Difference between revisions of "Passkey"
Revision as of 16:49, 28 April 2024
Full Title or Meme
As the name Passkey suggests, it requires dual verification of an account before someone can sign in to that account.
Context
Passkeys differ subtly from FIDO 2.0 in that they wrap multi-device Fast Identity Authentication in another protocol. A passkey uses a notification, generally sent to an individual's smartphone during a log-in process, that lets them authenticate their credentials. Often this is done with a PIN or biometric check, which removes the need for conventional letter-and-number passwords.[1]
- State of Passkeys according to the guys that created the thing. 2024-04
Features
- Passkeys can be synced between devices where enabled by the device. This feature can be blocked by using device-bound Passkeys.
- The user must unlock the passkey on the device before it is used. Typically a Biometric Factor or PIN is used.
Problems
- I Stopped Using Passwords. It’s Great—and a Total Mess (Wired, 2024-02) https://www.wired.com/story/stopped-using-passwords-passkeys/
- The credentials created by a web-connected user on a browser are completely useless when the underlying protocol insists on some complex format like SD-JWT.
- Misconceptions about passkeys, or not? https://github.com/passkeydeveloper/passkeys.dev/issues/363
- FIDO requires secure origin binding and TLS, but that is not accessible to all password managers, so a man-in-the-middle attack only requires spoofing the origin to be part of the origin used for the key. (In other words, the FIDO binding does not seem to apply to what happens in the xxx-manager unless the xxx-manager is fully integrated into a browser that is FIDO compliant.)
Acceptance
- Passkeys are supported by both Apple and Google. See the website for details.
- By the end of 2023 it looks like more people are using passkeys than expected.[2]
1Password experienced a particular spike in October 2023, correlating with big companies like Amazon and WhatsApp rolling out their support for passkeys during this month, with over 70,000 created between October 16-22 alone.
Portability
Vendor Relationship Management (via Doc Searls) is coming true but it is fully hidden behind terms like:
- Password Management,
- Credential Management,
- Portable Passkeys.
But the point is that a human being can move their access, and the metadata about the sites they visit as part of their daily life. I hope it works out! I hope they make the result extensible. See this video clip from Rew Islam and Nick Steele.
References
1. FIDO Passkeys - Accelerating the Availability of Simpler, Stronger Passwordless Sign-Ins. https://fidoalliance.org/passkeys/
2. Lewis Maddison, Looks like more people are using passkeys than expected: 1Password sees passkeys exceed 700k (2023-12-21). https://www.techradar.com/pro/security/looks-like-more-people-are-using-passkeys-than-expected
Other Material
- For a more generic solution, check out this wiki page: Vendor Relationship Manager.