Passkeys anyone?

Post by Goverp » Tue Nov 28, 2023 11:20 am

A recent edition of a (Windows) PC mag extolled the virtues of passkeys - IIUC using public key cryptography for secure logon, and using 2 factor authentication (such as a fingerprint reader-secured smartphone) to access those keys. The intent is removing passwords completely, and login could be by, for example, a bluetooth exchange with said smartphone; there are alternatives including Yubikeys, scanning QR codes with a smartphone, etc.

A search on the Gentoo fora and wiki reveals nothing (except a few old posts using "passkey" to mean password). Googling "linux passkey" isn't too helpful neither.

Anyone know if it's just hype, "coming soon", already here, or not as good as something else?
Greybeard
Post by pjp » Sat Dec 09, 2023 5:55 am

What do you mean by hype?

I believe GitHub started to require 2FA a while ago after a breach. Apparently it was scheduled for this year.

https://docs.github.com/en/authenticati ... cation-2fa

I think Gmail started to recently require 2FA, though I can't find the reference. What I'm seeing (search results) is only certain features, and a passkey isn't required.


My concern is having to deal with the lack of security in requiring a phone (SMS). I no longer use my phone for much of anything other than the phone. I also don't use app stores. I'm really supposed to tie up important accounts with an easy-to-lose USB key? That sounds like a brilliant idea. Better yet, it has an ESD event. Also, I'm not giving private information to the organizations that want it just so they can have it for "security."
Quis separabit? Quo animo?
Post by Goverp » Sat Dec 09, 2023 10:53 am

"Hype" would be as in a new name for old technology that's not particularly used.

As I read it, this is supposed to be more than just 2FA, specifically getting rid of passwords, which I'd quite like.

I agree about the danger of losing a device if it's the sole repository for the key. However, if that key is a public/private keypair sitting, for example, on a fingerprint-protected phone, I can and would have a backup of those keys, so losing the phone is not the end of the world. Anyway, I expect that as long as I knew my mother's maiden name and a couple other bits of public data, I could get Google or Apple or someone to reinstate my passwords :-)
Greybeard
Post by spica » Sun Dec 10, 2023 7:53 am

The adoption of passwordless devices introduces a potential vulnerability,
allowing third parties to gain unauthorized access or decrypt disks in the
absence of the device owner. While the password may still exist, residing
either on the target system or within the device as a key, the decision
to disable user passwords seems like an effort to shift responsibility from
the system to the end user, in my opinion.
Post by hdcg » Sun Dec 10, 2023 9:23 am

Goverp wrote:
"Hype" would be as in a new name for old technology that's not particularly used.

As I read it, this is supposed to be more than just 2FA, specifically getting rid of passwords, which I'd quite like.

This matches my understanding of the Passkey approach. You own the key to your data and by the magic of asymmetric cryptography you do not have to disclose it.
"Hype" as you defined it, yes. Key-based ssh logins are concept-wise quite similar. New are the standards (e.g. WebAuthn) evolving around this approach, making it usable for the masses. Service providers may offer to store/synchronize the key for you. Whether this is a good idea depends on your use case. It may add convenience and recovery options for the sake of security. As usual there is no one-size-fits-all.

spica wrote:
The adoption of passwordless devices introduces a potential vulnerability,
allowing third parties to gain unauthorized access or decrypt disks in the
absence of the device owner.

I do not get this point. The device/application holding the private key is essential for gaining access to the data. How safe this device is, and also the Passkey setup/implementation, is another story.

spica wrote:
While the password may still exist, residing
either on the target system or within the device as a key, the decision
to disable user passwords seems like an effort to shift responsibility from
the system to the end user, in my opinion.

Generally there is no password involved any longer. Its role is replaced by the private key. The latter may be secured by a password or 2nd factor, but without the key these factors are not sufficient to access your data. And yes, a strict implementation (where only you have stored the private key) gives you exclusive access to your data and if you lose the key, you lose your data. As mentioned above, the right approach depends on your use case and the sensitivity of the data.

Yubico has a nice description of how Passkeys work: https://developers.yubico.com/Passkeys/ ... _work.html
It also shows who may be involved in a Passkey solution and may have access to parts of the security chain. E.g. in this document the "application" owns the private key. If this application is not trustworthy or not running in a trustworthy environment, the security is reduced.

Best regards,
Holger
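
Added example, not part of any post in this thread: a simplified Node.js model of the WebAuthn-style login hdcg describes, where the server stores only a public key and the authenticator signs a fresh challenge bound to the site's origin. The function names, the `example.org` relying party and the demo values are assumptions made for illustration; real WebAuthn also uses CBOR-encoded keys, attestation and sign-counter checks, which are left out here.

```javascript
// Simplified model of a WebAuthn assertion (the "login" step of a passkey).
const crypto = require('node:crypto');
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Authenticator side: the private key is created here and never leaves this closure.
function createAuthenticator(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  let signCount = 0;
  return {
    publicKey, // the only key material handed to the server at registration
    getAssertion(challenge, origin) {
      const clientDataJSON = Buffer.from(JSON.stringify({
        type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
      const counter = Buffer.alloc(4);
      counter.writeUInt32BE(++signCount);
      // authenticatorData = SHA-256(rpId) || flags (0x01 = user present) || signCount
      const authData = Buffer.concat([sha256(Buffer.from(rpId)), Buffer.from([0x01]), counter]);
      const signature = crypto.sign('sha256', Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
      return { clientDataJSON, authData, signature };
    },
  };
}

// Server (relying party) side: holds the public key and the challenge it issued.
function verifyAssertion(a, { publicKey, expectedChallenge, expectedOrigin, rpId }) {
  const client = JSON.parse(a.clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'stale or foreign challenge';
  if (client.origin !== expectedOrigin) return 'origin mismatch';
  if (!a.authData.subarray(0, 32).equals(sha256(Buffer.from(rpId)))) return 'rpId mismatch';
  if ((a.authData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

// Constructed demo values: example.org is a placeholder relying party.
function demo() {
  const rp = { rpId: 'example.org', expectedOrigin: 'https://example.org' };
  const auth = createAuthenticator(rp.rpId);
  const challenge = crypto.randomBytes(32);
  const server = { ...rp, publicKey: auth.publicKey, expectedChallenge: challenge };
  const good = auth.getAssertion(challenge, rp.expectedOrigin);
  return {
    login: verifyAssertion(good, server),
    replay: verifyAssertion(good, { ...server, expectedChallenge: crypto.randomBytes(32) }),
    wrongOrigin: verifyAssertion(auth.getAssertion(challenge, 'https://other.example'), server),
    otherKey: verifyAssertion(createAuthenticator(rp.rpId).getAssertion(challenge, rp.expectedOrigin), server),
  };
}
console.log(demo());
```

The server never holds a secret that would let someone log in: a copy of its stored public key cannot produce a valid signature, and an assertion captured for one challenge or origin is rejected for any other.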