{"id":2781,"date":"2025-12-04T19:31:46","date_gmt":"2025-12-05T03:31:46","guid":{"rendered":"https:\/\/self-issued.info\/?p=2781"},"modified":"2025-12-04T19:35:09","modified_gmt":"2025-12-05T03:35:09","slug":"my-unplanned-multi-platform-passkey-adventure","status":"publish","type":"post","link":"https:\/\/self-issued.info\/?p=2781","title":{"rendered":"My Unplanned Multi-Platform Passkey Adventure"},"content":{"rendered":"<p><span class=\"plain\"><a href=\"https:\/\/fidoalliance.org\/\"><img loading=\"lazy\" decoding=\"async\" width=\"136\" height=\"100\" align=\"right\" alt=\"FIDO logo\" src=\"https:\/\/self-issued.info\/images\/fido_logo.png\"><\/a><\/span>I am my wife Becky\u2019s password manager.  I keep all of her passwords (and mine) in an encrypted Excel spreadsheet \u2013 something I\u2019ve done since before password manager applications existed.<\/p>\n<p>Yesterday I had reason to log into her Amazon account to help her place an order for puppy food and encountered a surprise.  The password I\u2019d diligently saved in my spreadsheet (and which Firefox had also helpfully saved for me) didn\u2019t work.  Instead, Amazon told me the password was invalid and suggested that I log in with a passkey.<\/p>\n<p>So I asked Becky if she\u2019d created a passkey for Amazon.  She didn\u2019t know.  She looked in the passwords application on her iPhone, and sure enough, she had a passkey saved for amazon.com.<\/p>\n<p>I knew it <b>should<\/b> be possible to use the passkey on her iPhone from Firefox on Windows 11 to sign into amazon.com, but I\u2019d never actually tried it myself.  I work on this stuff after all, so I thought I\u2019d give it a go.  Here was my experience, to the best of my recollection\u2026<\/p>\n<ol>\n<li>When trying to sign into Becky\u2019s Amazon account in Firefox on Windows 11 \u2013 something I\u2019d done many times before, amazon.com told me that the password for Becky\u2019s account was invalid.  (It was the same password she\u2019d always had and she hadn\u2019t changed it.)  It then asked if I wanted to sign in with a passkey.<\/li>\n<li>Having confirmed with Becky that she had a passkey for amazon.com on her iPhone, I clicked the \u201cSign in with a passkey\u201d button.<\/li>\n<li>I was asked whether my passkey was in Windows Hello or on an iPhone or iPad or Android device.  I clicked the \u201ciPhone or iPad or Android device\u201d button.<\/li>\n<li>I was told to scan a QR code that Windows presented.  We scanned it with Becky\u2019s iPhone.  The iPhone asked a confirmation question about whether we wanted to release the passkey to another device (the details of which I can\u2019t recall).  I said \u201cYes\u201d.<\/li>\n<li>Apple (or maybe Amazon?) sent her iPhone a text message with a 6-digit code that we had to enter to confirm that we wanted to release the passkey.  We did that.<\/li>\n<li>Sometime during this process, Windows brought up dialog box that told me my Bluetooth was off and asked me if I wanted to turn it on.  I said \u201cYes\u201d and it helpfully took me to another dialog that let me turn it on.  I\u2019ll note that <b>it didn\u2019t explain why<\/b> I would want to turn Bluetooth on.  (I knew, because I worked on the FIDO Hybrid flow, but that makes me highly unusual.)  I suspect that to most people, that would be a mystery and probably a non sequitur.  Many might have said \u201cNo\u201d.<\/li>\n<li>Soon after that, Windows (or maybe Amazon?) asked me if wanted to duplicate the passkey to this device.  I said \u201cYes\u201d.<\/li>\n<li>And <i>voila<\/i>, I was logged into Becky\u2019s Amazon account in Firefox on Widows 11!<\/li>\n<li>At this point I decided to go for broke.  I logged out of Amazon.  And tried to log back in.<\/li>\n<li>After entering her e-mail address as the username, Amazon prompted me to log in with a passkey.  I did that, only this time no QR code was presented, we didn\u2019t use her phone at all, and I was apparently logged in using a passkey saved in Windows Hello.<\/li>\n<li>So I was once again back to a state where I could log into Amazon as Becky on my Windows machine in Firefox, just like I previously could with a password.<\/li>\n<li>This user experience left me with a question:  Was the passkey on her iPhone truly duplicated to Windows or did Amazon create a different passkey?  (I suspected the latter.)  Visiting the Your Account \/ Login &#038; Security \/ Passkey page at Amazon (which required entering another 6-digit code) gave me the answer:<\/li>\n<\/ol>\n<p><img decoding=\"async\" src=\"https:\/\/self-issued.info\/images\/Amazon_Passkeys.png\" alt=\"Amazon Passkeys\" \/><\/p>\n<p><b>Observations and Conclusions<\/b><\/p>\n<ul>\n<li><b>It all worked.<\/b>  I didn\u2019t know that it would \u2013 especially since it involved four vendors:  Amazon, Microsoft, Mozilla, and Apple.  That, in and of itself, was impressive.<\/li>\n<li><b>There were a lot of steps to navigate<\/b>, some of them unexplained.  I knew the right answers to make it work.  I wasn\u2019t deterred when I was told the password was wrong.  I turned Bluetooth on when prompted. I scanned the QR code.  I agreed to release the passkey to another device.  I agreed to duplicate the passkey to this device.  <b>Others might not have achieved the same outcomes.<\/b>  (I\u2019d love to see the results of a user study among a representative population trying to do the same thing.  Can anyone point me to something like that?)<\/li>\n<li><b>Congratulations to all the engineers<\/b> at all these platforms who have put in the significant effort to make this all work together!  It\u2019s a testament both to the <b>interoperability made possible by the standards<\/b> and to your implementations of them.<\/li>\n<\/ul>\n<p>I\u2019d be interested in hearing about others\u2019 passkey adventures.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I am my wife Becky\u2019s password manager. I keep all of her passwords (and mine) in an encrypted Excel spreadsheet \u2013 something I\u2019ve done since before password manager applications existed. Yesterday I had reason to log into her Amazon account to help her place an order for puppy food and encountered a surprise. The password [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,13],"tags":[],"class_list":["post-2781","post","type-post","status-publish","format-standard","hentry","category-fido","category-people"],"_links":{"self":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts\/2781","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2781"}],"version-history":[{"count":6,"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts\/2781\/revisions"}],"predecessor-version":[{"id":2787,"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts\/2781\/revisions\/2787"}],"wp:attachment":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2781"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2781"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2781"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}