It’s a great idea, and it could be awesome, but things are not being addressed. Or being handwaved as “we can address them later”. This recent discussion from last month (both the discussion in the linked github issue, and in the HN thread both including some key players in the PassKey system) is pretty telling: https://news.ycombinator.com/item?id=39698502
I still don’t understand passkeys. What prevents someone else from using my passkey? Maybe I should just set one up to get a better idea of how they work.
Passkeys are like using a private key to log in. There are several ways it’s better:
Passwords can be stored improperly by a website leading it to be leaked
Passkeys never leave the device so a website being breached can never leak your passkey
The website only stores the public portion of the key which is useless to an attacker
Passkeys can only be stolen by attacking and breaching the device or password manager that holds it
Passwords can and often are reused across multiple sites so a single leaked password can compromise many sites
Passkeys are created for each site so an attacker would need to steal each one separately
Passwords can be phished by fooling a user into entering the password
Passkeys can’t be phished easily since it’s designed not to leave the device - if such an attack was found it could be patched in the browser / password manager. You can’t patch all password forms to stop phishing in the same way
If you’re familiar with ssh keys, it’s similar to that and why the top security recommendation for new servers is to disable passwords and use keys instead.
The difference is, you literally never give the private key to anyone. Nobody will ever ask for it.
It works through public private key encryption. To login the site will send your computer a “challenge” (some kind of math problem) that’s first encrypted with your public key. That means only your private key will be able to decrypt the challenge. Then your machine will generate an answer, encrypt it with the private key and sent that back. If the public key decrypts the answer and it matches, they know you are you.
Except they don’t. They may request a passkey which is just an oversimplification about what is going on behind the scenes, with information being passed back and forth as Steve described.
But the private key never leaves the device. This is such a huge distinction that is easy to overlook. But it is very, very important.
Haha fair enough. I should have known from the quotes. It is something I hear a lot from people who don’t know the difference, and I’m sure you do too.
not exacly, if someone hack a site that has poor security they gonna have your password, it you put your passkey there, it’s useless, also people can’t see you writibg yoyr password if don’t write it
Yes, but a password is a shared secret. So both you and the person you are interacting with need the password and therefore it is more vulnerable. With a past key, only you have the private key and the company or service you are interacting with never has access to the secret. Basically, they encrypt a message to you using your public key and then your private key decrypts it and sends them a response back with the correct answer.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !protonprivacy@lemmy.world
Empowering you to choose a better internet where privacy is the default. Protect yourself online with
Proton Mail, Proton VPN, Proton Calendar, Proton Drive. Proton Pass and SimpleLogin.
Proton Mail is the world’s largest secure email provider. Swiss, end-to-end encrypted, private, and free.
Proton VPN is the world’s only open-source, publicly audited, unlimited and free VPN. Swiss-based, no-ads, and no-logs.
Proton Calendar is the world’s first end-to-end encrypted calendar that allows you to keep your life private.
Proton Drive is a free end-to-end encrypted cloud storage that allows you to securely backup and share your files. It’s open source, publicly audited, and Swiss-based.
Proton Pass Proton Pass is a free and open-source password manager which brings a higher level of security with rigorous end-to-end encryption of all data (including usernames, URLs, notes, and more) and email alias support.
SimpleLogin lets you send and receive emails anonymously via easily-generated unique email aliases.
Passkeys are great, and generally a plus for security; but (a) all the most popular implementations have not implemented key export and transfer to alternate implementations (b) It includes an implementation ID + hardware attestation feature which can be used to disable ‘unapproved’ implementations by key consumers. Considering the most common device with a ‘secure’ environment, and can implement this are your cell phones, and they are made by Apple + Google, this effectively locks your identity to either of these platforms. © All the public signals smell and look like the providers (apple, google, Microsoft) are doing everything they can to implement the features to make lock in all but inevitable, including mandating that implementations user-hostile features, or risk being rejected by sites.
It’s a great idea, and it could be awesome, but things are not being addressed. Or being handwaved as “we can address them later”. This recent discussion from last month (both the discussion in the linked github issue, and in the HN thread both including some key players in the PassKey system) is pretty telling: https://news.ycombinator.com/item?id=39698502
I certainly hope the future isn’t like that
I still don’t understand passkeys. What prevents someone else from using my passkey? Maybe I should just set one up to get a better idea of how they work.
Passkeys are like using a private key to log in. There are several ways it’s better:
If you’re familiar with ssh keys, it’s similar to that and why the top security recommendation for new servers is to disable passwords and use keys instead.
No one else can use it as long as they do not have your private key.
No one else can use your password as long as they don’t have your password
The difference is, you literally never give the private key to anyone. Nobody will ever ask for it.
It works through public private key encryption. To login the site will send your computer a “challenge” (some kind of math problem) that’s first encrypted with your public key. That means only your private key will be able to decrypt the challenge. Then your machine will generate an answer, encrypt it with the private key and sent that back. If the public key decrypts the answer and it matches, they know you are you.
“Websites ask me for it every time I visit them bro 🤪”
Except they don’t. They may request a passkey which is just an oversimplification about what is going on behind the scenes, with information being passed back and forth as Steve described.
But the private key never leaves the device. This is such a huge distinction that is easy to overlook. But it is very, very important.
I guess my sarcasm needed the /s; was just mocking people who would try to retort with some half brained comment like that.
Of course passkeys are better and more secure, I’m 100% on board with them.
Haha fair enough. I should have known from the quotes. It is something I hear a lot from people who don’t know the difference, and I’m sure you do too.
not exacly, if someone hack a site that has poor security they gonna have your password, it you put your passkey there, it’s useless, also people can’t see you writibg yoyr password if don’t write it
Yes, but a password is a shared secret. So both you and the person you are interacting with need the password and therefore it is more vulnerable. With a past key, only you have the private key and the company or service you are interacting with never has access to the secret. Basically, they encrypt a message to you using your public key and then your private key decrypts it and sends them a response back with the correct answer.
But if you’re using it now, wouldn’t it be a present key?
Lol. Nice
Hopefully. Passwords are inherently unsafe.