Identity Is Who You Are
This is a compilation of a series of discussions I had with Dirk Balfanz. It is also based on things I learned from Dick Hardt.
TL;DR: Identity verification is not authentication. Passkeys are great. Use the former for sign-up and the latter for sign-in.
For the last couple of years, I have been asked some variation of "Sam, what's your opinion on passkeys?" in relation to OpenID/SAML and FedCM.
My answer has consistently been "I think it is a wonderful authentication mechanism, but it is not an identity mechanism".
You see, I subscribe to Dick Hardt's definition of identity: identity is who you are.
Who am I?
I am ____:
- Sam
- A husband, a parent and an engineer -- in that order
- A 40yo
- A Brazilian
- An engineer at Google
- etc.
Part of who I am is self-asserted (things I say about myself), part of who I am is issued (things that others say about me).
For example, Brazil asserts that I'm Brazilian, Google asserts that I'm their employee, and my city of birth asserts that I'm 40.
The part of who I am that is issued is also verifiable.
The great thing about who I am is that it is fairly durable: it doesn't change very often.
Because my issued identity is both durable and verifiable, it works really well for creating (and recovering) accounts online: for signing up.
My issued identity, however, is not very easy to carry around and present.
So, it is often useful to exchange my identity for something more portable, so that I don't have to carry my issued identity with me all of the time.
Cookies are the quintessential example of something that is very portable and ephemeral: they get carried on every HTTP request without any extra user gesture, and they expire at some point. Much easier than presenting my issued credentials every time.
I think there is a similar relationship with passkeys: they are great (dare I say, better) for signing in, but no number of passkeys can be thrown at the problem of verifying who you are, your identity.
For example:
- Because I am a Stanford student I can access a paper on nature.com
- Because I am a Google employee I can access corporate directories on figma.com
- Because I am a Twitter Blue subscriber I can read the nytimes.com
Obviously, your identity is not always necessary to use websites, so there are many occasions where you can and want to sign up with passkeys alone and operate anonymously on the web.
So, to sum up, I believe that WebAuthn and FedCM (and cookies, obviously) complement each other very nicely:
- Use federation for signing up (and account recovery), which happens rarely, and
- Use passkeys for signing in, which happens frequently (and cookies even more frequently).
It is the tension between durability and portability, and the exchange between affordances at different ends of that spectrum.
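To make that split concrete (a verified issued identity creates and recovers the durable account, a passkey only ever signs in to it, and a session token is the portable thing carried on every request), here is an added example of a relying party's account store in Go. It is not code from this post; the names (`RP`, `SignUpWithFederation`, `SignInWithPasskey`, the constructed issuer and subject values) are hypothetical. It assumes the issued-identity claims (issuer, subject, email) were already verified upstream, for example by checking an ID token's signature against the issuer's keys, and it models a passkey assertion as an ECDSA P-256 signature over a server challenge; real WebAuthn signs over authenticator data plus a client-data hash, which is omitted here to keep the identity-versus-authentication boundary visible.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Account is the durable record: keyed by an issued identity (issuer + subject),
// carrying zero or more passkeys that are only ever used to sign in.
type Account struct {
	ID, Issuer, Subject, Email string
	Passkeys                   map[string]*ecdsa.PublicKey // credential ID -> public key
}

// RP is a minimal relying party: federation creates and recovers accounts, passkeys
// authenticate into them, and a session token (the cookie value) is the portable result.
type RP struct {
	accounts   map[string]*Account // account ID -> account
	byIdentity map[string]string   // issuer|subject -> account ID
	byPasskey  map[string]string   // credential ID -> account ID
	sessions   map[string]string   // session token -> account ID
}

func NewRP() *RP {
	return &RP{map[string]*Account{}, map[string]string{}, map[string]string{}, map[string]string{}}
}

func identityKey(issuer, subject string) string { return issuer + "|" + subject }

func newToken(n int) string {
	b := make([]byte, n)
	rand.Read(b)
	return hex.EncodeToString(b)
}

// SignUpWithFederation takes issued-identity claims the caller has already verified (assumed
// here). Because the identity is durable, the same claims always map to the same account,
// which is exactly what account recovery needs after a passkey is lost.
func (rp *RP) SignUpWithFederation(issuer, subject, email string) *Account {
	if id, ok := rp.byIdentity[identityKey(issuer, subject)]; ok {
		return rp.accounts[id]
	}
	acct := &Account{newToken(8), issuer, subject, email, map[string]*ecdsa.PublicKey{}}
	rp.accounts[acct.ID] = acct
	rp.byIdentity[identityKey(issuer, subject)] = acct.ID
	return acct
}

// RegisterPasskey binds an authenticator's public key to an existing account.
func (rp *RP) RegisterPasskey(accountID, credID string, pub *ecdsa.PublicKey) error {
	acct, ok := rp.accounts[accountID]
	if !ok {
		return fmt.Errorf("unknown account %q", accountID)
	}
	acct.Passkeys[credID] = pub
	rp.byPasskey[credID] = accountID
	return nil
}

// SignInWithPasskey checks an ES256-style signature over the server's fresh challenge and
// exchanges it for a session token. Who the user is is not re-verified here.
func (rp *RP) SignInWithPasskey(credID string, challenge, sig []byte) (string, error) {
	accountID, ok := rp.byPasskey[credID]
	if !ok {
		return "", fmt.Errorf("unknown credential %q", credID)
	}
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(rp.accounts[accountID].Passkeys[credID], digest[:], sig) {
		return "", fmt.Errorf("bad assertion signature for %q", credID)
	}
	tok := newToken(16)
	rp.sessions[tok] = accountID
	return tok, nil
}

// SessionAccount resolves a session token to an account, as a cookie does on each request.
func (rp *RP) SessionAccount(token string) (string, bool) {
	id, ok := rp.sessions[token]
	return id, ok
}

// SignChallenge plays the authenticator (the passkey) for this example.
func SignChallenge(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

func main() {
	rp := NewRP()
	acct := rp.SignUpWithFederation("https://idp.example", "sub-123", "sam@example.test") // constructed claims
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rp.RegisterPasskey(acct.ID, "cred-1", &priv.PublicKey)
	challenge := []byte(newToken(16))
	sig, _ := SignChallenge(priv, challenge)
	tok, err := rp.SignInWithPasskey("cred-1", challenge, sig)
	id, ok := rp.SessionAccount(tok)
	fmt.Println("signed in:", err == nil, "session resolves:", ok && id == acct.ID)
}
```

The point to notice is which map each operation touches: only the federation path writes `byIdentity`, so a lost or replaced passkey never changes who the account belongs to, while the sign-in path reads `byPasskey` and writes `sessions` without ever consulting the issued identity.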