HackerTrans
TopNewTrendsCommentsPastAskShowJobs

PassageNick

no profile record

Submissions

[untitled]

1 points·by PassageNick·4 года назад·0 comments

[untitled]

1 points·by PassageNick·4 года назад·0 comments

[untitled]

1 points·by PassageNick·4 года назад·0 comments

What Is WebAuthn and How Does It Work?

passage.id
1 points·by PassageNick·4 года назад·0 comments

[untitled]

1 points·by PassageNick·4 года назад·0 comments

Ask HN: Do any of you care about developer certifications?

1 points·by PassageNick·4 года назад·4 comments

Phishers Swim Around 2FA in Coinbase Account Heists

threatpost.com
1 points·by PassageNick·4 года назад·0 comments

comments

PassageNick
·3 года назад·discuss
This is a great question.

I think the biggest barrier to adoption is lack of end user demand for the service. That is followed by people not understanding/believing the incredible increase in user experience and security. It's almost like people think it is too good to be true.
PassageNick
·3 года назад·discuss
It is not clear to me what they are implementing here. There is not mention of passkeys anywhere.
PassageNick
·3 года назад·discuss
Not sure I follow....

Biometrics are very difficult to impossible to reproduce short of physical coercion.
PassageNick
·3 года назад·discuss
Passwordless is actually MFA --

Something you have (your device) Something you are (your biometric)

Those are definitely two factors that are required to be together for passwordless to work
PassageNick
·3 года назад·discuss
>> I hate having to rely on having my phone handy to log into anything.<<

This isn't the case. Nothing about passkeys says you need your phone to login on a website with your laptop, for instance.
PassageNick
·3 года назад·discuss
The problem with legislation like this is that it eliminates the possibility of better solution.

What happens if someone invents a better interface than USB 3.0?

Or better, why would anyone bother when a better interface couldn't be used?
PassageNick
·3 года назад·discuss
No -- every origin has it's own Public/Private key that is stored on the TPM chip on your device. The TPM is designed specifically for securing these keys.

Each passkey is a modest amount of data, and I don't see a person having so many passkeys that the TPM gets full.
PassageNick
·3 года назад·discuss
That's a great article, thanks. In fact, it's a fantastic article. I read it a couple of weeks ago, and learned a lot. Thanks.

Apple's changes do degrade security, but I think it is important to note that even with those degradations, Apple passkeys are still many orders of magnitude more secure than passwords.
PassageNick
·3 года назад·discuss
....and can you explain the cookie theft thing a bit more?
PassageNick
·3 года назад·discuss
If you can take a photograph of someone's fingerprint and reproduce it, how, exactly, does one use that?
PassageNick
·3 года назад·discuss
They cannot block access. The passkeys are actually stored on your devices in a Trusted Platform Module. When moved to the cloud, they are E2E encrypted, and the transferring platform has zero knowledge of your keys.

Currently, you cannot move them to other devices without the cooperation of some cloud service, or the like. At some point you'll have to trust someone to move passkeys between devices.
PassageNick
·3 года назад·discuss
Passwordless is MFA -- something you are and something you have.

I'm not a yubikey expert, but I don't believe that losing your Yubikey will open up your company to a breach.

For a typical passwordless solution, losing your phone isn't a risk, given that no one can reproduce your face or thumbprint.
PassageNick
·3 года назад·discuss
You own your own passkeys on your own device, ultimately. Google/Apple/MS have no ownership or knowledge of the actual keys.
PassageNick
·3 года назад·discuss
Fair enough.
PassageNick
·3 года назад·discuss
Re: Yubikey -- I confess I don't know. The folks in r/yubikey definitely will, though.

The "Big Three" are on the FIDO board, along with 1Password. They can't really do the extinguish thing, and it really isn't in their interst to do so.

An no, the small tweaks don't kick anyone out of the game.

There will be other, perhaps more trusted, companies that you can use to move your passkeys around between eco-systems.
PassageNick
·3 года назад·discuss
The threat surface of a password based system is like Lake Superior.

The threat surface of a passkey based solution is like a small puddle after a rain.

How is there a "reduction" in security here?
PassageNick
·3 года назад·discuss
Yeah, it is non-trivial to implement, but not impossible. Some folks go that route.

There are SaaS solutions that implement it for you and make it easy to include in your app.
PassageNick
·3 года назад·discuss
(Full disclosure: I work at https://passage.id)

WebAuthn is the short name for the "FIDO Alliance Web Authentication Protocol".

"Passkey" is the trade name (that Apple tries to own) for the "stuff" that results from using the WebAuthn protocol. At it's root, a passkey is really the private key portion of that "stuff" that is kept. So yes, in practice, a passkey is the result of a WebAuthn implementation.

MS, Apple, and Google don't implement WebAuthn. Companies like mine do. Each website out there that wants to use passkeys needs to employ WebAuthn, whether via build or buy. What the "Big Three" do is leverage their OS's and platforms to enable the storage and migration of passkeys within their eco-system. WebAuthn is implemented in their browsers, and they enable the use of passkeys (which websites make happen via implementing WebAuthn).

One thing to note is that the Big Three also make a small adjustment to the WebAuthn protocol to allow passkeys to shared inside their cloud infrastructure. This every so slightly reduces the security of passkeys (which start out as very, very many orders of magnitude more secure than passwords).

You can read about Passkeys here: https://passage.id/post/a-look-at-passkeys

More on WebAuthn: https://passage.id/post/what-is-webauth
PassageNick
·4 года назад·discuss
That's a quality aphorism.
PassageNick
·4 года назад·discuss
It seems strange to me that anyone would go anything but Cloud Native today.