Good question, alexandros !
ISTM it is BOTH; a safer means of "logging in" to a compatible site, AND another mechanism for Google to use to help build (and sell) its history of your online activities.
I'm presently thinking I'll stick with a Keepass data base of very-complex passwords, copied to my various devices; and 2FA via my email account.
BIG THANKS TO Equal2024 cb474 and Titan_M2 for helping to explain/understand this!!!
P.S. Sigh...... I'm guessing that gmail users will soon be pressured to use passkeys at gmail and then elsewhere.
Mainstream password managers will adopt them, as mentioned above. Even KeePass is discussing it.
Yikes! matchboxbananasynergy . I'm hoping that means that the present keepass functionality will add compatibility with the passkey architecture, and not be somehow replaced by it.
cb474 So the account you're logging into knows your public key and you hold the private key. Only the device holding the private key can autheticate the account and nothing is transmitted that can be comprised (only the public key is transmitted). This means passkeys are not subject to phishing attacks.
Titan_M2 That’s not what makes them resistant to phishing. Passkeys and security keys are origin bound, they only work on the website they were registered on.
Can you explain more what the point is your making? I don't really understand.
In a phishing attack, the attacker tries to trick someone into giving up their credetials (e.g. password) so they can use it to log into that person's account. But with passkeys the private key always stays on your device and it's encrypted, so you don't even know what it is, let alone have the ability to give it to someone else. So, I think my explanation of how passkeys resist phishing is correct.
If it's not, again, I really don't even understand what you're saying and how it's different from what I said. So I'd appreciate a more detailed explanation.
cb474 In a phishing attack, the attacker tries to trick someone into giving up their credetials (e.g. password) so they can use it to log into that person's account. But with passkeys the private key always stays on your device and it's encrypted, so you don't even know what it is, let alone have the ability to give it to someone else.
It's actually more than that. Sophisticated phishing websites don't just read the password, but pose as entire frontend for the legitimate site. When you login into the phishing site, it authenticates on your behalf in real time to the legitimate site, this is how it can get through SMS, TOTP, Google prompt. If security keys and passkeys worked the same way, a phishing website could just as well trick you into logging in while on the backend they pass the authentication challenge to the legitimate site.
Titan_M2 Sophisticated phishing websites don't just read the password, but pose as entire frontend for the legitimate site. When you login into the phishing site, it authenticates on your behalf in real time to the legitimate site, this is how it can get through SMS, TOTP, Google prompt. If security keys and passkeys worked the same way, a phishing website could just as well trick you into logging in while on the backend they pass the authentication challenge to the legitimate site.
My understanding is that the newer FIDO protocols mix the client IP address into the challenge, so the response must originate from the correct machine and a stolen response won't work, unless the malicious person is running code on your machine.
That is my hasty semi-understanding, though. If somebody corrects me, or goes into detail, we can all learn something.
de0u My understanding is that the newer FIDO protocols mix the client IP address into the challenge
That would be dumb, IP addresses do not uniquely identify users. Phishing resistance comes from the origin binding (emphasis mine): https://www.w3.org/TR/webauthn-1/#rp-id
A valid domain string that identifies the WebAuthn Relying Party on whose behalf a given registration or authentication ceremony is being performed. A public key credential can only be used for authentication with the same entity (as identified by RP ID) it was registered with.
Titan_M2 It's actually more than that. Sophisticated phishing websites don't just read the password, but pose as entire frontend for the legitimate site. When you login into the phishing site, it authenticates on your behalf in real time to the legitimate site, this is how it can get through SMS, TOTP, Google prompt. If security keys and passkeys worked the same way, a phishing website could just as well trick you into logging in while on the backend they pass the authentication challenge to the legitimate site.
Okay, I guess I would call that a man in the middle attack, not a phishing attack, so that's why I didn't understand how what you were saying applied to what I was talking about. I do feel less clear about how passkeys protect against man in the middle attacks. I'm still not sure I fully understand it, from what's been said in this thread.
