it's the only way to provide fully usernameless (or emailless) flow. You just click "Sign-in using Passkey", enter PIN and that's it.

You cannot implement it without RK. In that case key can be used only for two scenarios:

2FA only as classic U2F token. Both username and password still required.
Using FIDO2/CTAP2.0, but without RK. In that case you will still need to provide username/email to identify you, but overall it will be "passwordless".

Preventing owners of newer keys from using the most convenient flow without even entering username/flow is dumb. It's not hype, it's technology that is improving and simplifying process even more.

Token2 sells FIDO2 Level 2 certified tokens for 22 euros with up to 300 passkeys (RK) storage. Which is insane. And you can manage them using standard tools like Chromium.

maurs

@Vlad have you considered attacking this (these) requests with an auth/sso provider? There seems to be a lot of clamor for scope-creep, which I would say is indicative of the problem space. Authentication is an industry unto itself and there are lot of solutions available.

maurs

@Vlad
Not sure where your knowledge level lies, so apologies for forum-splaining:

This is not an endorsement of this product, but have a thumb through the docs and maybe give a play.
https://docs.goauthentik.io/integrations/

Identity management providers do a "lot", but within this context - an authentication 'oracle' can do the heavy lifting when it comes to integration (and more importantly continued maintenance). Someone cries for microsoft id login? theres a plugin. Want support for (insert whatever passkey/yubi/totp/face-id/etc the news media has convinced your user base it needs)? Theres a supported plugin.

I say this as a hopeless and shameless over-engineer-er: punt THIS capability to a purpose driven platform. This thread will never end - the problem space is continuous and specialized.

Lazar

+1 While not a necessary feature, I find passkeys (and more specifically hardware/usb ones) to be super convenient.

maurs

Lazar

I'm not sure I agree. I kind of expect multifactor auth from all providers anymore, and issue extra points for good implementations.

Fria

Vlad
https://id.nfl.com actually implements passkey signup properly without requiring you to set a password. I might look for some more examples. Ideally the user should be able to completely ignore setting a password at all, as it’s more than likely going to be much weaker than the passkey.

More examples:
https://www.target.com
https://app.uninbox.com/
https://www.kayak.com/ This one is particularly good I think, a lot closer to the webauthn.io example.

Smst

This is essential! Here are some reasons I think so.

For something used as often as search and across devices, browsers, apps, and platforms, a way to login that is not cookie based or session based is crucial.

I understand that you have the magic login links but issues I see with that off the top of my head are

with cookies disabled no session gets established
OS, browsers, and other software presumably do more to protect passkeys than urls or browsing history
anything with search integration leveraging a devices default search setting would not require entering user/pass, a URL, or assume web session for cookie based auth is already established when popping an in app webview

Your own browser (Orion) supports passkeys, Your website should too! Plus you already have nonpasskey auth, so no one has to use it if it doesn't fit their use case. I love the token and magic URL approach too! But search is used so much in so many contexts, enabling a feature like this could be very powerful!

JuCos

I'd also love passkey support!

rghyhek

good one

Havok

Yes, please add passkey!

ten

Upvote for Passkey support 🙂

xx

This is a must considering Kagi Assistant exists and Kagi Mail is being worked on.

BeholdThePowerOfNod

It would be a nice feature to have.

Inkertus

I too would like to see Yubikey/passkey support so I can log in safely even if I'm on a less secure network setup.

« Previous Page