undefined | Better HN

0 pointsmichaelt1y ago0 comments

> I’ve avoided passkeys so far because I just don’t have a good mental model of them.

OK, so the simplest way to understand is to first know about the previous generation.

U2F keys are designed to be used alongside a username and password, as a more secure replacement for phone apps showing 6-digit codes.

In U2F the key has a hardware 'secure element' where secrets can't be extracted, even if you plug it into a compromised machine. You get a separate public/private key pair for every account and website (so it can't be used to track you between websites) and that key pair can be used to authenticate with the website. A physical button has to be pressed to authenticate, keeping it secure even if an attacker has control over your keyboard and mouse. The browser integration takes care of letting the USB key know which website is asking to authenticate. U2F keys have to be used alongside a username and password.

For a variety of reasons U2F keys never really took off. Partly cost, partly the 'what if I lose it' issue, partly lack of uptake by websites, partly difficulty using them on mobile, partly competition from 'log in with google' type systems.

So the trade group behind U2F said "Hey, maybe we could just emulate the hardware secure element in the smartphone's OS? And while we're at it, we could save the username, and use fingerprint/faceid instead of a password, eliminate that tedious button press, and automatically back up the public/private keypairs to the cloud". They kept a USB option about for the sake of tradition, but it's on life support.

So that's the mental model of a Passkey: It's like an impossible-to-clone USB hardware secure element that does challenge-response authentication to websites. Except it's emulated in OS software, and is no longer impossible to clone.

Another way of thinking of it is: It's very similar to using the 'Log in with Google' / 'Log in with Apple ID' buttons you see on many websites, you're authenticating to a service by proving you have access to a cloud account. The implementation details in the background are very different, but the result is broadly the same.

0 comments

chrisweekly1y ago

> "and use fingerprint/faceid instead of a password"

This is the part that makes absolutely no sense to me. An essential aspect of passwords is that they can be changed. If someone manages to fake the digital representation of my fingerprints or face, what now? Security guru Bruce Schneier has written about this w/ much more eloquence and authority.

vel0city1y ago

The fingerprint/faceid is just a local proof to unlock the actual asymmetric encryption key. It is not your actual identifier to the remote server. So if you need to redo your auth, you just rekey and stash the new key in your authenticator (or have your authenticator originate the key material and never expose it to main memory at all).

Think an SSH key protected by a passphrase. Your passphrase isn't the thing that actually logs you into the server, its just what you use to unlock your actual key material you use in your SSH handshake. Your fingerprint/face identity is just your local unlock of the actual key material stored in some other secure enclave.

chrisweekly1y ago

thanks, that does help.

throwaway484761y ago

The unstated value of a USB key is the functional similarity to metal keys for ordinary people.

int_19h1y ago

Not quite. It's easy to create a duplicate of your metal key, and many people do exactly that to avoid a situation where they lose it and have no way of opening their door. The fact that you can't do that with USB keys is my biggest gripe with them. I understand that inability to copy even if you have physical access to the original has its security advantages, but 1) most things don't actually need that much security, and 2) it could still be done by e.g. allowing you to buy them in premanufactured batches where all keys are identical.

c0wb0yc0d3r1y ago

This is exactly how I describe them to many as well. I just wish there was a USB key with the durability of a metal key.

2 more replies

selykg1y ago

The biometric stuff is simply allowing access to the keys. It’s not being used for anything else.

Your face or fingerprint being out there isn’t a concern because that’s not, ultimately, the thing being used to generate the keys or anything.

It’s an ease of use function.

On iOS for instance, as I understand it, these are being stored in iCloud Keychain. Which has a password. The derived key for iCloud Keychain is stored in such a way that the system has access if you allow biometrics to be used.

Biometrics then simply allow access, in essence, not part of the encryption process. The password for iCloud Keychain is necessary to add those items on a new device. Your biometrics aren’t stored by Apple anywhere other than in the device.

Honestly I am blown away how few people on this site understand how this stuff works. It’s fascinating and I’m surprised more people aren’t interested in understanding it. But so many people assume the biometrics are being used in the encryption process and that if your face is somehow stolen your whole life is doomed. These features have been on Apple devices for what.. a decade almost at this point? More? The process for Face ID is the same as Touch ID. Developers make zero distinction between the two in code, as that whole process is passed off to the system and effectively results in a bool value (or access to the secure item requested). At no point does a developer ever get your biometrics data.

I don’t know how Android or Windows do it but it is similar enough I suspect.

