this post was submitted on 15 Oct 2024
175 points (92.3% liked)

Technology

58691 readers
3916 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
175
The War on Passwords Is One Step Closer to Being Over (www.wired.com)
submitted 1 day ago by [email protected] to c/[email protected]
121 comments fedilink hide all child comments
 

“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] -1 points 1 day ago* (last edited 1 day ago) (1 children)

I'm not in software but from what I read the importer sends a request and that request is used by the exporter and importer to encrypt and decrypt, so I think there's a way to tweak the whole process a little and instead have both the exporter and importer ask Netflix or whoever to provide a key as opposed to using the request. Could be wrong tho

[–] [email protected] 8 points 1 day ago* (last edited 1 day ago) (2 children)

That's not how Passkey, and the underlying WebAuthn works.

(Highly simplifies but still a bit technical) During registration, your key and the service provider website interacts. Your key generated a private key locally that don't get sent out, and it is the password you hold. The service provider instead get a puclic key which can be used to verifiy you hold the private key. When you login in, instead of sending the private key like passwords, the website sent something to your key, which needs to be signed with the private key, and they can verify the signature with the public key.

The CXP allows you export the private key from a keystore to another securely. Service providers (Netflix) can't do anything to stop that as it doesn't hold anything meaningful, let alone a key (what key?), to stop the exchange.

[–] [email protected] 1 points 14 hours ago

Thanks for this, from a non techie

[–] [email protected] 3 points 1 day ago (1 children)

So basically cert exchange when you want to ssh without passwords?

[–] [email protected] 4 points 1 day ago

Pretty much, yeah.