SNs 870: That "Passkeys" Thing

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

Of course Google will push Passkeys.

It’s another way for them to encourage you to connect your mobile phone with your Desktop.

Google has been prompting me (a Linux desktop user) for my mobile phone number for what seems like a year now. Rot’s of Ruck, Google.

I like the concept here and Steve did a good job spelling it out. I also appreciate how up-front he is about his bias because of all the energy he put into his solution.

Personally I like the idea of a unique key for each site, vs. SQRL’s “one key to rule them all” approach. The advice has always been to use a unique password for every site, so why wouldn’t that hold true when we switch over to keys? I know that a public key being exposed isn’t a big deal, but since backing up multiple keys isn’t that hard I don’t see a reason why we shouldn’t do it.

You’re not understanding the mechanics of SQRL. It uses a key it NEVER reveals to anyone (even you) to generate a unique key for EVERY unique domain/site. The bigger benefit is that this key is a public key, so it’s MEANT to be published, so there is no risk if the site gets hacked. The site simply uses the public key to verify the same entity that generated it returns back for later authentication… giving the site no secrets to lose.
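The derivation described in the post above, as an added example that is not part of the thread and is not SQRL's own code. It assumes HMAC-SHA256 for the per-domain derivation and Ed25519 for the key pair; the function names, domains, master secret and challenge are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// siteKey derives a per-site Ed25519 key pair. The seed is the HMAC-SHA256
// of the site's domain keyed with the master secret, so the same master and
// domain always reproduce the same pair and the client stores nothing per site.
func siteKey(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // HMAC output is the 32-byte seed
	return priv.Public().(ed25519.PublicKey), priv
}

// respond is the client side of a login: re-derive the key for the domain
// and sign the server's challenge with it.
func respond(master []byte, domain string, challenge []byte) []byte {
	_, priv := siteKey(master, domain)
	return ed25519.Sign(priv, challenge)
}

// verify is the server side: it holds only the public key registered
// earlier, which is all a database breach could expose.
func verify(registered ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(registered, challenge, sig)
}

func main() {
	master := []byte("constructed-master-secret-32byte") // constructed sample; never leaves the client
	challenge := []byte("constructed-nonce-0001")        // constructed; a real server sends fresh random bytes

	pubA, _ := siteKey(master, "example.com")
	pubB, _ := siteKey(master, "example.org")
	fmt.Printf("example.com key: %x\nexample.org key: %x\n", pubA[:8], pubB[:8])

	// Returning user: same master, same domain, so the signature verifies.
	fmt.Println("login ok:", verify(pubA, challenge, respond(master, "example.com", challenge)))
	// A response produced for another domain does not verify against pubA.
	fmt.Println("cross-site:", verify(pubA, challenge, respond(master, "example.org", challenge)))
}
```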

SQRL has one key that it uses to generate all the other public/private keys. I know that public keys are supposed to be seen; with both systems, if you lose that key or have any other reason to suspect your private key might be at risk, you can just generate a new one.

I wonder if the FIDO Alliance made any consideration of Steve’s research before settling on this approach. His system isn’t that complicated; I wonder if maybe it could be added as another option down the line.

FIDO is at version 2. Version 2 supports “securely” storing (and thus presumably changing) a few dozen (25 in the case of Yubico implementations) special secrets in the hardware device, but is not supported by really any site [yet]. FIDO v1 uses a secret physically burned into the hardware device, and unchangeable. If it ever escaped the key, you wouldn’t be able to change it… without replacing the hardware. On the other hand, there are no mechanisms built into the hardware to get at this secret, so it should be very secure. The difference is that FIDO v1 generates a random key for a site, and uses its secure key to export that to the site for storage (as the hardware has no storage of its own). When you return to the site, you ask for the stored data, which gets input to the hardware, decoded, and used to generate a “challenge” which the site can use to verify the same person has returned. This randomly generated stuff could theoretically be replaced by the site (I am unaware if the FIDO protocol supports this, but I would imagine it would, as this would be required if you wanted to replace your hardware).


Quantum computing is not that far off. IBM is making fast progress.

@Leo and Steve, you MUST read “The President is Missing”, by James Patterson and Bill Clinton (?!). By total coincidence I was reading this while listening to this episode and the subjects are the same: an international cyber attack on US infrastructure and the havoc it would cause! 1-1 relationship. It’s not sci-fi but it’s as SecurityNow-fy as it can get!