HackerTrans
TopNewTrendsCommentsPastAskShowJobs

PassageNick

no profile record

Submissions

[untitled]

1 points·by PassageNick·4 jaar geleden·0 comments

[untitled]

1 points·by PassageNick·4 jaar geleden·0 comments

[untitled]

1 points·by PassageNick·4 jaar geleden·0 comments

What Is WebAuthn and How Does It Work?

passage.id
1 points·by PassageNick·4 jaar geleden·0 comments

[untitled]

1 points·by PassageNick·4 jaar geleden·0 comments

Ask HN: Do any of you care about developer certifications?

1 points·by PassageNick·4 jaar geleden·4 comments

Phishers Swim Around 2FA in Coinbase Account Heists

threatpost.com
1 points·by PassageNick·4 jaar geleden·0 comments

comments

PassageNick
·3 jaar geleden·discuss
This is a great question.

I think the biggest barrier to adoption is lack of end user demand for the service. That is followed by people not understanding/believing the incredible increase in user experience and security. It's almost like people think it is too good to be true.
PassageNick
·3 jaar geleden·discuss
It is not clear to me what they are implementing here. There is not mention of passkeys anywhere.
PassageNick
·3 jaar geleden·discuss
Not sure I follow....

Biometrics are very difficult to impossible to reproduce short of physical coercion.
PassageNick
·3 jaar geleden·discuss
Passwordless is actually MFA --

Something you have (your device) Something you are (your biometric)

Those are definitely two factors that are required to be together for passwordless to work
PassageNick
·3 jaar geleden·discuss
>> I hate having to rely on having my phone handy to log into anything.<<

This isn't the case. Nothing about passkeys says you need your phone to login on a website with your laptop, for instance.
PassageNick
·3 jaar geleden·discuss
The problem with legislation like this is that it eliminates the possibility of better solution.

What happens if someone invents a better interface than USB 3.0?

Or better, why would anyone bother when a better interface couldn't be used?
PassageNick
·3 jaar geleden·discuss
No -- every origin has it's own Public/Private key that is stored on the TPM chip on your device. The TPM is designed specifically for securing these keys.

Each passkey is a modest amount of data, and I don't see a person having so many passkeys that the TPM gets full.
PassageNick
·3 jaar geleden·discuss
That's a great article, thanks. In fact, it's a fantastic article. I read it a couple of weeks ago, and learned a lot. Thanks.

Apple's changes do degrade security, but I think it is important to note that even with those degradations, Apple passkeys are still many orders of magnitude more secure than passwords.
PassageNick
·3 jaar geleden·discuss
....and can you explain the cookie theft thing a bit more?
PassageNick
·3 jaar geleden·discuss
If you can take a photograph of someone's fingerprint and reproduce it, how, exactly, does one use that?
PassageNick
·3 jaar geleden·discuss
They cannot block access. The passkeys are actually stored on your devices in a Trusted Platform Module. When moved to the cloud, they are E2E encrypted, and the transferring platform has zero knowledge of your keys.

Currently, you cannot move them to other devices without the cooperation of some cloud service, or the like. At some point you'll have to trust someone to move passkeys between devices.
PassageNick
·3 jaar geleden·discuss
Passwordless is MFA -- something you are and something you have.

I'm not a yubikey expert, but I don't believe that losing your Yubikey will open up your company to a breach.

For a typical passwordless solution, losing your phone isn't a risk, given that no one can reproduce your face or thumbprint.
PassageNick
·3 jaar geleden·discuss
You own your own passkeys on your own device, ultimately. Google/Apple/MS have no ownership or knowledge of the actual keys.
PassageNick
·3 jaar geleden·discuss
Fair enough.
PassageNick
·3 jaar geleden·discuss
Re: Yubikey -- I confess I don't know. The folks in r/yubikey definitely will, though.

The "Big Three" are on the FIDO board, along with 1Password. They can't really do the extinguish thing, and it really isn't in their interst to do so.

An no, the small tweaks don't kick anyone out of the game.

There will be other, perhaps more trusted, companies that you can use to move your passkeys around between eco-systems.
PassageNick
·3 jaar geleden·discuss
The threat surface of a password based system is like Lake Superior.

The threat surface of a passkey based solution is like a small puddle after a rain.

How is there a "reduction" in security here?
PassageNick
·3 jaar geleden·discuss
Yeah, it is non-trivial to implement, but not impossible. Some folks go that route.

There are SaaS solutions that implement it for you and make it easy to include in your app.
PassageNick
·3 jaar geleden·discuss
(Full disclosure: I work at https://passage.id)

WebAuthn is the short name for the "FIDO Alliance Web Authentication Protocol".

"Passkey" is the trade name (that Apple tries to own) for the "stuff" that results from using the WebAuthn protocol. At it's root, a passkey is really the private key portion of that "stuff" that is kept. So yes, in practice, a passkey is the result of a WebAuthn implementation.

MS, Apple, and Google don't implement WebAuthn. Companies like mine do. Each website out there that wants to use passkeys needs to employ WebAuthn, whether via build or buy. What the "Big Three" do is leverage their OS's and platforms to enable the storage and migration of passkeys within their eco-system. WebAuthn is implemented in their browsers, and they enable the use of passkeys (which websites make happen via implementing WebAuthn).

One thing to note is that the Big Three also make a small adjustment to the WebAuthn protocol to allow passkeys to shared inside their cloud infrastructure. This every so slightly reduces the security of passkeys (which start out as very, very many orders of magnitude more secure than passwords).

You can read about Passkeys here: https://passage.id/post/a-look-at-passkeys

More on WebAuthn: https://passage.id/post/what-is-webauth
PassageNick
·4 jaar geleden·discuss
That's a quality aphorism.
PassageNick
·4 jaar geleden·discuss
It seems strange to me that anyone would go anything but Cloud Native today.