Difference between revisions of "Passkey"

From MgmtWiki
Revision as of 16:39, 16 September 2024

Full Title or Meme

As the name Passkey suggests, it requires dual verification of an account before someone can sign-in to that account.

Context

With Passkeys there’s a subtle difference to FIDO 2.0 as it surrounds a multi-device Fast Identity Authentication with another protocol. Passkey uses a notification, which is generally sent to an individual’s smartphone during a log-in process and lets them authenticate their credentials. Often, this is done using a PIN or biometric process and thereby removes the need for conventional letter and number combination passwords.[1]

Features

  • Originally Passkeys were device bound and could not be moved between devices.
  • Passkeys since 2024 can be synced between devices that have enabled syncing. This feature can be blocked by using device-bound Passkeys.
  • The user must unlock the passkey on the device before it is used. Typically a Biometric Factor or pin is used.

Problems

  • I Stopped Using Passwords. It’s Great—and a Total Mess Wired 2024-02
  • The credentials created by a web-connected user on a browser are completely useless when the underlying protocol insists on some complex format like SD-JWT.
  • Misconceptions about passkeys or not?
  • FIDO requires secure origin binding and TLS. But that is not accessible to all password managers, so a man-in-the-middle attack only requires spoofing the origin to be part of the origin used for the key. (In other words, the FIDO binding does not seem to apply to what happens in the xxx-manager unless the xxx-manager is fully integrated into a browser that is FIDO compliant.)
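To make the origin-binding point concrete, here is an added example (not from this wiki page or the FIDO Alliance) of the checks a relying party performs on a WebAuthn assertion before it even verifies the signature: the origin recorded in clientDataJSON must be one the RP registered, and the first 32 bytes of authenticatorData must equal sha256(rpId). The RP ID, origins and challenge are constructed values. Note that the origin string is written by the client platform, which is exactly why the binding only holds when the component that produced it is a FIDO-compliant browser rather than an unintegrated manager.

```python
import base64
import hashlib
import json

RP_ID = "example.com"  # constructed relying-party identifier
EXPECTED_ORIGINS = {"https://example.com", "https://login.example.com"}  # constructed


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def verify_binding(client_data_json: bytes, authenticator_data: bytes,
                   expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party side checks of ceremony type, challenge, origin and RP ID hash.
    Returns (ok, reason); a failed check means the assertion is rejected outright."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if cd.get("origin") not in EXPECTED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not registered for RP"
    # authenticatorData starts with rpIdHash = sha256(rpId)
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match RP ID"
    return True, "origin and RP ID binding verified"


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON in the shape a browser serialises it."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
        "crossOrigin": False,
    }).encode()


def make_auth_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags (UP|UV) || 4-byte signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")


if __name__ == "__main__":
    challenge = hashlib.sha256(b"constructed server nonce").digest()
    good = make_client_data("https://example.com", challenge)
    lookalike = make_client_data("https://example.com.lookalike.test", challenge)
    print(verify_binding(good, make_auth_data(RP_ID), challenge))
    print(verify_binding(lookalike, make_auth_data(RP_ID), challenge))
```

The second call shows what the RP sees when the browser reports a look-alike origin: the assertion is rejected before any key material is consulted.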

Acceptance

  • Passkeys are supported by both Apple and Google. See the website for details.
  • By the end of 2023 it looks like more people are using passkeys than expected.[2]
    1Password experienced a particular spike in October 2023, correlating with big companies like Amazon and WhatsApp rolling out their support for passkeys during this month, with over 70,000 created between October 16-22 alone.

Solutions

With this update, your Chrome on Android 14 and later can create and save a passkey to a third-party password manager, or authenticate using a passkey saved there. Also, learn how a relying party can detect which password manager a passkey is created at.[3]

Portability

Vendor Relationship Management (via Doc Searls) is coming true but it is fully hidden behind terms like:

  • Password Management,
  • Credential Management,
  • Portable Passkeys.

But the point is that a human being can move their access and metadata about the sites that they visit as a part of their daily life. I hope it works out! I hope they make the result extensible. See this video clip from Rew Islam and Nick Steele.

References

  1. FIDO Passkeys - Accelerating the Availability of Simpler, Stronger Passwordless Sign-Ins https://fidoalliance.org/passkeys/
  2. Lewis Maddison, Looks like more people are using passkeys than expected 1Password sees passkeys exceed 700k (2023-12-21) https://www.techradar.com/pro/security/looks-like-more-people-are-using-passkeys-than-expected
  3. Eiji Kitaura, Passkeys UX updates on Chrome on Android https://developer.chrome.com/blog/passkeys-on-credential-manager

Other Material