Gentoo Forums
Passkeys anyone?
Forum: Networking & Security
Goverp
Advocate

Joined: 07 Mar 2007
Posts: 2009

PostPosted: Tue Nov 28, 2023 11:20 am    Post subject: Passkeys anyone?

A recent edition of a (Windows) PC mag extolled the virtues of passkeys - IIUC using public key cryptography for secure logon, and using 2 factor authentication (such as a fingerprint reader-secured smartphone) to access those keys. The intent is removing passwords completely, and login could be by, for example, a bluetooth exchange with said smartphone; there are alternatives including Yubikeys, scanning QR codes with a smartphone, etc.

A search on the Gentoo fora and wiki reveals nothing (except a few old posts using "passkey" to mean password). Googling "linux passkey" isn't too helpful either.

Anyone know if it's just hype, "coming soon", already here, or not as good as something else?
_________________
Greybeard
pjp
Administrator

Joined: 16 Apr 2002
Posts: 20067

PostPosted: Sat Dec 09, 2023 5:55 am

What do you mean by hype?

I believe github started to require 2FA a while ago after a breach. Apparently it was scheduled for this year.

https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa

I think gmail started to recently require 2FA, though I can't find the reference. What I'm seeing (search results) is only certain features, and a passkey isn't required.


My concern is having to deal with the lack of security in requiring a phone (SMS). I no longer use my phone for much of anything other than the phone. I also don't use app stores. I'm really supposed to tie up important accounts with an easy to lose usb key? That sounds like a brilliant idea. Better yet, it has an ESD event. Also, I'm not giving private information to the organizations that want it just so they can have it for "security."
_________________
Quis separabit? Quo animo?
Goverp
Advocate

Joined: 07 Mar 2007
Posts: 2009

PostPosted: Sat Dec 09, 2023 10:53 am

"Hype" would be as in a new name for old technology that's not particularly used.

As I read it, this is supposed to be more than just 2FA, specifically getting rid of passwords, which I'd quite like.

I agree about the danger of losing a device if it's the sole repository for the key. However, if that key is a public/private keypair sitting, for example, on a fingerprint-protected phone, I can and would have a backup of those keys, so losing the phone is not the end of the world. Anyway, I expect that as long as I knew my mother's maiden name and a couple other bits of public data, I could get Google or Apple or someone to reinstate my passwords :-)
_________________
Greybeard
spica
Apprentice

Joined: 04 Jun 2021
Posts: 288

PostPosted: Sun Dec 10, 2023 7:53 am

The adoption of passwordless devices introduces a potential vulnerability, allowing third parties to gain unauthorized access or decrypt disks in the absence of the device owner. While the password may still exist, residing either on the target system or within the device as a key, the decision to disable user passwords seems like an effort to shift responsibility from the system to the end user, in my opinion.
hdcg
Tux's lil' helper

Joined: 07 Apr 2013
Posts: 120

PostPosted: Sun Dec 10, 2023 9:23 am

Goverp wrote:
"Hype" would be as in a new name for old technology that's not particularly used.

As I read it, this is supposed to be more than just 2FA, specifically getting rid of passwords, which I'd quite like.


This matches my understanding of the Passkey approach. You own the key to your data and by the magic of asymmetric cryptography you do not have to disclose it.
"Hype" as you defined it, yes. Key-based ssh logins are concept-wise quite similar. New are the standards (e.g. WebAuthn) evolving around this approach, making it usable for the masses. Service providers may offer to store/synchronize the key for you. Whether this is a good idea depends on your use case. It may add convenience and recovery options for the sake of security. As usual there is no one-size-fits-all.

spica wrote:
The adoption of passwordless devices introduces a potential vulnerability, allowing third parties to gain unauthorized access or decrypt disks in the absence of the device owner.

I do not get this point. The device/application holding the private key is essential for gaining access to the data. How safe this device is, and also the Passkey setup/implementation, is another story.

spica wrote:
While the password may still exist, residing either on the target system or within the device as a key, the decision to disable user passwords seems like an effort to shift responsibility from the system to the end user, in my opinion.

Generally there is no password involved any longer. Its role is replaced by the private key. The latter may be secured by a password or 2nd factor, but without the key these factors are not sufficient to access your data. And yes, a strict implementation (where only you have stored the private key) gives you exclusive access to your data, and if you lose the key, you lose your data. As mentioned above, the right approach depends on your use case and the sensitivity of the data.

Yubico has a nice description how Passkeys work: https://developers.yubico.com/Passkeys/How_passkeys_work.html
It also shows who may be involved in a Passkey solution and may have access to parts of the security chain. E.g. in this document the "application" owns the private key. If this application is not trustworthy or not running in a trustworthy environment, the security is reduced.

Best regards,
Holger
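Added example (editor's code, not from any post in this thread and not taken from the Yubico page hdcg links): a small Go model of the WebAuthn login ceremony hdcg is describing, to make the "ssh-key-like" comparison concrete. The site stores only a public key and sends a random challenge; the authenticator signs the challenge together with a hash of the relying-party ID (rpID) and the origin the browser actually saw; the site checks origin, challenge and rpID hash before the signature and consumes the challenge so a captured response cannot be replayed. Names such as Authenticator, RelyingParty, example.com and alice are made up for the example; ECDSA P-256 over SHA-256 (ES256) is used because that is the algorithm passkeys commonly use. Attestation, COSE key encoding, user-verification flags and the signature counter (zeroed here) are deliberately left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// Authenticator stands in for the device (phone, security key) holding private keys; each is scoped to one rpID and never leaves it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
// RelyingParty stands in for the website: it stores public keys only, so a breach of its user database yields nothing replayable.
type RelyingParty struct {
	ID, Origin string
	pubKeys    map[string]*ecdsa.PublicKey // user -> public key
	challenges map[string][]byte           // user -> outstanding challenge
}
// clientData mirrors WebAuthn clientDataJSON; the browser, not the site, fills in Origin.
type clientData struct{ Type, Challenge, Origin string }
// Assertion is the login response: client data, authenticator data and the signature.
type Assertion struct {
	Client              clientData
	AuthData, Signature []byte
}
func NewAuthenticator() *Authenticator { return &Authenticator{map[string]*ecdsa.PrivateKey{}} }
func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{id, origin, map[string]*ecdsa.PublicKey{}, map[string][]byte{}}
}

// Register: the authenticator mints a P-256 key pair for rp.ID; the site keeps only the public half.
func Register(a *Authenticator, rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err == nil {
		a.keys[rp.ID], rp.pubKeys[user] = priv, &priv.PublicKey
	}
	return err
}

// IssueChallenge is login step 1: fresh random bytes the site will accept exactly once.
func (rp *RelyingParty) IssueChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// signedMessage is what both sides hash: authData || sha256(clientDataJSON).
func signedMessage(authData []byte, cd clientData) []byte {
	cdJSON, _ := json.Marshal(cd) // cannot fail for a struct of strings
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign is step 2: the authenticator signs with the key scoped to rpID; a phishing site asking for its own rpID finds no credential.
func (a *Authenticator) Sign(rpID, origin string, challenge []byte) (*Assertion, error) {
	priv := a.keys[rpID]
	if priv == nil {
		return nil, errors.New("no credential for rpID " + rpID)
	}
	cd := clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // sha256(rpID) || flags (user present) || 4-byte counter
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{cd, authData, sig}, nil
}

// Verify is step 3: type, origin, challenge and rpIdHash are checked, the challenge is consumed (no replay), then the signature.
func (rp *RelyingParty) Verify(user string, as *Assertion) error {
	rpHash := sha256.Sum256([]byte(rp.ID))
	pub := rp.pubKeys[user]
	switch {
	case as.Client.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case as.Client.Origin != rp.Origin:
		return errors.New("origin mismatch: " + as.Client.Origin)
	case as.Client.Challenge != base64.RawURLEncoding.EncodeToString(rp.challenges[user]):
		return errors.New("unknown or already used challenge")
	case pub == nil:
		return errors.New("unknown user")
	case len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(rpHash[:]):
		return errors.New("rpIdHash mismatch")
	}
	delete(rp.challenges, user)
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.Client), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}
```

Run the four calls in order (Register, IssueChallenge, Sign, Verify) for a genuine login; then hand the same Assertion to Verify a second time and it is rejected because the challenge was consumed, and ask the Authenticator to Sign for a different rpID (what a look-alike domain would have to do) and it returns an error because no key is scoped to it. That rpID scoping plus the browser-supplied origin is what makes this phishing-resistant in a way a password or a TOTP code is not; the lost-device problem the thread discusses is untouched by it and is exactly why providers offer synced copies of the private key.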