this post was submitted on 11 Oct 2023
293 points (98.0% liked)

Technology

60008 readers
2525 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 2 years ago
MODERATORS
 

A passkey is some sort of specific unique key tied to a device, allowing you to use a PIN on that device instead of the password, but which won't work on another device.

Now I don't know if that key can be stolen or not, or if it's really more secure or not, as people have really insecure PINs.

[–] [email protected] 27 points 1 year ago* (last edited 1 year ago) (2 children)

I have a long list of questions about passkeys and none of these articles explains them well enough.

  1. Does Android have it built into AOSP or Google Play Services?
  2. Would it be possible to actually see your private key on Android? Like export it to a file?
  3. Do they work without a third-party service? Can it be just me and the service I am logging in to, or does it require the servers of my passkey provider (like Google, Bitwarden, 1Password) to work?
  4. Can it be used offline? For example, can an offline device create a token that a second, online device could use for login? (Like TOTP codes.)
  5. Do they work on Internet services other than the Web? In other words, do they work purely over HTTP and webviews, or can they in future be used to log in to, for example, SSH servers?
[–] [email protected] 13 points 1 year ago (2 children)
  1. Since passkeys are basically asymmetric keys, SSH has technically had "passkeys" for years.
[–] [email protected] 13 points 1 year ago (1 children)

Yes, but that's missing the important part.

Passkeys are not primarily about asymmetric keys. They are about applying asymmetric keys to the Web as an open standard.

The W3C WebAuthn standard is what makes it important and revolutionary.

This is just as important as HTML, CSS and ActivityPub.

Finally we have an open standard that integrates in the web and offers a high level of security.

[–] [email protected] 2 points 1 year ago (1 children)

Is that like TLS client-side certificates?

[–] [email protected] 2 points 1 year ago (1 children)

It's actually quite similar, yes, in the sense that it uses a public/private key pair linked to your account.

But this works on the application layer and you don't use certificates.

Much easier to set up.

[–] [email protected] 1 points 1 year ago

Also, it generates unique keys per site, so it doesn't help anybody track you.

[–] [email protected] 0 points 1 year ago

Just an example of a protocol other than HTTP.

[–] [email protected] 4 points 1 year ago (2 children)

None of that?

You don't need to export or know what the key is.

The key is different for each device.

https://youtu.be/6lBixL_qpro?si=wFFQwrfjQBKDHs5B

[–] [email protected] 7 points 1 year ago (3 children)

You don't need to export or know what the key is.

But is it possible in the implementation of Android/iOS?

Backups are a thing. With SSH keys I have a different key for every device too, but as they are stored in an accessible file (as all computer data should be) they are backed up with the rest of the system.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

So first, no, not all files should be accessible: these are not really "files" but keys, like the key used for this method. These keys pose a huge security risk if they are leaked somehow. The key can be something used to encrypt the device/disk, encrypt a connection, and other things associated with encryption.

And because of that security risk, they are often stored in a special chip or simulated chip (like the simulated TPM 2.0 in a PC CPU), and not just "stored" so that any malware or who knows what can access them just by reading the drive.

Second, the key is never transferred. When you connect to another device, that other device will get another key. Or maybe it could be backed up somehow in case of recovery on another phone? But that would defeat the entire purpose of this.

How Google can allow you to connect to another device if the first one is lost, I'm not sure. But it would certainly ask for a password and a 2FA method.

[–] [email protected] 0 points 1 year ago (1 children)

How Google can allow you to connect to another device if the first one is lost, I'm not sure. But it would certainly ask for a password and a 2FA method.

That's the key question. From what it seems, it would replace a password manager with different passwords for each website, but you give Google control of the master password.

[–] [email protected] 1 points 1 year ago

It is not for the password manager...

It's just to connect to the google account.

It is not a service to connect to other ones without passwords.

[–] [email protected] 1 points 1 year ago (1 children)

I just replaced my iPhone, and the few places I “sign in with Apple” still work in the new phone. Yes, you can back it up and restore to a different device. I assume you can also use it across devices but I haven’t tried that

[–] [email protected] 1 points 1 year ago

This is something different to PassKeys. "Sign in with Apple" is Apple telling online service "let him in", while PassKeys is storing your authentication data on your device.

[–] [email protected] 4 points 1 year ago (1 children)

I tested it on another device; it looks like it gets the passkey from the source device (not from the cloud). I had to input the original device's unlock pattern for it to work.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

And it's expected as you still had that device. And it's not the same key, a new key has been created for that new device. Now if that device cannot be accessed?