81
submitted 4 months ago by bilbobaggins@lemmy.world to c/privacy@lemmy.ml

A lot of services support passkeys. Microsoft even has an option to make my account "passwordless". Since they are more secure than passwords, will you be switching some / most of your accounts to passkeys any time soon? Interested to hear everyone's thoughts on passkeys. 🔑

you are viewing a single comment's thread
view the rest of the comments
[-] GravitySpoiled@lemmy.ml 37 points 4 months ago

I use a password manager. I don't care about it. Passwords are reasonably secure.

[-] American_Jesus@lemm.ee 13 points 4 months ago

Passwords can be leaked, mostly by bad security on server side.

Passkeys use secure keys, it checks public keys on both sides and send private key to authenticate, without both keys can't login or if the server is compromised.

It's like GPG or SSH works.

[-] Dark_Arc@social.packetloss.gg 34 points 4 months ago* (last edited 4 months ago)

Close but private keys don't get sent.

It sends information encrypted via your public key to your client, then your client proves that it's the real owner of the key by decrypting the message, and then sending a new message back encrypted by the private key that the server can then verify.

This is what's better than a password, the information for providing authentication (the private key) never leaves your computer (where as you almost in all implementations of password based auth, send the password itself to the server).

[-] JubilantJaguar@lemmy.world 7 points 4 months ago

A question, since you sound like you know what you're talking about. Is this analagous to password-free SSH? I.e., private key used to log in on the basis of a pre-agreed public key?

[-] Dark_Arc@social.packetloss.gg 9 points 4 months ago

Yeah basically. See "What is a passkey" on https://fidoalliance.org/faqs/#PasskeysFAQs

From a technical standpoint, passkeys are FIDO credentials that are discoverable by browsers or housed within native applications or security keys for passwordless authentication. Passkeys replace passwords with cryptographic key pairs for phishing-resistant sign-in security and an improved user experience. The cryptographic keys are used from end-user devices (computers, phones, or security keys) for user authentication.

[-] JubilantJaguar@lemmy.world 5 points 4 months ago

Which begs the question, "What is FIDO?". To which the About FIDO page replies, literally, "FIDO authentication uses standard public key cryptography techniques to provide phishing-resistant authentication".

Arrghghgh! Orwell was right about people's incredibly capacity to write with zero clarity.

More generally, IMO what we have here is a classic case of ELI5 vs "ELI know something already". I use SSH and manage the keys myself but I still can't find an answer to this question: is a "passkey" just another word for "the private key in a public-private keypair?"

Whenever I look into this, the explainer always either jumps straight into super-dense technical details, or describes it all in term of metaphors as if talking to a small child. Oh well.

[-] Dark_Arc@social.packetloss.gg 2 points 4 months ago

Reading through all the jargon and simplifying it, the answer: yes they're the same in the way you mean.

"SSH" and "passkey" are both technologies built on asymmetric cryptography. They thus at a fundamental level do work in the same way, it's all the protocol and practices stuff that gets bolted on that is where things become different and where things took time to get into place so we could use these things on the web (and not just "we" who know what SSH is but "we" who make up society).

Arrghghgh! Orwell was right about people's incredibly capacity to write with zero clarity.

The problem is arguably that for the people who understand it enough to say "yeah, they're the same idea", the key point is "asymmetric cryotherapy" in an authentication context, the key point is not SSH. SSH is just how most technically inclined users have most directly experienced asymmetric cryptography deployed as an authentication mechanism. It's that same mistake textbooks often make of burying the lead in an otherwise obscure reference the reader may or may not pickup on.

But yes, it would be helpful if some major site would provide this comparison "so that I don't have to! 😉"

See also "Enrollment and Sign-in with FIDO" in https://fidoalliance.org/how-fido-works/

[-] JubilantJaguar@lemmy.world 3 points 4 months ago

It’s that same mistake textbooks often make of burying the lead in an otherwise obscure reference the reader may or may not pickup on.

Exactly. Thanks for clarifying.

[-] biscuitswalrus@aussie.zone 3 points 4 months ago

It's PKI, public key infrastructure. It's secure so it's used in many applications. Including ssh using keys.

[-] GravitySpoiled@lemmy.ml 11 points 4 months ago

It sends the private key? Are you sure about that?

[-] SzethFriendOfNimi@lemmy.world 3 points 4 months ago

Just like positrons are the opposite of electrons maybe passkeys send private keys and keep the public ones in PKI… wait…

[-] otp@sh.itjust.works 5 points 4 months ago

Passwords can be leaked, mostly by bad security on server side.

Wouldn't this be solved by storing only hashed passwords?

Let's assume that hashing passwords falls into the "good security" bucket, and wouldn't be part of the "bad security" scenario.

[-] otp@sh.itjust.works 1 points 4 months ago

Figured as much. I thought that was just "standard", but even "standard" can be a lot to expect lol

[-] jim@programming.dev 9 points 4 months ago

Password managers support passkeys.

[-] wesker@lemmy.sdf.org 5 points 4 months ago* (last edited 4 months ago)

I use a password AND passkey.

this post was submitted on 11 Aug 2024
81 points (95.5% liked)

Privacy

32506 readers
1252 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS