Ricky Mondello
@rmondello@hachyderm.io · 6 days ago

@publicvoit @renchap @gracjan Nice try. Please watch my explanation that I sent to Renaud.

Karl Voit :emacs: :orgmode:
@publicvoit@graz.social replied · 6 days ago

@rmondello @renchap @gracjan To my understanding, some implementations that allow migration of #passkeys to other accounts are prone to #Phishing.

https://arxiv.org/abs/2501.07380
"Another concern could be #socialengineering, where a user is tricked into sharing a passkey with an account controlled by an attacker." -> classic phishing, I'd say.

Convenience vs. #security, the usual trade-off.

According to that, roaming authenticators (classic #FIDO2 USB/NFC devices that are able to handle passkeys) are the only phishing-resistant method.

Still, Passkeys are much better than anything else (except FIDO2 HW tokens, of course) but it seems to be the case that the slogan that passkeys are 100% protecting against phishing isn't true any more.

What are your thoughts on that angle?


Device-Bound vs. Synced Credentials: A Comparative Evaluation of Passkey Authentication

With passkeys, the FIDO Alliance introduces the ability to sync FIDO2 credentials across a user's devices through passkey providers. This aims to mitigate user concerns about losing their devices and promotes the shift toward password-less authentication. As a consequence, many major online services have adopted passkeys. However, credential syncing has also created a debate among experts about their security guarantees. In this paper, we categorize the different access levels of passkeys to show how syncing credentials impacts their security and availability. Moreover, we use the established framework from Bonneau et al.'s Quest to Replace Passwords and apply it to different types of device-bound and synced passkeys. By this, we reveal relevant differences, particularly in their usability and security, and show that the security of synced passkeys is mainly concentrated in the passkey provider. We further provide practical recommendations for end users, passkey providers, and relying parties.
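As an added illustration (not code from the thread, the paper, or any passkey provider), here are the relying-party checks behind the "phishing-resistant" claim: the origin the browser recorded, the challenge the server issued, and the rpIdHash the authenticator signed over. All function names and sample values are constructed; `verify_signature` assumes the third-party `cryptography` package is installed.

```python
import base64
import hashlib
import json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_binding(client_data_json: bytes, auth_data: bytes, expected_origin: str,
                  rp_id: str, expected_challenge: bytes) -> list:
    """Return the names of the failed checks; an empty list means every binding holds."""
    cd, failures = json.loads(client_data_json), []
    if cd.get("type") != "webauthn.get":
        failures.append("type")
    # The browser writes the real page origin into clientDataJSON; a look-alike
    # domain cannot forge it, so the RP sees the mismatch before any key is used.
    if cd.get("origin") != expected_origin:
        failures.append("origin")
    # The challenge must be the one this server issued for this login attempt.
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        failures.append("challenge")
    # authenticatorData starts with sha256(rpId); the authenticator only signs for
    # the RP ID the browser derived from the origin it actually loaded.
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rpIdHash")
    # Flags byte follows the hash: bit 0 = user present, bit 2 = user verified.
    if not (auth_data[32] & 0x01):
        failures.append("userPresent")
    return failures

def verify_signature(public_key_pem: bytes, auth_data: bytes,
                     client_data_json: bytes, signature: bytes) -> bool:
    """ECDSA P-256 check over authenticatorData || sha256(clientDataJSON)."""
    from cryptography.exceptions import InvalidSignature  # third-party package
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import ec
    key = serialization.load_pem_public_key(public_key_pem)
    try:
        key.verify(signature, auth_data + hashlib.sha256(client_data_json).digest(),
                   ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False

# Constructed samples shaped like what a browser and authenticator would produce.
def make_client_data(origin: str, challenge: bytes) -> bytes:
    b64 = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": b64, "origin": origin}).encode()

def make_auth_data(rp_id: str, flags: int = 0x05) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + bytes(4)
```

A passkey the user has handed over to someone else's account passes every one of these checks when used from the genuine origin, which is why the sharing case discussed in the thread lies outside what the protocol itself can detect.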
tante
@tante@tldr.nettime.org · last month

So I think I'll need to read up on it a bit. I understand that "Passkeys" try to do something similar to SSH pubkeys.
But do you know a good technical explainer of what's going on and how it works?

(Yes, I could search myself but I am looking for recommendations of articles you have read that you found helpful and clear.)

EDIT: https://passkeys.io did make some things clearer.

Karl Voit :emacs: :orgmode:
@publicvoit@graz.social replied · last month

@tante I blogged about #Passkeys and #FIDO2 at https://karl-voit.at/FIDO2-vs-Passkeys/ and, among other things, explained why passkeys unfortunately no longer fully protect against #Phishing in more and more situations, whereas FIDO2, in my opinion, very much does.

That is, the hardware tokens currently provide the only watertight protection against phishing. Still, passkeys have many advantages over the usual methods such as #TOTP, #TAN via #SMS or #Email, ...

Authentifizierung mit FIDO2 und Passkeys (Authentication with FIDO2 and Passkeys)

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate