Michael Lucas:
Hacker friends:
Am I correct in thinking passkeys replace "something you know" with "something you have," or am I missing something here?
[lots of good discussion in replies, but in summary: don't, not even once.]

Kitty Wife Milkshake, in reply to silverwizard:
well yes there are keys but they never leave the device, and they are supposed to be inaccessible even when you have access to the physical key (there was a vulnerability discovered in older YubiKeys recently that made them copiable, but if someone has physical access to the USB key they could just steal it at this point, as with any "something you own")
But sure, there are keys in it. But following this logic everything in our universe is information, so everything you own could technically be copied, but that's not a good way to think about it, is it?

Michael Lucas, in reply to Kitty Wife Milkshake:
@marta @silverwizard
yeah, it's a weird fuzzy area. All depends on what you need to wrap your brain around.

Martin Schultz, in reply to Michael Lucas:
GitHub - bulwarkid/ssh-passkey: A utility to use SSH keys as passkeys

Michael Lucas, in reply to sungo:
@sungo
Your opinion matches my understanding of what I've read.
I shall join you in rip-dom.

Ben Zanin, in reply to Michael Lucas:
@sungo right there with you two. The more I read the spec docs for passkeys, the clearer a picture I have of the concerns and priorities of the companies pushing them, and the more convinced I become that passkeys are For Someone But Not For Me™.
I believe @mhoye coined the phrase "what if you wanted your SSH privkey to have a landlord"

Antranig Vartanian, in reply to Michael Lucas:
Indeed. Think of it like… asymmetric key-based authentication on SSH.
The spec however is not polished yet. They should've just made it simple and done, instead of complicated and incomplete.

viq, in reply to Michael Lucas:
Assuming a physical device, like a YubiKey, there are two ways it can work.
You just touch the key. This is a non-resident key, which can only be used as a second factor, in addition to giving your username and password.
[1/2]

release_candidate, in reply to Michael Lucas:
they are like ssh keys, but for webpages.
So, yes, something "you have". Just like ssh, the keys for webpages are way better than the passwords.
The only problem is that they are harder to back up.

florian, in reply to Michael Lucas:
you are missing something. You replace something you know with something Google or Apple have.
They pinky swear to only present it when they are somewhat sure that it might possibly be you who wants to access a thing.
(Sounds like a shitpost but I'm serious)

ed(1) conference, in reply to florian:
@florian With the added "benefit" that if you want to take your passkey-ring and move it to something else that isn't Apple/Goog, well, no. You neither may, nor can.
I'm a little less concerned about passkey integration when it comes to password-managers with an openly-documented format that would let me take them elsewhere.
But Goog/Apple? Not even once.

florian, in reply to florian:
forgot to send this the other day, Re: passkeys
Just found it in my gtd inbox.
mastodon.social/@mhoye/1133183…
mhoye
2024-10-16 17:48:56

florian, in reply to florian:
it's here in the spec: fidoalliance.org/specs/cx/cxp-…
I don't actually read it that negatively, but then I haven't read the spec...

slash, in reply to Michael Lucas:
It's a secure authentication scheme, using public key crypto. The real problem is 1) no way to archive and/or transfer auth tokens to a new device, or a different vendor. I believe they will "back up" to the vendor's own cloud, but you can't take your Goog keys and move them to Apple.
2) The software for managing passkeys has various limits on how *many* keys you can store. This is also why, even though YubiCo was involved, you won't find a YubiKey that can store all of your keys.
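As an added illustration of the two points made in this thread (release_candidate's "like ssh keys, but for webpages" and slash's "public key crypto" description), here is a cut-down WebAuthn-style challenge/response in Go. It is example code written for this page, not code from the thread, from FIDO, or from any project linked above. The type names (Authenticator, RelyingParty, Credential, Demo), the origins example.com and examp1e.com, and the simplified authenticatorData layout (rpIdHash plus a 4-byte counter, no flags, no CBOR-encoded public key) are all constructed for the example. What it shows is why the factor is "something you have": the private key is created inside the Authenticator and never leaves it, the server stores only a public key and a counter, and the server's verification rejects a replayed assertion and one the browser stamped with a look-alike origin.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator models the "something you have" (constructed for this example).
// The private key lives only here; no method returns it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// clientData is a cut-down clientDataJSON. In a browser the origin is filled in
// by the browser, not by the page, so a look-alike site cannot forge it.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedMessage is what WebAuthn signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Assert answers a login challenge. authenticatorData is simplified here to
// SHA-256(rpID) || 4-byte signature counter (flags omitted).
func (a *Authenticator) Assert(rpID string, cd clientData) (authData, cdJSON, sig []byte, err error) {
	a.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[32:], a.counter)
	if cdJSON, err = json.Marshal(cd); err != nil {
		return nil, nil, nil, err
	}
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cdJSON))
	return authData, cdJSON, sig, err
}

// Credential is all the relying party keeps per user: a public key and the
// last accepted signature counter. There is no server-side secret to leak.
type Credential struct {
	Pub     *ecdsa.PublicKey
	Counter uint32
}

type RelyingParty struct{ ID, Origin string }

// NewChallenge returns a fresh random, single-use challenge.
func (rp RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// VerifyAssertion performs the relying-party checks: challenge echo (anti-replay),
// origin (anti-phishing), rpIdHash, signature, and counter growth (clone detection).
func (rp RelyingParty) VerifyAssertion(cred *Credential, challenge string, authData, cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(rp.ID))
	switch {
	case cd.Challenge != challenge:
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd.Origin != rp.Origin:
		return errors.New("origin mismatch: assertion was made for another site")
	case len(authData) < 36 || !bytes.Equal(authData[:32], rpHash[:]):
		return errors.New("rpIdHash mismatch or malformed authenticator data")
	case !ecdsa.VerifyASN1(cred.Pub, signedMessage(authData, cdJSON), sig):
		return errors.New("signature does not verify against the registered public key")
	}
	ctr := binary.BigEndian.Uint32(authData[32:36])
	if ctr <= cred.Counter {
		return errors.New("signature counter did not increase: possible cloned authenticator")
	}
	cred.Counter = ctr
	return nil
}

// Demo registers one key, then tries an honest login, a replay of the same
// assertion bytes, and an assertion stamped with a look-alike origin.
func Demo() (honestOK, replayOK, phishOK bool, err error) {
	rp := RelyingParty{ID: "example.com", Origin: "https://example.com"}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	auth := &Authenticator{priv: priv}
	cred := &Credential{Pub: &priv.PublicKey} // registration: only the public key crosses
	ch := rp.NewChallenge()
	ad, cj, sig, err := auth.Assert(rp.ID, clientData{Challenge: ch, Origin: rp.Origin})
	if err != nil {
		return false, false, false, err
	}
	honestOK = rp.VerifyAssertion(cred, ch, ad, cj, sig) == nil
	replayOK = rp.VerifyAssertion(cred, ch, ad, cj, sig) == nil // same bytes: counter already seen
	ch2 := rp.NewChallenge()
	ad, cj, sig, _ = auth.Assert(rp.ID, clientData{Challenge: ch2, Origin: "https://examp1e.com"})
	phishOK = rp.VerifyAssertion(cred, ch2, ad, cj, sig) == nil // origin check rejects it
	return honestOK, replayOK, phishOK, nil
}

func main() {
	h, r, p, err := Demo()
	fmt.Println("honest:", h, "replay:", r, "phished:", p, "err:", err)
}
```

The counter check is the part that matters for the "keys that never leave the device" discussion earlier in the thread: a second copy of the same key material would produce assertions whose counter is not strictly greater than the one the server last saw, which is how a relying party can notice a cloned authenticator even though it holds no secret itself.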

Andreas Albrecht, in reply to Michael Lucas:
I thought you choose a passkey so that the mean guys don't need to cut off your thumb or head to get access?!