this post was submitted on 26 Apr 2024
83 points (90.3% liked)

Technology

34988 readers
103 users here now

This is the official technology community of Lemmy.ml for all news related to creation and use of technology, and to facilitate civil, meaningful discussion around it.


Ask in DM before posting product reviews or ads. All such posts otherwise are subject to removal.


Rules:

1: All Lemmy rules apply

2: Do not post low effort posts

3: NEVER post naziped*gore stuff

4: Always post article URLs or their archived version URLs as sources, NOT screenshots. Help the blind users.

5: personal rants of Big Tech CEOs like Elon Musk are unwelcome (does not include posts about their companies affecting wide range of people)

6: no advertisement posts unless verified as legitimate and non-exploitative/non-consumerist

7: crypto related posts, unless essential, are disallowed

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 20 points 7 months ago (2 children)

I admit that passkeys have never made sense to me. You still have a username and password, but you’ve added a middleman who manages the password. Why not just use a password manager (without MFA, another useless annoyance)?

[–] [email protected] 30 points 7 months ago (2 children)

Passkeys are not passwords. When you authenticate using passkeys you will proof that you have the secret (passkey), but you will never reveal that secret to the service you are authentication against.

So even if someone is able to steal that package containing the answer, that answer will not be valid a second time.

[–] [email protected] 1 points 7 months ago (1 children)

So it’s like a credit card chip?

[–] [email protected] 2 points 7 months ago

Its like the key in the Chip. But yes fundamentally it is like that. Now the Key needs to be stored somewhere safe like in your Phones secure enclave or in the case of your credit card a so called smart card (or sim card etc.)

[–] [email protected] 7 points 7 months ago (1 children)

Passkeys are. more similar to TOTP codes than passwords. Everything about passkeys is autogenerated. Browser negotiates with website to generate a key pair that will establish your identity on that site. Every time you "login" they exchange unique autogenerated keys to prove to each other who they are. That's it. You never have to remember anything again and it's impervious to many attacks that affect passwords and 2fa codes.

Where they fucked up is allowing big tech to call the shots so now instead of simply having passkeys in your browser you have to go to a higher authority to have them validated. And goes who that is — Google, Microsoft, Apple. So it's basically gatekeep and you can't touch them without depending on them.

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago) (1 children)

How is that different from mutual TLS authentication?

Edit: It seems like OPAQUE just initiates mutual TLS authentication after the TLS session has already been negotiated with PKI. So it basically just allows websites to design their own login page instead of the one designed by the web browser.

[–] [email protected] 1 points 7 months ago

It's like the initial authentication, where server and clientnexchange a symmetrical key with their asymmetrical keys. The difference is that in that exchange the server and the client meet for the first time whereas the point of pass keys is that once when you were already authenticated, you validated the device or whatever will hold the private key as a valid source, so then when the authentication code gets exchanged, both ends can verify that the other end is who they tell is, and both can verify the other end as valid, and thus that exchange authenticates you because you, in the past, while authenticated, trusted that device as valid.

Technically, yeah, it's an asymmetrical key exchange. Iirc the server sends you a signed certificate and you need to unencrypt itnwithbtheir public key and sign it with your private key, so they can the getnit back and ensure that it was you who signed it, using your public key to check the validity of whatever was sent.

I don't know enough to be 100% corrextbon the details, but the idea is that it's an interaction between asymmetrical keys.

Soporta like how we use keysbto authenticate through github through SSL, but with an extra level of security where the server validates a key in a single endpoint, not wherever that private key would be held (like with SSL)