diff options
Diffstat (limited to 'content/2023')
-rw-r--r-- | content/2023/undestanding-passkeys.md | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/content/2023/undestanding-passkeys.md b/content/2023/undestanding-passkeys.md index 1abdf7c8..c58898c7 100644 --- a/content/2023/undestanding-passkeys.md +++ b/content/2023/undestanding-passkeys.md @@ -30,7 +30,7 @@ However, I failed to find any NGOs on the list. ### WebAuthn -Web Authentication (aka WebAuthn)[^webauthn-rfc] is a standard for passwordless authentication using asymmetric cryptography. The standard proposes replacing standard password-based authentication with exchanging public cryptographic keys. The user maintains ownership of the private key he generates on the Client Device (phone, hardware keys, etc.). The service provider (known here as Relying Party) receives a public key during registration. When the user wants to authenticate, the server sends a challenge encrypted with the public key. +Web Authentication (aka WebAuthn)[^webauthn-rfc] is a standard for passwordless authentication using asymmetric cryptography. The standard proposes replacing standard password-based authentication with exchanging public cryptographic keys. The user maintains ownership of the private key he generates on the Client Device (phone, hardware keys, etc.). The service provider (known here as Relying Party) receives a public key during registration. When the user wants to authenticate, the server sends a challenge to the Client Device. [^webauthn-rfc]: [Web Authentication: An API for accessing Public Key Credentials Level 2 RFC](https://www.w3.org/TR/webauthn-2) @@ -65,7 +65,7 @@ Registration under WebAuthn consists of generating a unique key pair and sending Some additional notes here: - The Client Device should sign the sent public key with its own Attestation Certificate[^att-cert]. The certificate is used to attest to the manufacturer and its capabilities. The device can also self-attest using the private key. -- The RFC allows for generating keys using the most popular algorithms]. +- The RFC allows for generating keys using the most popular algorithms. - The unique key pair is not shared between services. The device can generate many certificates for each service, so you can still have multiple accounts for shitposting on Twitter. [^att-cert]: An X.509 Certificate. @@ -80,15 +80,13 @@ The RFC defines the entire registration ceremony but doesn't limit how it should {{<svg-full-width "webauthn-auth.svg" "WebAuthn authentication high level overwiew">}} -First, the server generates a challenge - most likely a big random number. The client device then signs it with the private key. Then the server validates the signature - as possible only with the public key. - - +First, the server generates a challenge - most likely a big random number. The client device then signs it with the private key. Then the server validates the signature - as it is possible only with the public key. ### The cost of Passkeys WebAuthn is a questionable standard. It removes almost all risks from the service provider and puts all responsibility on the user. Since the keys are just strings, nothing stops us from keeping them anywhere. We already do this - maintaining our SSH or GPG keys is something we do every day. However, this does not apply to the mass public. I can't imagine a grandma being tasked with ensuring she will never lose this file. This is where companies came in. -As mentioned above, Apple and Google are trying to become the guardians of public keys. At first, though, it sounds great - if it's in Google Account or Apple iCloud, it will be stored and synced automatically. But after some thinking, it's not a good idea for the majority of people. +As mentioned above, Apple and Google are trying to become the guardians of private keys. At first, though, it sounds great - if it's in Google Account or Apple iCloud, it will be stored and synced automatically. But after some thinking, it's not a good idea for the majority of people. First of all, it's not safe. Reddit is flooded with worried users after iCloud lost their files or photos. Google is known to block accounts out of the blue. Losing access to an image of a dog may be sad, but it's not the end of the world. But what will happen when your internet identity becomes locked instantly? You break your phone and suddenly discover all those keys are gone. You just need to forget your iCloud password, and if the backup email is secured with a passkey, you are out of luck[^apple-recovery]. No food delivery, no bank - not even Twitter to cry about it. [^apple-recovery]: [Apple assumes](https://support.apple.com/en-us/HT201487) that you need an Apple device for a quick and painless Apple password reset. Good luck if you don't have one next to you. |