Webauthn authentication (passkeys, security keys)

Where are we with this? I have several physical keys like the ones from Yubico, so can someone update me on the matter?

I think the main concerns voiced by a major development team member (Paulus) are related to people accidentally locking themselves out of their Home Assistant installation. If that concern could be addressed, maybe then they would add it.

I would love to read them because that makes absolutely no sense. It’s an authentication mechanism that uses tokens that are locked to what they authenticate so you can’t reuse them incorrectly.

There are no more concerns imho than a good password. If we’re concerned about lockouts with FIDO tokens we should be concerned about passwords too (and I’m not).

3 Likes

I agree. We need FIDO2 like yesterday. If someone can’t manage the hardware key, what stops them from forgetting their password? It’s pretty much the same, just much more secure!

2 Likes

This would be great, as long as it doesn’t only work with the closed Apple/Google/Microsoft implementations but also Yubikeys which have full webauthn support, and open passkeys implementations like Bitwarden. It should also support enrolling multiple keys for backup purposes.

Just saying this because it’s often forgotten, many web services like Paypal block full Webauthn if you’re not using the closed Apple or Google implementation, they only allow it as 2FA then.

I use Bitwarden and have the token for PayPal stored in my Bitwarden Vault, and I can get full sign in without any issues.

The Webauthn process is considered an industry standard as it was developed by the World Wide Web Consortium (W3C) which includes Google, Apple and Microsoft amongst its members. Ever since Internet Explorer rode off into the sunset, the industry has strived to be compliant with the W3C standards - and any type of proprietary or vendor-lock hooks are not permitted in the exchange (but the way those tokens are handled and stored within the browser or plug-in is up to each developer).

So if the HA devs get around to supporting WebAuthn and the FIDO2 tokens, it will be on that open industry standard, so there shouldn’t be anything to worry about.

1 Like

Are you using an older YubiKey (pre-FIDO2)?

I had a NEO where a few sites were like this, but they work with a 5 (because it has FIDO2, which is what WebAuthn passkeys need).

edit: NVM, PayPal is doing web compat badly and is blocking Firefox (and browsers based on it) from using passkeys.

1 Like

+1 to “Ideally this should be offered as an alternative to a password, instead of as an MFA method.”

Passkeys aren’t inherently MFA. Security relies on the password manager implementation – there’s no current web standard requiring hardware-backed storage or even that passkeys be multi-factor. OTP and other 2FA methods remain valuable. I recommend following Amazon’s approach: allow passkeys plus MFA, rather than GitHub’s attempt to use passkeys for both.

Passwords will likely remain necessary for the foreseeable future (in case you lose your phone with the passkey, etc.). Passkeys supplement passwords by providing a strong, easily-verifiable identity confirmation, effectively replacing the need to remember a long password and mitigating worry of phishing sites trying to steal your credentials. While secure hardware storage will be a great benefit eventually, password managers haven’t yet achieved this on all platforms.

+1 on this. Even the HA community software (Discourse) supports Passkeys (aka WebAuthn).

Passkey is becoming a standard nowadays. We need it in HA.

+1 it is a must-have

Back in Nov 2024, @balloob rejected github pull request 122725, which would have added passkey support, stating that “most users don’t know what passkeys are.”

Even back then, passkeys were already widely used, not just by technical users, but regular users. In May 2024, Google revealed 400 million users had passkeys enabled in their Google accounts. And in Oct 2024, Amazon revealed they had 175 million users logging in with passkeys.

But over the last year, many more companies that serve the general public have enabled passkeys. The growing list includes Walmart, Costco, TikTok, Snapchat, Playstation, Nintendo, the UK National Health Service, Albert Heijn, and SNCF (the French national railway).

In rejecting the pull request @balloob also said some of the “users that do (know what passkeys are), might not know the implications. If you store your passkey in Chrome password manager, you can now not login if you’re on another browser. I feel like it would lead to more, not less, people getting locked out.”

I recognize that one of the differences between the many big companies listed above and a local Home Assistant installation is that if you lose access to your Amazon or TikTok passkey, the companies can always email you a magic link and restore your access to your account. A Home Assistant server can’t do that. So perhaps that’s a reason to not make it too easy for users to enable passkeys for admin accounts. But given how many other features are available for power users in Home Assistant, this seems like a strange place to draw a line, particularly when the overlap between users of Home Assistant and users of multi-device password managers is probably extremely high.

In short, it would be really great if the developers could reevaluate the decision from 2024 to reject this pull request. Passkeys are so much better than passwords, from both a security and usability standpoint.

2 Likes

I actually agree with some of the reasons @balloob gave for rejecting the pull request, and he is still correct that users in 2026 do not understand Passkeys, and, more importantly, the implications of handling them. I have experienced this firsthand with friends and family, who set up passkeys, then deleted them, etc. Or didn’t understand the portability of their passkeys. It’s a fair point all around. However, I think it is a low-hanging fruit item for users who wish to use Passkeys - it’s more secure than sending passwords and cannot be phished. I’m sure we can just include warnings, or ensure a Passkey cannot be set up without a regular password already configured?

Thanks!
Glad this discussion is still alive and well.

2 Likes