←back to thread

Passkeys and Modern Authentication

(lucumr.pocoo.org)
184 points Bogdanp | 2 comments | 02 Sep 25 13:47 UTC | HN request time: 0s | source
Show context
dan-robertson ◴[02 Sep 25 17:43 UTC] No.45106484[source]
What do security professionals think about passkeys? In particular, those who were not involved in designing them. Lots of the arguments in this article feel very much like the sort of thing one would expect from someone into open source (not saying they are wrong, and I think they are well explained here) but I feel they will inevitably be the product of different concerns than those a security practitioner might have.
replies(5): >>45106725 #>>45106875 #>>45108342 #>>45108792 #>>45116912 #
parliament32 ◴[03 Sep 25 15:26 UTC] No.45116912[source]
Compliance/security role at a company you've heard of here.

Passkeys are absolutely fantastic. Pretty much every complaint you see in these threads is seen as a positive in an enterprise context.

> Attestation restricts passkey clients

GOOD. I need a way to prove passkeys live on hardware-backed crypto devices (see NIST SP 800-63B), attestation makes that possible.

> But auth lock-in

GOOD. All our corporate sign-in events should be through our single IDP using SSO. Of course we want lock-in.

> But I can't sign in to my children's devices

GOOD. An identity represents a entity, it should be impossible for you to pretend to be another entity, regardless of whether they're a child or dog or whatever. If you need "parental access" or similar to some accounts, contact your service provider and ask for that feature.

> It's hard to export my passkeys

GOOD. Encrypted or not, a core security tenet is "a private key should never leave the device it was generated on" (hence the existence of HSMs, TPMs, etc). It should absolutely be impossible to ship your private keys around. Further, the primary appeal of passkeys in our context is phishing resistance, and it should be technologically impossible for a user to get bamboozled into exporting and sending their passkey to an adversary.

> But I need my backups

Why? Just contact IT if you lose your credentials. If you're on the personal side and don't have an IT authority, you should just generate passkeys on multiple devices and add all of them to your accounts.

> But that's a pain

Security is almost always inversely proportional to convenience.

replies(1): >>45117327 #
NoGravitas ◴[03 Sep 25 16:02 UTC] No.45117327[source]
>> But auth lock-in > > GOOD. All our corporate sign-in events should be through our single IDP using SSO. Of course we want lock-in.

My workplace uses Duo Mobile for a second factor, which is functionally identical to TOTP, and probably uses TOTP internally (if your android phone is rooted, you can export Duo Mobile keys to your choice of TOTP app). But as long as I'm being a good corporate citizen, I can't use my choice of TOTP app. What actual security (non-theater) interest does that serve?

replies(1): >>45117992 #
1. parliament32 ◴[03 Sep 25 16:52 UTC] No.45117992[source]
If a user can use any TOTP app of their choice, what's the mitigation for them installing a malware TOTP app that ships their private keys directly to CCP HQ?

Duo is regularly audited by independent third-party assessors to attest SDCL, data protection in their datacenters, etc.[1] Audits aren't a guarantee but they provide a reasonable amount of assurance that their software products and infrastructure have at least basic data protection measures.

> if your android phone is rooted, you can export Duo Mobile keys

This is the exact reason why personally owned devices, in most organizations, require MDM enrollment and attestation before being granted access to corporate resources.

[1] https://duo.com/solutions/compliance

replies(1): >>45118502 #
2. NoGravitas ◴[03 Sep 25 17:40 UTC] No.45118502[source]
If you can't use a TOTP app of your choice, what's the point of there being a standard? Pick an audited app using a proprietary scheme, you don't need interoperability, and if you don't need interoperability, you don't need a standard.