The FUD around passkeys feels like some sort of propaganda campaign to discredit it.

pixl971y ago

"A pass key is an ssh key with more steps for the user to fuck up and get locked out of their account"

I mean there is plenty of FUD, but at the end of the day it's not terribly exciting technology.

kevinsync1y ago

Agree. I actually wanted to acquire a biometric signature to do something with it on iOS and was super bummed once I dug in to see how it works -- all Apple exposes is a function that returns true or false hahaha

m3kw91y ago

This is the part where you have people dismissing a security from a simple assumption and reverting back to another assumption of their current state. Is still dangerous

taeric1y ago

Your fingerprint/faceid/whatever is used to access the passkey. It is not the passkey. To that end, yes, if you are worried about clandestine access to your phone (if that is your passkey), then you probably don't want to allow access using fingerprint/faceid. And if someone can copy your passkey off of your phone, you are again compromised.

m3kw91y ago

Your faith in humanity seem low, because this would never be pushed worldwide by security experts who eats and sleeps it, if it was so easily broken where you just figures it out during a comment

NoMoreNicksLeft1y ago

This sounds, to me, like a really bad and convoluted way of storing pub/priv in a password manager, and hoping the software implementation gets it right when it's trying to manage these things for me because I'm too dumb to manage passwords and too hobbled by bad IT policies that want to change my passwords every 4 weeks.

red_admiral1y ago

Yubikeys absolutely took off in certain corporate, government and tech environments. Just not so much with the general public.

michaeltOP1y ago

Eh, somewhat. The lost key account recovery story is much better in large organisations, where you have a 24/7 helpdesk that can check your ID badge in person, a HR department with a photocopy of your passport, and suchlike.

But for example if you're using Azure/AD? No U2F + Password allowed, gotta go straight to "passwordless" [1].

So they never took off far enough for Microsoft to support them.

[1] https://learn.microsoft.com/en-us/entra/identity/authenticat...

ryandrake1y ago

[deleted]

whartung1y ago

The big question I have is are the keys device/browser specific?

Seems to me I need to be able to log in with a password from any place (my phone, my machine, my office, my wifes phone, her laptop, my friends laptop, etc.).

I mean, who knows when I'll want or need to get into Something.

Also, my wife and I share accounts (such as Amazon). So, it needs to work seamlessly across all of her devices.

Then there's always the "F-with it factor" that I loathe. At least I understand passwords. Can (mostly) always recover a password (I recall trying to recover my Apple ID password -- they bluntly said "ok, but you have to come back in 2 weeks", so I was locked out for 2 weeks).

And, of course the level of patience my wife has with Technology is less than zero.

I rely on my Safari auto fill, when I use another browser, I just copy the pw from Safari.

And I don't use any of the cloud services. I have an iPhone, but don't use iCloud.

j / k navigate · click thread line to collapse

0 pointsmichaelt1y ago0 comments

> I’ve avoided passkeys so far because I just don’t have a good mental model of them.

OK, so the simplest way to understand is to first know about the previous generation.

U2F keys are designed to be used alongside a username and password, as a more secure replacement for phone apps showing 6-digit codes.

0 comments

chrisweekly1y ago

> "and use fingerprint/faceid instead of a password"

vel0city1y ago

chrisweekly1y ago

thanks, that does help.

throwaway484761y ago

The unstated value of a USB key is the functional similarity to metal keys for ordinary people.

int_19h1y ago

c0wb0yc0d3r1y ago

This is exactly how I describe them to many as well. I just wish there was a USB key with the durability of a metal key.

2 more replies

selykg1y ago

The biometric stuff is simply allowing access to the keys. It’s not being used for anything else.

Your face or fingerprint being out there isn’t a concern because that’s not, ultimately, the thing being used to generate the keys or anything.

It’s an ease of use function.

I don’t know how Android or Windows do it but it is similar enough I suspect.

The FUD around passkeys feels like some sort of propaganda campaign to discredit it.

pixl971y ago

"A pass key is an ssh key with more steps for the user to fuck up and get locked out of their account"

I mean there is plenty of FUD, but at the end of the day it's not terribly exciting technology.

kevinsync1y ago

m3kw91y ago

This is the part where you have people dismissing a security from a simple assumption and reverting back to another assumption of their current state. Is still dangerous

taeric1y ago

m3kw91y ago

Your faith in humanity seem low, because this would never be pushed worldwide by security experts who eats and sleeps it, if it was so easily broken where you just figures it out during a comment

NoMoreNicksLeft1y ago

red_admiral1y ago

Yubikeys absolutely took off in certain corporate, government and tech environments. Just not so much with the general public.

michaeltOP1y ago

But for example if you're using Azure/AD? No U2F + Password allowed, gotta go straight to "passwordless" [1].

So they never took off far enough for Microsoft to support them.

[1] https://learn.microsoft.com/en-us/entra/identity/authenticat...

ryandrake1y ago

[deleted]

whartung1y ago

The big question I have is are the keys device/browser specific?

Seems to me I need to be able to log in with a password from any place (my phone, my machine, my office, my wifes phone, her laptop, my friends laptop, etc.).

I mean, who knows when I'll want or need to get into Something.

Also, my wife and I share accounts (such as Amazon). So, it needs to work seamlessly across all of her devices.

And, of course the level of patience my wife has with Technology is less than zero.

I rely on my Safari auto fill, when I use another browser, I just copy the pw from Safari.

And I don't use any of the cloud services. I have an iPhone, but don't use iCloud.

j / k navigate · click thread line to collapse