Comment What's wrong with Bluetooth security again? (Score 1) 195
I used to do Bluetooth snooping as part of my job (debugging Bluetooth firmware on an embedded device). All communications are encrypted (or should be, even if unencrypted comms are possible); the only time the connection is vulnerable is during pairing. You don't do that very often normally, but the "sniffer" that I used had to observe the pairing process in order to get the keys. It also needed the Bluetooth PIN (at that time, almost every device required one during pairing, but almost every device used something trivial). So if you can use a custom PIN, don't have your devices "discoverable" except when you need to do pairing, and do your pairing away from untrusted people and devices, I thought it was pretty secure, unless there are new exploits since then that I haven't kept up with.
I assume this passkey thing should be a public/private key scheme: the private key should be generated on the device and never disclosed, the communications are just transactions involving the key, and thus it would be hard to crack even if they were in the clear. Hopefully?
To get multi-device support, maybe that's kind of like gpg encryption with multiple public keys, so that the message can be decrypted by multiple receivers, each with their own undisclosed private keys. Or maybe not even that... if a user simply has a separate key pair for each device in use, and all the public keys are public, then any of the user's devices could do signing transactions that could be verified with the appropriate public key. Not sure if that's enough, and I haven't dug very deep into how the existing FIDO standards work.
AFAIK FIDO has been doing OK. But I do think it would be best if the "something you have" factor was a hardware key, not the same device that you are using to open a web site. I've gotten used to my YubiKey, it works fine for several purposes, but there are just not enough web sites that support it yet. So my main use case is to decrypt passwords stored with the pass utility, so that I can have unique random user/password combinations for each web site that needs one. (And those I sync with Syncthing. Except on the iPhone... the lack of file sharing between apps really bites there. On Android it worked fine.) I also use the YubiKey a lot for ssh and git push. Very rarely, I can use it to log into a web site. In theory, the NFC feature should make it possible on my phone, too. So I carry it on my keyring so that it's always available, and it has survived several years in my pockets that way, so far. This feels safer than relying on some inscrutable "pay no attention to what's behind the curtain" cloud service that automatically synchronizes passkeys, with the user expectation being that when (s)he uses a new device the keys will already be there... as the whitepaper says. That's the part I'd worry about, more than Bluetooth.
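The per-device key pair scheme the commenter sketches (a private key that is generated on the device and never leaves it, a web site that stores one public key per registered device, and a signing transaction that is safe to observe in the clear) can be shown end to end with a challenge-response flow. The following Go program is an added illustration written for this page; it is not the commenter's code, not FIDO/WebAuthn itself (which adds attestation, origin binding and counters), and the names `Device`, `RelyingParty`, `alice` and the device labels are constructed for the example. It uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device models one authenticator (a phone, a hardware key). The private key
// is generated on the device and is never exported; only signatures leave it.
type Device struct {
	Name string
	priv *ecdsa.PrivateKey
}

// NewDevice generates a fresh P-256 key pair for one device.
func NewDevice(name string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{Name: name, priv: priv}, nil
}

// Public returns the key the device hands over once, at registration.
func (d *Device) Public() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign answers a challenge. The signature reveals nothing about the private
// key, so it may travel over a channel an eavesdropper can read.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// RelyingParty is the web site side: it keeps one or more public keys per
// user plus at most one outstanding challenge per user.
type RelyingParty struct {
	keys       map[string][]*ecdsa.PublicKey // user -> registered device keys
	challenges map[string][]byte             // user -> challenge awaiting a reply
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{
		keys:       make(map[string][]*ecdsa.PublicKey),
		challenges: make(map[string][]byte),
	}
}

// Register adds another device key for the user; each device keeps its own pair,
// so losing or revoking one device does not affect the others.
func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) {
	rp.keys[user] = append(rp.keys[user], pub)
}

// Challenge issues 32 fresh random bytes. A new challenge replaces any earlier
// one, so a signature over an old challenge is no longer accepted.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if len(rp.keys[user]) == 0 {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// Verify consumes the outstanding challenge and accepts the signature if any
// of the user's registered device keys validates it. The challenge is deleted
// whether or not verification succeeds, so a captured signature cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) error {
	c, ok := rp.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(rp.challenges, user)
	digest := sha256.Sum256(c)
	for _, pub := range rp.keys[user] {
		if ecdsa.VerifyASN1(pub, digest[:], sig) {
			return nil
		}
	}
	return errors.New("signature matches no registered device")
}

func main() {
	rp := NewRelyingParty()
	phone, _ := NewDevice("phone")
	hwkey, _ := NewDevice("hardware key")
	rp.Register("alice", phone.Public()) // constructed user and devices
	rp.Register("alice", hwkey.Public())

	for _, d := range []*Device{phone, hwkey} {
		c, _ := rp.Challenge("alice")
		sig, _ := d.Sign(c)
		fmt.Printf("%s: %v\n", d.Name, rp.Verify("alice", sig))
	}
}
```

Two properties of the commenter's sketch fall out directly: nothing secret is transmitted at authentication time (only the one-time challenge and a signature over it), and adding a device is just registering one more public key rather than copying a secret between devices, which is the difference from a cloud service that syncs the private keys themselves.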