←back to thread

Passkeys and Modern Authentication

(lucumr.pocoo.org)
184 points Bogdanp | 1 comments | 02 Sep 25 13:47 UTC | HN request time: 0.207s | source
Show context
alphazard ◴[02 Sep 25 17:11 UTC] No.45105959[source]
Unfortunately the tech community is full of people who pride themselves on being aware of and advocating for the latest standard put out by whatever company. That's how we end up with lots of complicated nonsense like most of what is sent in HTTP headers, or the contents of a TLS certificate.

On the topic of authentication, it's solved. SSH nailed it, any further complexity is strictly worse. Signing up is uploading a public key. Signing in is cryptographically signing a commitment to the current ephemeral tunnel.

replies(10): >>45106121 #>>45106140 #>>45106170 #>>45106176 #>>45106183 #>>45106261 #>>45106406 #>>45106911 #>>45107421 #>>45107745 #
karmarepellent ◴[02 Sep 25 17:24 UTC] No.45106183[source]
> Signing in is cryptographically signing a commitment to the current ephemeral tunnel.

I can see how SSH could be used for authentication on the web. And I have no doubt that it would be sound out-of-the-box. But I am not sure what you mean by your last sentence. Do you mean that authentication targets are gated and only reachable by establishing a tunnel via some kind of forwarding?

Aside from the wonderful possibilities that are offered by using port forwarding of some kind, you could also simply use OpenSSH's ForceCommand to let users authenticate via SSH and then return a short-lived token that can then be used to log into an application (or even a SSO service).

I guess no one uses SSH for authentication in this way because it is non-standard and kind of shuts out non-technical people.

replies(3): >>45106528 #>>45106698 #>>45106862 #
1. manithree ◴[02 Sep 25 17:57 UTC] No.45106698[source]
Not just non-technical people, but a lot of Windows developers I've worked with over the years can't seem to grasp the asymmetric key concept enough to use it for git (and then complain about git over over https).

Being in charge of the strength and security of your private key is something most people don't want to do, so we get multiple identities made "easy" by walled gardens getting popular in passkeys.