I just got the update on my phone on Google play, Firefox now supports 3rd party password managers for passkeys (on android 14+). Just tried it, and I got prompted with my 3rd party password manager, so it works!

  • Moonrise2473@feddit.it
    link
    fedilink
    arrow-up
    6
    arrow-down
    1
    ·
    4 months ago

    main issue for me is that i didn’t see any way to invalidate old passkeys. I tried them in a few websites like ebay but it looks like they are valid forever so if my device is compromised, the attacker has access to my account in perpetuity even if i change the password

    • Bitrot@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      9
      ·
      4 months ago

      You delete it from your account, that makes it invalid. Just like removing an entry from authorized_keys. If the site does this after changing the password or not is up to them.

      • Moonrise2473@feddit.it
        link
        fedilink
        arrow-up
        1
        ·
        4 months ago

        I mean, suppose that i save a passkey in my password manager, then because of my bad opsec someone else gets hold of it - if I delete it from my account, the attacker still has a copy and I have no way to invalidate it

        I checked again on eBay, there’s no “list of passkeys” even if I created 4 of them (one for each browser on each of my computer + one synced via password manager)

        • Bitrot@lemmy.sdf.org
          link
          fedilink
          English
          arrow-up
          6
          ·
          4 months ago

          eBay has implemented their passkey support poorly. “Turn off” will invalidate them. Most sites have a list of passkeys and you just delete the one you don’t want working anymore. At that point it doesn’t matter who has it, it’s useless.