@nikitonsky Let me ramble about information security theory for a moment.

To authorize a user, you either check they **have** something (key, card, file, private key, etc) or they **know** something (password, pin, passphrase, etc). If you check both it's 2FA, and that's why storing TOTPs in a password manager is the dumbest thing one can do.

Passkeys provide a good and reliable way to "have" something. Unlike files (e.g., ssh keys) they can't be stolen remotely. Unlike key cards they can't be cloned with a simple reader. It's really hard to create a copy of one; that's why they're good.

But they are definitely not like passwords :)

Niki Tonsky

@bemyak what do you mean “hard to make copy”? It’s just data, why is it hard?


@nikitonsky I assumed by passkeys you meant something like Yubikey or Nitrokey. Once a key is written there, it can't be extracted by "normal" means. If you want a backup, you buy two devices and write your keys to both of them¹

[1] support.yubico.com/hc/en-us/ar


@nikitonsky Nitrokey and Yubikey can act as passkeys for FIDO2. I use my Flipper Zero for WebAuthn, and there the keys are encrypted with device-specific keys, so merely copying them onto another device will not work¹. I'm not sure about other implementations, but I assume they act similarly?

[1] docs.flipper.net/u2f
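The "it's just data, so why can't you copy it" question above has a concrete answer in how U2F/FIDO2 authenticators handle credentials. The toy model below is an added example, not code from the thread, from Flipper, or from Yubico firmware: it follows the widely documented derived-key design, where the device never stores per-site private keys at all. It keeps a single master secret, derives each credential's P-256 private key from that secret plus the relying-party ID and a per-registration nonce, and hands the relying party a "key handle" (nonce plus MAC) that is useless without the secret that produced it. Whether a given product derives or instead wraps stored keys is an implementation detail and an assumption here; the property the thread is about is the same either way: copying the credential blob to another device buys you nothing, because the second device cannot recompute the MAC or the key. The relying-party name `example.com`, the challenge bytes and the hypothetical `Authenticator` type are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Authenticator models a hardware key. Its only persistent state is a
// device-unique master secret that never leaves the device (assumption:
// a real device keeps this in a secure element; here it is just RAM).
type Authenticator struct {
	master []byte
}

func NewAuthenticator() *Authenticator {
	m := make([]byte, 32)
	if _, err := rand.Read(m); err != nil {
		panic(err)
	}
	return &Authenticator{master: m}
}

// prf is HMAC-SHA256 over a labelled (rpID, nonce) tuple under the master
// secret. The label separates the key-derivation and handle-tag domains.
func (a *Authenticator) prf(label, rpID string, nonce []byte) []byte {
	mac := hmac.New(sha256.New, a.master)
	mac.Write([]byte(label))
	mac.Write([]byte(rpID))
	mac.Write(nonce)
	return mac.Sum(nil)
}

// derive recomputes the per-credential P-256 private key. Nothing about
// the key is stored; it exists only while the device is computing with it.
func (a *Authenticator) derive(rpID string, nonce []byte) *ecdsa.PrivateKey {
	curve := elliptic.P256()
	d := new(big.Int).SetBytes(a.prf("key:", rpID, nonce))
	d.Mod(d, curve.Params().N)
	if d.Sign() == 0 { // astronomically unlikely, but 0 is not a valid scalar
		d.SetInt64(1)
	}
	priv := &ecdsa.PrivateKey{D: d}
	priv.PublicKey.Curve = curve
	priv.PublicKey.X, priv.PublicKey.Y = curve.ScalarBaseMult(d.FillBytes(make([]byte, 32)))
	return priv
}

// Register creates a credential for rpID. The relying party stores the
// 64-byte key handle (nonce || MAC) and the public key; the handle carries
// no secret, so leaking the server database does not leak the private key.
func (a *Authenticator) Register(rpID string) (handle []byte, pub *ecdsa.PublicKey) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	handle = append(append([]byte{}, nonce...), a.prf("handle:", rpID, nonce)...)
	return handle, &a.derive(rpID, nonce).PublicKey
}

// Sign answers a relying-party challenge. It refuses handles this device
// did not mint (wrong master secret) and handles minted for another rpID,
// because in both cases the MAC cannot be recomputed.
func (a *Authenticator) Sign(rpID string, handle, challenge []byte) ([]byte, error) {
	if len(handle) != 64 {
		return nil, errors.New("malformed key handle")
	}
	nonce, tag := handle[:32], handle[32:]
	if !hmac.Equal(tag, a.prf("handle:", rpID, nonce)) {
		return nil, errors.New("key handle was not issued by this authenticator for this rpID")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.derive(rpID, nonce), digest[:])
}

// Verify is the relying-party side: check the assertion against the
// public key stored at registration.
func Verify(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	deviceA, deviceB := NewAuthenticator(), NewAuthenticator()
	handle, pub := deviceA.Register("example.com")
	challenge := []byte("constructed server challenge")

	sig, err := deviceA.Sign("example.com", handle, challenge)
	fmt.Println("device A asserts:", err == nil && Verify(pub, challenge, sig))

	// "It's just data": copy the handle to device B. B has a different
	// master secret, so it can neither validate the handle nor derive the key.
	_, err = deviceB.Sign("example.com", handle, challenge)
	fmt.Println("device B with copied handle:", err)

	// The handle is also bound to the rpID, which is the U2F origin check.
	_, err = deviceA.Sign("evil.example", handle, challenge)
	fmt.Println("same device, wrong rpID:", err)
}
```

The handle-plus-MAC trick is what lets a tiny device support an unbounded number of sites with a fixed amount of storage, and it is also why the backup story in the thread is "buy two devices and enroll both": there is no exportable key to copy, so the second device must register its own handle and public key with every relying party.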
