FIDO Alliance publishes new spec to let users move passkeys across providers

(fidoalliance.org)

225 points Terretta | 2 comments | 15 Oct 24 12:18 UTC | HN request time: 0s | source

Show context

zigzag312 ◴[17 Oct 24 08:56 UTC] No.41867684[source]▶

>>41847787 (OP) #

Password vs. Passkey:

- Password is a single key, while passkey is a key-pair (private key & public key).

- Password can be weak, while passkey is always strong.

Password can be strong, if autogenerated.

- When authenticating, password can be send to the server (depending on the authentication protocol; SCRAM or PAKE based protocols never send password to the server). With passkey, private key is not send to the server for authentication purposes.

- Password manager can sync/backup your password and your passkey's "private" key.

- For a single service, same password is used from all devices. Passkey can be different for each device, but I'm not sure how this works (if it works) with sync/backup.

- Quantum-Safety: Key-derivation functions used with passwords are quantum-safe. Most (all?) asymmetric key algorithms, currently in commercial use (passkeys included), are not quantum-safe.

I'm not an expert on the topic. That's just a summary of my current understanding of passkeys, if it helps anyone. Note that mistakes are possible.

replies(3): >>41872311 #>>41874195 #>>41881161 #

1. geoelectric ◴[17 Oct 24 18:29 UTC] No.41872311[source]▶

>>41867684 #

Re you not being sure how sync would work with multi-device passkeys, you can share a passkey between devices with 1Password, Apple’s Keychain, etc, and use it to log in from any of them. I typically do this rather than manage them per-machine.

Per-machine passkeys would ostensibly be better hygiene, but only if I somehow kept them unsynced (easier said than done if you’re using Keychain). Having to manage that process would probably be more mistake-prone than just using the single passkey from my encrypted 1Password store.

replies(1): >>41873236 #

2. zigzag312 ◴[17 Oct 24 20:06 UTC] No.41873236[source]▶

>>41872311 (TP) #

Yeah, multi-device passkeys are easy to sync. Per-machine passkeys sync would be interesting, as it could not just copy the private key (as then it wouldn't be per-machine anymore), but would need to generate a new passkey for each synced device.

For example, if user has two devices with same password manager. To sync per-machine passkey from 1st to 2nd device, the password manager would have to initiate authentication with the service on the 2nd device and confirm it from the 1st device. I guess this process could be fully automated.

The advantage is that this enables disabling passkey for a specific device. If a device is stolen, a password/passkey manager could be used to disable all passkeys tied to that device.

Another advantage is that a private key doesn't need to be shared with a third-party. A cloud service provider doesn't need to ever see your private key, unless you also want to have a cloud based backup. But the passkey backed on the cloud would need to be an unique keypair and maybe even have a different authorization policy (e.g. requiring another authentication factor when using it).

↑