Passkeys and Modern Authentication

(lucumr.pocoo.org)

184 points Bogdanp | 1 comments | 02 Sep 25 13:47 UTC | HN request time: 0.396s | source

Show context

alphazard ◴[02 Sep 25 17:11 UTC] No.45105959[source]▶

Unfortunately the tech community is full of people who pride themselves on being aware of and advocating for the latest standard put out by whatever company. That's how we end up with lots of complicated nonsense like most of what is sent in HTTP headers, or the contents of a TLS certificate.

On the topic of authentication, it's solved. SSH nailed it, any further complexity is strictly worse. Signing up is uploading a public key. Signing in is cryptographically signing a commitment to the current ephemeral tunnel.

replies(10): >>45106121 #>>45106140 #>>45106170 #>>45106176 #>>45106183 #>>45106261 #>>45106406 #>>45106911 #>>45107421 #>>45107745 #

vbezhenar ◴[02 Sep 25 17:24 UTC] No.45106176[source]▶

>>45105959 #

ssh is terribly insecure with no way of checking server certificate fingerprint automatically. Web solved it decades ago with CA.

replies(2): >>45106217 #>>45109724 #

karmarepellent ◴[02 Sep 25 17:26 UTC] No.45106217[source]▶

>>45106176 #

This is incorrect. SSH certificates work just like x509 certificates in that regard. Also, with PubkeyAuthentication, there exist all kinds of ways to collect host keys before connecting to them for the first time and thus avoiding the trust-on-first-use problem. Especially in private networks where you control all the nodes.

replies(2): >>45108600 #>>45113360 #

1. vbezhenar ◴[03 Sep 25 08:06 UTC] No.45113360[source]▶

>>45106217 #

When I connect to github using ssh, I must google github page with ssh fingerprint and verify it by hand. Imagine how many people actually do that, instead of blindly accepting the key.

If github can't make it right, nobody can.

↑