←back to thread

FIDO Alliance publishes new spec to let users move passkeys across providers

(fidoalliance.org)
225 points Terretta | 5 comments | 15 Oct 24 12:18 UTC | HN request time: 0.203s | source
1. zigzag312 ◴[17 Oct 24 08:56 UTC] No.41867684[source]
Password vs. Passkey:

- Password is a single key, while passkey is a key-pair (private key & public key).

- Password can be weak, while passkey is always strong.

Password can be strong, if autogenerated.

- When authenticating, password can be send to the server (depending on the authentication protocol; SCRAM or PAKE based protocols never send password to the server). With passkey, private key is not send to the server for authentication purposes.

- Password manager can sync/backup your password and your passkey's "private" key.

- For a single service, same password is used from all devices. Passkey can be different for each device, but I'm not sure how this works (if it works) with sync/backup.

- Quantum-Safety: Key-derivation functions used with passwords are quantum-safe. Most (all?) asymmetric key algorithms, currently in commercial use (passkeys included), are not quantum-safe.

I'm not an expert on the topic. That's just a summary of my current understanding of passkeys, if it helps anyone. Note that mistakes are possible.

replies(3): >>41872311 #>>41874195 #>>41881161 #
2. geoelectric ◴[17 Oct 24 18:29 UTC] No.41872311[source]
Re you not being sure how sync would work with multi-device passkeys, you can share a passkey between devices with 1Password, Apple’s Keychain, etc, and use it to log in from any of them. I typically do this rather than manage them per-machine.

Per-machine passkeys would ostensibly be better hygiene, but only if I somehow kept them unsynced (easier said than done if you’re using Keychain). Having to manage that process would probably be more mistake-prone than just using the single passkey from my encrypted 1Password store.

replies(1): >>41873236 #
3. zigzag312 ◴[17 Oct 24 20:06 UTC] No.41873236[source]
Yeah, multi-device passkeys are easy to sync. Per-machine passkeys sync would be interesting, as it could not just copy the private key (as then it wouldn't be per-machine anymore), but would need to generate a new passkey for each synced device.

For example, if user has two devices with same password manager. To sync per-machine passkey from 1st to 2nd device, the password manager would have to initiate authentication with the service on the 2nd device and confirm it from the 1st device. I guess this process could be fully automated.

The advantage is that this enables disabling passkey for a specific device. If a device is stolen, a password/passkey manager could be used to disable all passkeys tied to that device.

Another advantage is that a private key doesn't need to be shared with a third-party. A cloud service provider doesn't need to ever see your private key, unless you also want to have a cloud based backup. But the passkey backed on the cloud would need to be an unique keypair and maybe even have a different authorization policy (e.g. requiring another authentication factor when using it).

4. VoodooJuJu ◴[17 Oct 24 21:53 UTC] No.41874195[source]
It's also not a one or the other kind of thing.

The ideal auth system makes use of both, with the passkey or hardware token as the MFA component and a strong passphrase as the traditional password component. In this way, you are protected from phishing, which is the final weak point that MFA methods like TOTP do not address.

Unfortunately, globocorps are pushing for passkeys as the sole means of authentication, rather than just the MFA component. Being cynical, I'm guessing they're doing this to facilitate some kind of vendor lock-in or fingerprinting.

5. ◴[18 Oct 24 16:47 UTC] No.41881161[source]