I see more and more articles, etc. regarding FIDO Passkeys since phishing attacks and other types get more and more sophisticated. I’ve read over this…
…but I don’t really get the use cases across various devices or accessing websites requiring authentication, e.g. Banking/Financial Services, Utilities, Nest/Alexa, forums like this website, etc.
How does a FIDO passkey replace OS, browser-based, or online-service (e.g. LastPass) password managers? As an example of what I am trying to understand, how do I log in to TAK if it is under FIDO passkey control? As in, if I want to access via my mobile phone, then later my Windows PC w/Firefox, then later at a friend’s house on his computer, then log in to the DMS jump server and use Chrome to access. Is this seamless in the sense that my typing in my username and password is?
They don’t really. A lot of these password managers are how people sync their passkeys across devices. The big thing with passkeys is that they are cryptographic key pairs - and can have extra metadata signed into them by the server request. This is why some sites will use a passkey only as a password, but you still need to enter a username and/or some other information. Then there are some sites where you can just log in directly with a passkey, and don’t need to remember a username or anything.
They’re more secure than a regular password because they are full keys (way more bits of data) than your typical hashed password would be. Also the private keys/secure side is kept primarily by the client; the server only sees the public key, which is not really sensitive… Which means that dumping the database isn’t going to reveal anyone’s passwords or ability to impersonate. (I mean, obviously if a hacker has access to the database, that’s still a huge issue because they could overwrite keys and other info directly but…)
More and more OSs and services are offering passkey syncing natively: Google, Apple, I think Microsoft now, password managers, etc. You can also buy the hardware/USB ones like Titan or YubiKeys, which add an additional security layer since the private keys and signing occur only/directly on a USB chip that can’t get firmware updates, making it much harder to duplicate/hack.
They don’t necessarily stop all phishing attacks, but they can help - since there is a cryptographic agreement between server and client built into the passkey - so man-in-the-middling doesn’t really work to get the underlying crypto data.
The part where this gets irritating is that if you use something like a password manager, it usually won’t be able to feed through a remote desktop connection like a copy-and-pasted password would. If you had a USB passkey… you could forward the USB device over RDP, but usually you then lose access to it on your local computer until after the session is closed.
The passkey landscape is a hot mess. Browser and OS vendors hijacked it and made it less than wonderful. I’m hoping that, over time, this sorts itself out so that the interoperability issues between all my different devices are not mind-numbingly painful.
TLDR: I’m not using passkeys right now if at all possible. I do use security keys and a password manager (KeePass) for security.
I still mostly use good old passwords. I grudgingly use 2FA if forced, but I am learning that is hell for survivors should you die. Paperless statements are a double dose of hell - just do not do it if you love your survivors any at all.
I do not fear hackers as much as flaws in browsers and operating systems and crap like CrowdStrike.
Yep…this, along with rising concerns of co-opting session cookies (directly associated with MITM) was what got me wondering, investigating…
Yeah…this is kinda what I was wondering/worried about, since it was obvious that something that seemed like it should be simple to understand and adopt, wasn’t. (hence the thread here…). Thanks for your input and perspective :–)
I personally don’t use any big service Passkey syncing - I will never use Apple or Google’s passkey services.
Passkeys themselves as a standard are fairly straightforward and easy to implement. They also make sense: it’s similar cryptography to what we use for TLS, GPG/PGP, and mail signing.
What drives me nuts is that most desktop apps/browsers are pretty okay with 3rd-party and all sorts of passkey management solutions, but phones seem to be super locked down to the vendor of the phone (Android Chrome only allows the passkeys to be saved to the Google password account, Apple to the Apple keychain, and so forth).