this post was submitted on 09 Apr 2024
503 points (92.7% liked)
Technology
59440 readers
3634 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Could someone ELI5 (if possible) what passkeys actually are?
Basically hardware keys (like YubiKey) without hardware
So…. Software keys…
a.k.a password-protected certificates
Most in the crypto industry wouldn’t consider a hardware key that shares metal with an internet connected device to be a very safe hardware key though. Of course when your hardware key such as a ledger or yubikey is plugged into your computer, now it’s also sharing metal.
I think the industry needs a term to differentiate between all these categories of hardware wallets.
The best is an airgapped hardware wallet such as Keystone.
Oh, yes. Let’s listen to the crypto industry, that famous industry with no security breaches or frauds. We might as well ask for site design advice from restaurants that don’t put their hours or menu somewhere prominent on their site.
I'd like to think there's a difference between the cryptography industry and the cryptocurrency industry
That's probably what pisses me off the most about the cryptocurrency world. They somehow appropriated the word "crypto" to mean their internet money, instead of the meaning it had tracing back to World War 2, if not earlier.
The crypto industry has been perfecting key security for 10 years with huge financial incentive to do so.
Hacks and grifters are in every industry. It’s unrelated to a conversation about passkeys.
Let me know when the crypto community gets key security perfected so I can buy some glorified airplane points from a guy named catfucker88 or whatever. In the mean time, I’ll use normal cryptography libraries and leave the headassery to others.
Who hurt you?
A few extremely beautiful women but they got consent beforehand and I hold no grudges. If I’m honest with myself, I mostly enjoyed it.
Did they scare you from crypto? Perhaps they sold all of your assets and hid the proceeds in crypto?
I’m genuinely curious why the disdain for a censorship resistant, global state machine.
Is it selective? Like are newer high speed L1 ledgers like sui and solana hated by you just as much? Do you just hate memecoins?
No, I’m just a Democratic socialist software engineer with an economics background. I’m pretty much exactly who would think blockchain is unimpressive tech and would be suspicious of the libertarian utopian economic theories behind it.
A lot of it is that I see most of the mistakes of the 1800’s American free banking era being repeated. There’s a lot of intuitive-seeming economic ideas that have been discredited by real world events. Most crypto enthusiasts buy into one, whether it’s goldbugism or Austrian economics or whatever. Most of the economic theories behind bitcoin were things we usually learned the hard way are not effective.
And so, of course it’s ripe with scams. Sometimes, what sounds like common sense is actually just some mistake humans make every time we forget history. I was originally hopeful the tech would make things like international remittances cost-free (and disrupt Western Union or whatever) but it really hasn’t.
And, like it or not, we have a carbon budget. Off-grid Bitcoin mining using solar or wind doesn’t bother me. Have fun with that. But if any part of it requires more burning of coal or natural gas, it’s a net negative to humanity even before we get into money laundering and scams.
I think I have considered the merits — you mentioned avoiding government oppression — and still think the negative outweigh the positives. But I sometimes smoke so what do I know?
It’s such a huge industry which often gets attention due to its scams and ponzis. That part bugs me. It’s like getting in a tizzy about the SWIFT network because people gamble in Las Vegas.
The stablecoin market and surrounding tools for remittance, lending, settlement, etc are quite different from influencers pumping $CUMROCKET or whatever nonsense they come up with.
Being able to test and observe the crazy economic theories you’ve mentioned is kinda fascinating. And the game theory involved.
Permissionless, programmable, globally synchronized ledgers bring new trustless value transfer capabilities which certainly shouldn’t be completely written off because of some grifters or economic idiots.
And in the context of this conversation, gathering some ideas and lessons learned from an industry using keypairs with retail consumers to protect trillions in value is certainly worth consideration.
I’m genuinely hopeful it becomes something. Sometimes, after a bubble bursts, people find out the true upside. Like when the dot com bubble burst, there was suddenly all this super cheap infrastructure and bandwidth. That allowed a lot of innovation.
The bubble bursts every 4 years.
Bitcoin dies constantly
Wtf are you talking about
If the key is in the same device that's being used to access a protected resource over the network, the thing can be potentially be hacked and the key retrieved.
That's why there are solutions were the key never leaves a secure hardware device, such as challenge-response authentication were a bank card's smartchip is used to generate responses to the challenges (with the key never being outside the card) or keydongles that show a variable code, depending on time.
This is actually pretty old tech.
Not ELI5 level but...
If you understand SSH keys, it's basically the same thing made more general.
Whatever website (e.g. lemmy.world) has a copy of the public key, they encrypt something with the public key, you decrypt it, reencrypt it with your private key and send it back (where they can then decrypt it and verify what they got back is what they expected). By performing that round trip, you've verified you have the correct key, and the "door opens."
The net effect is you can prove who you are, without actually giving someone the ability to impersonate you. It's authentication via "secret steps only you would know" instead of authentication by a fixed "password" (that anyone who hears it can store and potentially use for their own purposes).
