Most active commenters
  • scherlock(3)
  • lisper(3)

←back to thread

FIDO Alliance publishes new spec to let users move passkeys across providers

(fidoalliance.org)
225 points Terretta | 11 comments | 15 Oct 24 12:18 UTC | HN request time: 0s | source | bottom
Show context
jakub_g ◴[16 Oct 24 21:02 UTC] No.41863841[source]
Something that is not clear to me about passkeys and makes me uneasy to start using them:

Are passkeys replacing passwords, 2FA, or both?

What if I created a passkey on some device, lost that device, and my passkeys aren't cloud-backed-up? Would I be able to recover my account, or it's doomed? Or does it depend on how a given website implemented it?

replies(6): >>41863858 #>>41864360 #>>41865277 #>>41866433 #>>41866779 #>>41866793 #
lisper ◴[17 Oct 24 00:32 UTC] No.41865277[source]
> Are passkeys replacing passwords, 2FA, or both?

They are advertised as a replacement for passwords, but the truth is that they are orthogonal to both passwords and 2FA. They are a completely different kind of authentication.

Both passwords and passkeys work by proving that you know a secret. The difference is that with a password, the way you prove that you know the secret is by revealing it, which leaves you open to phishing. The other problem with passwords is that the secret is generally one that you are expected to type and remember, which limits how long and random it can be.

With passkeys, the secret is a public key (EDIT: in the sense of public-key encryption. The secret is actually the secret part of a public-private keypair), that is, a long string of random bits that a normal human could not remember even if they wanted to, and the way you prove that you know it is using that key to produce a digital signature for a random challenge. You never reveal your key during normal operation, and that makes it more resistant against phishing.

> What if I created a passkey on some device, lost that device, and my passkeys aren't cloud-backed-up? Would I be able to recover my account, or it's doomed? Or does it depend on how a given website implemented it?

It depends on how a web site implements it, but keep in mind that everything that makes it easier to recover from a lost key also makes your account more vulnerable to attack. So having backups of your passkey keys is a really good idea. But those backups don't have to be in the cloud. You could keep local copies on your own devices, or even print the key on a sheet of paper and keep that in a safe.

replies(4): >>41865612 #>>41865632 #>>41865683 #>>41865684 #
1. scherlock ◴[17 Oct 24 01:35 UTC] No.41865612[source]
I don't see how passkeys do anything to prevent phishing.
replies(4): >>41865645 #>>41865646 #>>41865662 #>>41866844 #
2. bastawhiz ◴[17 Oct 24 01:42 UTC] No.41865645[source]
How exactly do you get someone to give their passkey private key to a bad actor?
replies(1): >>41866054 #
3. lisper ◴[17 Oct 24 01:42 UTC] No.41865646[source]
Two main ways: first, as I said in my original comment, you don't reveal the key when you use a passkey. So at worst a phisher might be able to get you to sign a challenge that they are facing to get into your account once, but they would not be able to re-use your credentials to get in again or to get into another site. And second, in a proper implementation you would have a separate key for every site you want to authenticate to, so a phisher would not have to merely phish you, they would have to mount an MITM attack on an HTTPS session (or find some other way to impersonate the site they are trying to phish your credentials for). That's not impossible, but it's orders of magnitude harder than impersonating a site through a typosquatting attack.
replies(1): >>41866169 #
4. sitharus ◴[17 Oct 24 01:45 UTC] No.41865662[source]
Phishing relies on visual confusion to get people to enter their passwords on a site that isn't the one they think it is.

WebAuthn credentials are bound to the issuing domain, so the user agent will not supply a passkey to a domain other than the one it should go to.

5. scherlock ◴[17 Oct 24 03:04 UTC] No.41866054[source]
"Hi, this is Bob from blah support, we need to confirm your account is a correct. When prompted please confirm to give us access". if someone is dumb enough to hand out a password, they are dumb enough to click approve. Phishing is a social attack, not a technical attack.
replies(2): >>41866566 #>>41869995 #
6. scherlock ◴[17 Oct 24 03:30 UTC] No.41866169[source]
So, it really doesn’t prevent phishing. If you can get someone to give you their password, you can probably get them to click approve. The real benefit is to the service provider, not having to worry about leaking a secret if they get compromised.
replies(2): >>41866925 #>>41866976 #
7. tadfisher ◴[17 Oct 24 05:03 UTC] No.41866566{3}[source]
Your passkey provider will simply refuse to show that it has a credential for Bob's phishing convincing phishing site. RP challenges are bound to a domain for this purpose.
8. gre345t34 ◴[17 Oct 24 06:04 UTC] No.41866844[source]
If you got tricked into logging into goggle.com or something the FIDO2 auth would fail because a) the URL would not match the credential metadata and b) the resulting assertion, a signature over data which includes the URL, would not be valid (google.com would not accept it).
9. lisper ◴[17 Oct 24 06:22 UTC] No.41866925{3}[source]
> you can probably get them to click approve

It depends on the type of attack being mounted, but a typical phishing attack is mounted as a MITM attack. With passkeys, a MITM cannot get the client to even ask the user to approve the transaction because the attacker cannot authenticate as the relying party.

You can attack passkeys by, say, compromising the user's machine, but that's not phishing.

10. Ferret7446 ◴[17 Oct 24 06:34 UTC] No.41866976{3}[source]
They would have to get you to install a malicious version of your web browser and/or passkey manager, as all legitimate implementations enforce having the correct TLS domain, which is significantly harder than getting you to visit a random URL.
11. bastawhiz ◴[17 Oct 24 14:25 UTC] No.41869995{3}[source]
Your browser won't auth you with a key meant for a site you're not on. There's no mechanism for what you're describing.