• SirEDCaLot@lemmy.fmhy.net
    link
    fedilink
    English
    arrow-up
    14
    arrow-down
    2
    ·
    1 year ago

    Last week or two I’ve been learning more about passkeys, and it makes threads like this seem ridiculously out of date. Given the choice between emojis and passwords and hard crypto, I’ll take the crypto.

    • Kusimulkku
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      I’m not sure what the passkey advantage over long unique password in a password database is.

      Well, KeepAssXC just got passkey support so I guess it doesn’t matter much

      • lemmyvore@feddit.nl
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        With passkeys, your browser and the website exchange a public-private key pair then make up long random one-time “passwords” every time you login but only use them to check they each still have the right key.

        • Kusimulkku
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          I guess I’m gonna need the answer spoonfed to me. I think I understand how the tech works but I don’t understand the advantage over a complex non-reused password. Maybe keyloggers, if it’s one-time thing?

          • coffinwood@feddit.de
            link
            fedilink
            English
            arrow-up
            4
            ·
            1 year ago

            The advantage - from my very incomplete understanding - is that your passkeys cannot be phished or stolen from you. So only you from your device can log-in to the site. Which leaves me with the question, how cross-device passkeys work.

            • ricecake@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              3
              ·
              1 year ago

              There are different ways.

              One way is to use an encryption module on the device that, rather than storing the keys just encrypts the keys and holds an encryption key that you can’t extract, and can do various crypto operations.
              Now you ask the module to do a secure key exchange algorithm with the new device, meditated by a party the module trusts, like apple or something.
              Now both devices share a secret key, and they trust that the other is owned by the same user because the owner verified with apple who then signed the exchange messages.
              Old device decrypts with the old key, and encrypts with the new key, never letting the data leave the secure module. Send the data to the new device which can do the reverse, and both devices forget the shared password.

              Overall, minor weaknesses like storing keys in the cloud encrypted by a key derived from a password that the cloud never sees, while objective weaknesses, are still significant net improvements to security over passwords.

              • coffinwood@feddit.de
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                Thank you for explaining. That’s a thing most sites leave out: tell people how the keys cannot be stolen while still working on a different device.

                • ricecake@sh.itjust.works
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  1 year ago

                  Big reason for that is the spec for how this all works being around for a while, giving people a lot of time to write about the core of how it works, but the viable popular implementations are far newer, so articles still haven’t been updated, and doing the key transfers is still one of the newest parts that the big vendors don’t want to talk about yet, because they still have to get their patents fully approved and everything.

                  What I described above is one way to move data between two devices in a secure way with a trusted intermediary to verify identity, but I have no idea if it’s how any major vendor actually does it, because they haven’t made that data public. It’s just what’s obvious to a sufficiently informed subject matter expert.

            • Kusimulkku
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              That would be a really nice advantage but yeah, I wonder how cross-device passkeys or recovery passkeys would work

          • ricecake@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            Passkeys, under the hood, use a way of proving your identity that doesn’t require you to actually send your password, and also doesn’t require you to send your username either.
            Because of how it’s implemented, the system managing the passkeys also gets to authenticate that the website is who it says it is.

            So no private data actually gets sent anywhere, but you can prove your identity while also checking the identity of the site you’re talking to, like the SSL lock icon but automated. It’s often implemented such that the device that holds they keys can’t actually have them stolen from it, and it’s integrated with a biometric sensor.
            This means it’s possible to have a high degree of confidence that the person logging in is physically the same person who created the credential, and not just someone who had their password stolen.

            The final perk, is that if you’re using something like a phone with a fingerprint scanner, passkeys work as two factors of authentication, despite only feeling like one.
            Because the phone verifies your identity via fingerprint (something you are), it can then unlock the key that is uniquely available to the phone (something you have).

            Combine that with being generally easier to use, and it’s pretty clear why most security experts are pushing them. Security that users will use is better than security they won’t, and finally we have easier to use security that’s also better than the more difficult options.

          • lemmyvore@feddit.nl
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            There are lots of advantages:

            • No need to worry about password encoding, like this emoji debacle for example. Actually there’s no need to worry about passwords in general anymore, no more worries about lenghts, encoding, character space, remembering them etc.
            • It eliminates that scam where attackers set up a site on a domain that looks like the correct one, because the domain is part of the protocol.
            • It eliminates phishing for 2FA because login only works on your device anyway and there’s nothing you can be tricked into giving away to an attacker.
            • If attackers break into a site and steal the public keys they can’t use them for anything.
            • Since the whole process is automated between servers and browsers and also standardized, it can be upgraded seamlessly and continously, you can upgrade the protocol, the key lengths, the encryption cyphers etc. with zero impact for the user. New upgraded versions can be distributed to both servers and browsers and they’ll just use the highest version they both have.
            • 2FA is a core part of the protocol, but again in a way that eliminates phishing: it’s basically a way to unlock access temporarily to one specific key in your key vault. You can use a master password, or an USB key, or TOTP codes, or biometrics (fingerprint or face) etc., but NOT cellular texts (SMS) anymore because the vault stays on your devices, no need for another party to send you anything.
            • Syncing your vault online and over multiple devices, as well as backup, are also a core part of the approach and will eliminate the worry that you drop your phone and you’re screwed forever.

            The downside is that there’s been a whole bunch of tools and apps and services built around passwords for decades and converting all that mass to passkey tools will take a bit.

            There are some other tradeoffs like, right now for example I can reasonably print all my passwords and TOTP codes on a few sheets of paper and achieve an “offline” backup in case of untimely death and so on, it’s going to be a bit more cumbersome with passkeys. But I expect there will be ways to optimize that as the technology evolves.