top | item 40168230

triblemaster | 1 year ago

A physical device which is not your computer stores some secret information which can authenticate you. This can be passwords, passkeys, GPG keys, your retina, etc.

The physical device can be password-protected. So you have two-step authentication: 1. your physical device, 2. your password to that device.

Phones are currently being promoted for various reasons, but I believe something like YubiKeys or other FIDO2 fobs will be a better device. You can have multiple of them; you can store one of them in your bank safe. Someone stealing it off you is proper theft, which can be traced in the usual manner by police. Stealing is not enough because you still need the password. The difficulty of asking you for the password remains equal to the difficulty of hitting you with a wrench. You don't need to remember stuff anymore, because you can just use your physical keys. You will need to travel with those keys, but it's just the same as your house keys. It is probably an extra key on your key fob.

To add to it, the U2F/FIDO2 standard will make it vendor independent, and so no lock-in.

fauigerzigerk | 1 year ago

What I find rather confusing is what happens on each device. There appear to be multiple places where passkeys can get stored (iCloud Keychain, Google account, Chrome profile, Bitwarden, ...?) and depending on where it's stored it may or may not get synced to various other devices, browsers and apps.

So my problem is that I keep forgetting which device, browser or app I used when I created a particular passkey. I'm never asked where I want to store a particular passkey and where I want it to be available. This is all an implicit function of a combination of factors apparently.

It's like misplacing my keys has been taken to a whole new level of abstraction :-)

postalrat | 1 year ago

Many places let you enter and name multiple passkeys. So you add your keychain one and name it "keychain". And also add your phone and call it "whatever phone", then use either.

Personally I only use devices that don't sync and can't be copied for security reasons.

marssaxman | 1 year ago

There's something here I am not following. First you say:

> Stealing is not enough because you still need the password.

But then:

> You don't need to remember stuff anymore, because you can just use your physical keys.

How are these statements both true?

vbezhenar | 1 year ago

Safari on macOS uses passkeys without a phone. So unless you consider the security chip inside a MacBook a separate device, that's not true; that's just one of the modes.

triblemaster | 1 year ago

The security chip inside a MacBook is a separate device for authentication purposes if it needs to be unlocked and cannot be bypassed by the OS.

geertj | 1 year ago

Thanks! A bit late to the party, but if you still see this, I presume the authentication exchange between the web server and the device is some kind of challenge response? And if so, does the challenge/response depend on the type of credential that's in the device?