WingNews logo WingNews
top | item 40168069

(no title)

triblemaster | 1 year ago

The mental model is very simple. If you use things like Yubikey, it is exactly like a key you use to start your car. A single password protected key maybe. In essence, it is your password manager but something that everyone can use. And something that doesn't need to be on the cloud.

discuss

order

cuu508|1 year ago

It is like a key to start your car, except you can register it with multiple cars. And it has 25 or so "slots" for car registrations. If you lose the key, you cannot order a copy from the car manufacturer. You also cannot make a copy yourself. But you can (usually) register multiple keys with the same car. You do this by plugging two keys into the same car, and the car learns both keys belong to the same owner. You just have to be careful and keep track of which car is registered with which key, and vice-versa. Sometimes the key will not work with a particular car. Also, after you plug in the key, the car will not start right away. It will first ask you to select which key to use. If you use Bitwarden, it may hijack the key insertion interaction and will offer to use its soft-key instead. So, some small differences ;-)

mavhc|1 year ago

That is how you add new keys to my car, have 2 existing keys present to add a third

jve|1 year ago

Well that doesn't help understand: How passkeys can be backed up? Where/how they are stored? What if I loose my phone, computer? How can I login to some app using pc/mobile?

I haven't been into passkeys as you see, but some easy login like that leaves me with a lot of questions.

pseudo0|1 year ago

The TL;DR version in my opinion is that passkeys are quite similar to a SSH key pair, like one you'd use on GitHub. Basically you generate a key pair, the server stores the public key, and the client stores the private key. When you want to authenticate, the server sends a challenge, you sign it with your private key, and send it back. The main debate is over how to manage those keys after generation.

- Backups: It depends. It seems like the big players (Google, Apple) are pushing an implementation where your passkeys are backed up either in the Google Password Manager or iCloud keychain. That way if you lose your device, you can recover your passkeys the same way you recover your other phone data.

- Storage: It depends. Google and Apple are pushing phone implementations where passkeys are protected by a hardware security module of some sort, either the iOS keychain or Android Keystore. The private keys can't actually be stored in the HSM though, because you need to be able to back them up. So the passkeys are stored encrypted on disk, and the decryption key is stored in the keychain/keystore. Other options include passkeys actually stored in hardware (eg. Yubikeys, but then you can't back them up) or 3rd party password managers.

- Login: It's pretty seamless, just click "login with passkey". The browser handles finding the right passkey, and part of the signed challenge includes the domain the passkey is for, preventing MITM-style attacks. There's also a whole separate thing for authenticating a session on a different device via scanning a QR code or Bluetooth.

Here's a good fairly high-level breakdown of how it all works, if you want some additional detail: https://webauthn.wtf/how-it-works/authentication

makeitdouble|1 year ago

I reread your analogy a few times, and while I think it's probably accurate, there is absolutely nothing simple in it. It reminds me of the "It's like Uber, but for mortgage insurances" kind of startup pitch. It perfectly encapsulates the concept, but the concept itself is just crazy niche.

To note: the key to start a car is provided with the car with no specific operation, is locked to no other device, doesn't care about who's handling it, can be duplicated and passed around. It would be closer to the traditional password system in all of its aspects IMHO.