(Synced) Passkey Is Weak(yourpasskeyisweak.com)
yourpasskeyisweak.com
(Synced) Passkey Is Weak
https://yourpasskeyisweak.com/
6 comments
What about offline stores passkeys? I've a keepasxc database. Just having the database isn't enough because you need the keyfile and my password to open it.
I get what they're saying but device bound keypasses are brittle. List device lost account. So you need multiple devices. Passkeys are just a bad solution to a valid problem.
I get what they're saying but device bound keypasses are brittle. List device lost account. So you need multiple devices. Passkeys are just a bad solution to a valid problem.
That is what I was thinking, too, but rather than the keyfile being an actual file, it is, instead, on the USB-C HW token. So, to decrypt your KeePassXC db, you'd need the physical token to do the decryption, and ask it to be, effectively, an HSM.
https://keepass.info/help/kb/yubikey.html talks of different ways of doing something like that, but I've not played with it yet.
Another option is just to store passkeys natively on the token itself?
https://keepass.info/help/kb/yubikey.html talks of different ways of doing something like that, but I've not played with it yet.
Another option is just to store passkeys natively on the token itself?
I... Am not sure how I feel about it. On tech merits, this absolutely makes sense - the tech is slinging private keys around, and their secure storage is a hard problem.
On the practical merits - maybe? Token-backed decryption of the password manager's database seems like a devent solution? But does this happen? Is there a password manager which uses the public key derived from FIDO2 token's on-chip private key to decrypt the database?
On-token storage is limited (though 100 passkeys on a YK 5 Nano is fairly generous) - but what if we just used the YK as the "Private key is here and ONLY here" setup?
I kinda like the OFFOAD+ design - it promises to show me to where I am authenticating. With origin binding should be a nobrainer, but still, it speaks to me.