←back to thread

Passkeys and Modern Authentication

(lucumr.pocoo.org)
184 points Bogdanp | 4 comments | 02 Sep 25 13:47 UTC | HN request time: 0s | source
Show context
alphazard ◴[02 Sep 25 17:11 UTC] No.45105959[source]
Unfortunately the tech community is full of people who pride themselves on being aware of and advocating for the latest standard put out by whatever company. That's how we end up with lots of complicated nonsense like most of what is sent in HTTP headers, or the contents of a TLS certificate.

On the topic of authentication, it's solved. SSH nailed it, any further complexity is strictly worse. Signing up is uploading a public key. Signing in is cryptographically signing a commitment to the current ephemeral tunnel.

replies(10): >>45106121 #>>45106140 #>>45106170 #>>45106176 #>>45106183 #>>45106261 #>>45106406 #>>45106911 #>>45107421 #>>45107745 #
vbezhenar ◴[02 Sep 25 17:24 UTC] No.45106176[source]
ssh is terribly insecure with no way of checking server certificate fingerprint automatically. Web solved it decades ago with CA.
replies(2): >>45106217 #>>45109724 #
karmarepellent ◴[02 Sep 25 17:26 UTC] No.45106217[source]
This is incorrect. SSH certificates work just like x509 certificates in that regard. Also, with PubkeyAuthentication, there exist all kinds of ways to collect host keys before connecting to them for the first time and thus avoiding the trust-on-first-use problem. Especially in private networks where you control all the nodes.
replies(2): >>45108600 #>>45113360 #
palata ◴[02 Sep 25 20:30 UTC] No.45108600[source]
SSH does have certificates, but in practice most people using SSH don't use SSH certificates and don't check the fingerprints.

Not sure if we can say it's solved if nobody wants to use it by choice (certificates are probably mostly used in enterprise setups, but in my experience it's not even that common there).

replies(1): >>45109833 #
1. tptacek ◴[02 Sep 25 22:17 UTC] No.45109833[source]
If you have a small, stable number of hosts, an SSH PKI doesn't make a lot of sense. With a large fleet, and/or if you want to tie your fleet into an OIDC IdP, certificates are pretty common; the most common way of solving this problem, I think?
replies(1): >>45110542 #
2. palata ◴[02 Sep 25 23:40 UTC] No.45110542[source]
I think it's the case in big companies. But most companies are not big :-), which means that a lot of people are using SSH without ever checking the fingerprint. That would be my intuition.
replies(1): >>45110731 #
3. tptacek ◴[03 Sep 25 00:06 UTC] No.45110731[source]
SSH has always relied on key continuity for this problem; you're exposed when you're first introduced to a host (on a particular client) but then fine from that point on.

This of course breaks down with cattle fleets where ~most logins are to hosts you've never hit before, which is why cattle fleets tend to use SSH PKI.

replies(1): >>45113569 #
4. palata ◴[03 Sep 25 08:47 UTC] No.45113569{3}[source]
Over the years I have seen - repeatedly - colleagues just removing ~/.ssh/known_hosts when SSH showed the warning that says something like "YOU MAY HAVE BEEN HACKED!!!".

I think passkeys resolve that, even though it's more of a human issue than a technical issue :-).