• pyre@lemmy.world
    link
    fedilink
    English
    arrow-up
    14
    ·
    2 months ago

    I’m not gonna lie I still don’t understand how passkeys work, or how they’re different from 2fa. I’m just entering a PIN and it’s ok somehow? I don’t get it.

    • cashew@lemmy.world
      link
      fedilink
      English
      arrow-up
      11
      ·
      2 months ago

      It uses asymmetric cryptography. You sign a login request with the locally stored private key and the service verifies the signature with their stored public key. The PIN on your device is used to unlock access to the private key to sign the login request.

        • Spotlight7573@lemmy.world
          link
          fedilink
          English
          arrow-up
          10
          ·
          2 months ago

          Typically in most situations where a PIN is used on a modern device, it is not just the number you enter but some kind of hardware backing that is limited to the local device and also does things like rate limiting attempts.

    • Spotlight7573@lemmy.world
      link
      fedilink
      English
      arrow-up
      9
      ·
      2 months ago

      The passkey stored locally in some kind of hardware backed store on your device or in your password manager is the first factor: something you have.

      The PIN/password or fingerprint/face to unlock the device and access the stored passkey is the second factor: something you know or something you are, respectively.

      Two factors gets you to 2FA.

    • johannesvanderwhales@lemmy.world
      link
      fedilink
      English
      arrow-up
      8
      ·
      edit-2
      2 months ago

      If you’ve ever used ssh it’s very similar to how ssh keys work. You create a cryptographic key for the site; this is the passkey itself. When you go to “log in” the client and server exchange cryptographic challenges, which also verifies the site’s identity (so you can’t be phished…another site can’t pretend to be your bank, and there are no credentials to steal anyway). Keys are stored locally and are generally access restricted by various methods like PIN, passphrase, security key, OTP, etc. When you’re entering your PIN it’s how the OS has chosen to secure the key storage. But you’ve also already passed one of the security hurdles just by having access to that phone/computer. It is “something you have”.

      • Valmond@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        2
        ·
        2 months ago

        So one password to access them all basically?

        That’s quite a weakness.

        • Spotlight7573@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          2 months ago

          So one password to access them all basically?

          That’s essentially how all password managers work currently though?

            • Spotlight7573@lemmy.world
              link
              fedilink
              English
              arrow-up
              3
              ·
              2 months ago

              If it makes you feel better, most PINs on modern devices are hardware backed in some way (TPM, secure enclave, etc) and do things like rate limiting. They’ll lock out using a PIN if it’s entered incorrectly too many times.

        • johannesvanderwhales@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          2 months ago

          It’'s really up to the end device (and the user of said device) to decide how much security to put around the local keys. But importantly, it also requires access to the device the passkeys are stored on which is a second factor. And notably many of the implementations of it require biometrics to unlock.

          The “one password” thing is also true of password managers, of course. One thing about having one master passphrase is that if you do not have to remember 50 of them, then you can make that passphrase better then you otherwise might, plus it should be unique, which prevents one of the most common attack vectors.

          • Valmond@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            2 months ago

            As I said to Spotlight7573 yes true, I just hoped for something better.

            • johannesvanderwhales@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              2 months ago

              If you’re paranoid about this, go buy a yubikey and use that to secure your device/access to your passkeys. Being able to secure your own data instead of relying on the admin who may or may not know what they’re doing to secure the server is an advantage of passkeys.

    • JakenVeina@lemm.ee
      link
      fedilink
      English
      arrow-up
      3
      ·
      2 months ago

      As I understand it (and assuming you know what asymmetric keys are)…

      It’s about using public/private key pairs and swapping them in wherever you would use a password. Except, passwords are things users can actually remember in their head, and are short enough to be typed in to a UI. Asymmetric keys are neither of these things, so trying to actually implement passkeys means solving this newly-created problem of “how the hell do users manage them” and the tech world seems to be collectively failing to realize that the benefit isn’t worth the cost. That last bit is subjective opinion, of course, but I’ve yet to see any end-users actually be enthusiastic about passkeys.

      If that’s still flying over your head, there’s a direct real-world corollary that you’re probably already familiar with, but I haven’t seen mentioned yet: Chip-enabled Credit Cards. Chip cards still use symmetric cryptography, instead of asymmetric, but the “proper” implementation of passkeys, in my mind, would be basically chip cards. The card keeps your public/private key pair on it, with embedded circuitry that allows it to do encryption with the private key, without ever having to expose it. Of course, the problem would be the same as the problem with chip cards in the US, the one that quite nearly killed the existence of them: everyone that wants to support or use passkeys would then need to have a passkey reader, that you plug into when you want to login somewhere. We could probably make a lot of headway on this by just using USB, but that would make passkey cards more complicated, more expensive, and more prone to being damaged over time. Plus, that doesn’t really help people wanting to login to shit with their phones.