I have literally implemented SRP at both the client and server side but I am still unable to figure out, if I were to purchase or set up a "Passkey", what exactly I would have, or how it would work, or which computers, web browsers or web sites I should expect it to work with
-
I've been reading lots of explanations of passkeys but they all either contradict each other or go unbelievably vague on fundamental points, for example saying that an authenticator "communicates" a key to a website without elaborating on how the communication occurs. I *think* what happened here was at some point during standardization "Passkey"/FIDO/WebAuthn wound up becoming an umbrella containing several fundamentally different kinds of system
-
FIDO2 was the basis for WebAuthn which was basically then renamed to Passkeys because WebAuthn is a terrible name to give to users
so functionally, a Passkey is a FIDO2 device implemented securely within your PC (utilizing the TPM) and should work the same from the website’s perspective as a hardware FIDO2 token
-
@irenes @mcc unfortunately the only answer I have there is “do not use a passkey” but I think you already know that
problem, of course, being that browsers are making it harder to use FIDO2 tokens instead unless your TPM is disabled or unusable and any machine you don’t trust probably has a usable TPM. so maybe you end up using a passkey accidentally
that said, it depends on why you don’t trust the PC—the secrets are stored in the TPM so even untrusted PCs may be safe with a Passkey in specific threat models. but I am not your lawyer (or anyone’s) and I should not provide advice on what applies to your threat model
-
@demize @irenes @mcc I don’t have this use case, but I believe that there is a version of this which uses a QR code challenge handshake with a phone and does auth on the backend so you never need to put the keys on the PC. I believe this article explains it: https://www.corbado.com/blog/webauthn-passkey-qr-code
-
@glyph @demize @irenes Yeah, I've heard of this one, but I virtually never see Bluetooth successfully working in the wild with things like speakers so I don't have any expectation it would work with password managers. (And at the moment the Windows machine I specifically don't trust, and would be most interested in using my phone to remotely authenticate with, does not have Bluetooth at all)
-
fail0verflow proved pretty recently that without a secondary credential the TPM is fundamentally broken (something I’d known was theoretically true for a while, by virtue of how it works). don’t rely on solely the TPM for protection, really
(it’s fine for most people, mind you, just… fundamentally flawed)
-
@mcc there is a fundamental disagreement within the “passkey” community where both factions believe the term “passkey” means “phishing-proof cryptographic authentication using FIDO2” but one faction believes that it just means “cloud-synchronized version of this to address potential problems with device loss” and the other faction believes it means “any device which can do this including single-device TPM encrypted tokens or hardware keys where device loss means unrecoverable account”
-
@glyph Yeah. And the problem I have is that what I fundamentally want is "allow me to authenticate with forward secrecy on device A using a private key on device B, where A and B are fully airgapped" and someone on the WebAuthn standards body appears to consider my use case to be "phishing" and is specifically introducing technical constraints to prevent it being possible.
-
@irenes @mcc @glyph no, because it transmits the secrets in cleartext over a bus between the chip and the CPU
also whoops it was stacksmashing actually https://youtu.be/wTl4vEednkQ
-
@glyph I am somewhat suspicious about this because the efforts put in place to prevent airgapped negotiation have the effect of making the easiest and most practical way to use WebAuthn be using one of the proprietary OS-locked systems, and the vendors of these exact proprietary systems are on the w3 board
-