That's all wrapped up in an open protocol anyone can implement and use to provide a variety of (hopefully) user friendly implementations (like the one Proton made) 🙂
From my understanding it's the concept of trust. Basic passwords are complete trust that both ends are who they say they are, on a device that is trusted, and passing the password over the wire is sufficient and nobody else tries to violate that trust. Different types of techniques over time have been designed to reduce that level of trust and at a fundamental level, passkeys are zero trust. This means you don't even trust your own device (except during the initial setup) and the passkey you use can only be used on that particular device, by a particular user, with a particular provider, for a particular service, on their particular hardware.....etc. If at any point trust is broken, authentication fails.
Remember, this is ELI5, the whole thing is more complex. It's all about trust. HOW this is done and what to do when it fails is way beyond EIL5. Again, this is from my own understanding, and the analogy of hardware passwords isn't too far off.
so it's basically what a SSH key is? can I not log in to an account from my laptop if I set it up on my phone then? that seems like a massive hassle if it's the case
It basically performs the same function as an SSH key (providing public key authentication), yes.
Your issue with logging in on your phone vs laptop can be solved by either syncing them (like the OS/Browser platforms of Google/Apple/Microsoft or a password manager like Proton Pass/Bitwarden do) or by setting up each device separately (like most people should do with SSH keys). Each method comes with trade-offs: syncing means they aren't device bound and can potentially be stolen, setting it up on each device can be a pain, etc.
The important thing to remember is that passkeys don't need to be the only authentication methods attached to an account. You can use the convenience of a passkey most of the time when it's possible and then fall back to another method (like a password/TOTP pair) when that's not available (such as when setting up a new device). There's also always the standard account recovery options if all else fails, those don't necessarily go away.
The other thing to remember is that it's not trying to be a perfectly secure solution to all authentication everywhere but to replace passwords with something better. Not having to generate and store random passwords with arbitrary complexity requirements, being able to log in with just a tap or a click, and not having anything that needs to be kept secret on the website's side can be enough of an improvement over passwords to make the change worthwhile.
If a passkey isn't device bound, what makes different/better than a complex password? Is it just the standardisation that you mention? Enforcing using passkeys becomes exactly the same as enforcing using complex passwords
One key benefit regarding hacking: the data that's passed back and forth between the user's browser/app and the website/service is a challenge and a response and is no longer sensitive like a password is and the authentication related data (the public key) that the website stores for a user's account isn't useful to an attacker.
One key benefit regarding phishing: passkeys/WebAuthn credentials incorporate the domain name into part of the authentication and it's enforced by the browser. This means that using a passkey/security key on the wrong site won't give an attacker anything useful unless they also somehow control the DNS and have a valid TLS certificate to impersonate the site with. This is unlike the situation with a phishing website where a user can be tricked by a fake but convincing looking website into giving over not just a password but a one time code provided through SMS or a TOTP.
One key benefit regarding usability: The user just has to choose which account to log into from their password manager instead of having it need to autofill correctly on the website (I still run into sites that don't autofill right). They also don't need to worry about any specific password complexity requirements or changing passwords in response to breaches or password expiration times.
this makes a lot of sense, thanks!
You setup passkeys for all your devices with biometric features. I know I have a Yubikey for my desktop, facial recognition on my phone, and a fingerprint reader on my laptop. So, I setup 3 passkeys using biometric (fingerprint or face). I also kept my password and 2FA for now because it’s all new. I wouldn’t recommend jumping in face first.
I only am using it on a few key sites and partly because I’m a web developer testing it all out. I wouldn’t advise it for the average user at the moment but it’ll mature and many password managers can store passkeys now. As it matures, I’m hopeful it becomes seamless like FaceID and fingerprint readers.
Close, but you are still trusting the device you own. If I were to compromise that device, I could capture that key and use it. Again, this is my limited understanding, but a zero trust solution works in such a way that the actual keys are not stored anywhere. During setup, new temporary keys are generated. A keypass binds to the temporary key for use of authentication. The temporary key can be revoked at any time for any reason, whether it's due to a breach or routine policies. It can be as aggressive as it needs, and the implication is that if someone else (either you or an attacker) got issued a new temporary key then the other would not receive it. Using an incorrect temporary key would force an initialization again, using the actual keys that aren't stored anywhere.
The initialization process should be done in a high trust environment, ideally in person with many forms of vetting. But obviously this doesn't take place online, so there is the risk that your device is not trusted. This is why the process falls back on other established processes, like 2FA, biometrics, or using another trusted device. How this is done is up to the organization and not too important.
But don't get too hooked on the nuances of passwords, keys, passkeys,etc. The entire purpose is to limit trust, so that if any part of the process is compromised, there is nothing of value to share.
Disclosure: Worked in military and this seems to be a consumer implementation of public/private key systems using vector set algorithms that generate session keys, but without the specialized hardware. It's obviously different, but has a lot of parallels, the idea in this case is that the hardware binds to the private/public keys and generates temporary session keys to each unique device it communicates with, and all devices can talk with members of it's own vector set. Capturing a session key is useless as it's constantly being updated, and the actual keys are stored on a loading device (which is subsequently destroyed afterwards, ensuring the actual key doesn't exist anywhere and is non recoverable, but that's another thing altogether). My understanding of passkey systems is solely based on this observation, and I have not actually implemented such a solution myself.
I guess it's a bit like a bank card with a PIN. You go to pay for something and your card stores your credentials on it. To allow those credentials to be read you need to unlock them using the PIN.