 So, passkeys. I started to see lots of notifications about them, and I naturally wondered what they are. Is my understanding correct that it’s the same idea as with password managers: they generate long unique password and remember it for you? So if I already using password manager, I don’t really need passkeys? Am I right? 31 comments
@nikitonsky Most will probably, because they need it for communication. But assume I configure my YubiKey and use it for PassKeys, I lose it, and you find it on the street. Then you could try and use it to log into amazon.com, and if there is a PassKey on there for that domain, you could log into amazon.com with my account without knowing anything about me @nikitonsky Passkeys have the added benefit that they are never transmitted to somewhere or someone else. They are just used to do some cryptographic operations with the result being sent. Unless your password manager has some kind of bug, it's impossible to steal them from you.  @nikitonsky Passkeys are more like hardware keys. They are tied to a domain, so phising for a passkey on another domain is not possible… @nikitonsky Almost. Passkeys have an API. Password managers too, but they can also used by hand so they can be phished. @nikitonsky Never seen such a password manager. Also: passwords might get sniffed. With passkeys, you need to hijack the communication channel, because of the challenge/response nature (but I'm no expert). However, the difference between passwords and passkeys might be more applicable to "normal" users (although even experts get phished sometimes). @doekman I mean, what password manager gives you: - Unique password per site But I like signing the challenge part instead of sending entire password. That’s the part password managers don't give you @nikitonsky I'm not in favour of passkeys. The passkey on GitHub doesn't work anymore for some reason (yubikey does work). However, passwords have problems. They can be stolen (and you only notice it when it's too late). Password managers are not fool proof. I use Safari, and that's probably the worst offender. But my girlfriend uses Chrome’s, and it just doesn't work all the time. 1/2 @nikitonsky afaik, the 'long unique password' is a public key. The server does not have access to the private key. The passkey is tied to the website domain name. Passkeys cannot yet be moved between authenticators. Imo a different idea from passwords and password managers, better in many respects. Eventual UX story might be much nicer, short-term they’re unfamiliar and come with new UX challenges.(Have only used passkeys as a user, not yet as server operator. See also recent DHH/Hey comments.)  @nikitonsky I assumed by passkeys you meant something like Yubikey or Nitrokey. Once a key is written there, it can't be extracted by "normal" means. If you want a backup, you buy two devices and write your keys to both of them¹ [1] https://support.yubico.com/hc/en-us/articles/360016614880-Can-I-duplicate-a-YubiKey @nikitonsky Nitrokey and Yubikey can act as passkeys for FIDO2. I use my Flipper Zero for WebAuth, and there the keys are encrypted with device-specific keys, so merely copying them onto another device will now work¹. I'm not sure about other implementations, but I assume they act similarly? @nikitonsky it's public/private keys for authentication, so you never have to pass a secret to the server, and the server doesn't hold anything that's worth leaking @willhbr so during auth server asks you to sign something instead of transmitting password for check? > server doesn't hold anything that's worth leaking This is already true with hashed/salted passwords, no? @nikitonsky yeah, your device signs something and the server never receives the private key. Also the password manager integrates directly into the browser so you just click "sign in w/ passkey" instead of it having to hack around filling in a form. If a site does a bad job choosing their hash/salt then a leaked DB could be reversed to passwords (or they could be storing in plaintext), and the server receives the plain password during authentication, neither of those are possible with passkeys @nikitonsky they are cryptographic credentials (so server side only includes your public key, no leaks) whose evaluation also involves web origin (so no fishing possible, like u2f second factor). Downsides: they are bound to their storage, you can't write them like a text password (hi Google on TV) making backing up not as easy. Having them in a password manager is already kinda close to regular passwords, but not quite.   @nikitonsky passkey is set of public and private key, so they are better than just long password (nothing can leak from website DB)  @dotfox @sitnik_ru sure, it’s just Andrey tried to say it is somehow an unique attribute of passkeys, which is wrong. Normally website DBs don’t store user passwords either, so these can’t leak either. They store emails, which in passkey case is the same as storing public part @nikitonsky can. But with a public key you can't login. For login you sign random data from the server with a private key and send a signature to the server. So public key leakage has no security issues for you. @nikitonsky email is a user’s global ID, not a secret. The public key is unique for each website and can't be used to identificate users. A public key is better than a password hash because of the better crypto methods behind (it is hard to do hash right). @nikitonsky You’re correct; an intuitive interpretation of a pass key is a randomly generated password. They’re better than passwords because you can’t use them in a phishing site, and because they’re guaranteed to be unique. And it’s not really possible to steal them. However, the UX is not as refined as using a password - it’s closer to using a hardware security key. Implications for recovery are similar, if that’s your only way in.  @nikitonsky Passkeys are better because they provide a much stronger guarantee to the service that it is actually you. Phishing, password theft, impersonation practically not possible. Passkeys are worse because they are less portable between ecosystems, providers and devices. There is inherent tendency for big players (Apple, Google, MS) to win the whole market |
Gregory's Server
@nikitonsky afaik passkeys are the whole credentials. A password in a password manager needs to be entered for the correct username, a passkey is both.