Here's how Yubico describes the process for passkey authentication:
A passkey generation process creates a pair of mathematically related cryptographic keys: one private key that resides on the user’s hardware, and another public key that resides with the relying party, and linked to the account. During subsequent logins, the server will submit a randomly generated “challenge” to the user’s device, which it must respond to by signing said challenge using the private key. The relying party can then validate the authenticity of the private key by decrypting the response using the associated public key. If the original randomly generated challenge matches the decrypted response, authentication is confirmed and access is granted.
https://www.yubico.com/resources/glossary/what-is-a-passkey/
It makes sense how that prevents tradition phishing/social engineering, as I'm using the terms, but I don't really understand how that prevents a man in the middle attack. What's to prevent an intermediary website from capturing the challenge, passing it on to the end users, getting the signed response, and then using it to log into the website itself?
cb474 What's to prevent an intermediary website from capturing the challenge, passing it on to the end users, getting the signed response, and then using it to log into the website itself?
See my quote above from the spec, the browser won't use the passkey to sign a challenge at all on a different website.
Titan_M2 See my quote above from the spec, the browser won't use the passkey to sign a challenge at all on a different website.
I saw the quote. It does not explain how the passkey system knows the wrong website is serving it the authenticaling challenge, it just asserts that it knows and that it won't work. I was just trying to understand how it actually works and why it's not subject to the sort of man in the middle attacks that are used with regular passwords and TOTP.
I'm also curious, if in the case of passkeys the browser can recognize that the wrong website is serving it the authentication challenge, why isn't that already used for security with plain old passwords? Why do man in the middle attacks work at all, where a website looks like the authenticate website, but is really a fake one, being used to capture passwords and TOTP, and then pass them on to the real site, so the fraudster can get into it? Why wouldn't the browser just recognize that the wrong website is asking for the password, etc., and reject it?
I'm not sure I'm the best person to answer this, but I'll give it a shot. My understanding is that passkeys generate a unique public/private key pair for each user, device, and website combination. The website's URL is stored as part of the passkey. The browser matches the passkey's URL to the website's URL used in its TLS certificate.
Traditional passwords and TOTP codes don't have a protocol to associate a password or code with a specific website. It's up to the user to know when to enter the right password or code on the right site. That's why phishing and MITM work so well, because the user can be tricked into entering a password or code on the wrong site.
Verification usually only works one way, because the server is the only side that has a public/private key pair for TLS. The client browser can verify the authenticity of the server, but the server can't verify the authenticity of the browser. The server just has to trust that the password or code is being sent from a valid client and not a MITM.
Technically most browsers do support client certificates, which a web server could use to verify a browser. In practice very few sites use client certificates, because they're difficult to setup and maintain on the clients. They tend to a require a centralized certificate authority that everyone has to agree to trust.
Passkeys get around this by generating a unique key pair for every user of every website, instead of a single client certificate that multiple sites need to agree to trust. Passkeys give up some centralized control, and they require more storage, but they should be easier to implement than client certificates combined with user passwords.
alankeny Thanks for the explanation. That does make sense. I can see how that would work.
One thing that's interesting about this is that it means passkeys really are doing more than just be alternatives to passwords. They don't simply verify that it's the correct person who is logging in. They also verify that the website is the correct website. So passkeys are a kind of two way, rather than one way authentication. Both parties are authenticated to each other. Of course, there are still other problems with passwords.
It also suggests that the two functionalities could be separate from each other. If there was a better way to authenticate the website you're logging into, then you could use a regular password and it would be more secure. As you point out, client certificates have not worked so well for this. But, in a sense, it's more this problem that passkeys set out to solve, than the problem of weak passwords.
Relaying a comment from another forum.
All these seem to imply:
I will likely use redundant personally-managed security keys for finance, critical authentication, clients, etc. (Need a good lanyard!) I'll use my phone with passkeys for everything else.
Of course this is soon as I'm sure it's all working. 😁 I am not saying I've tested this yet. This just seemed like wise words to me.
Thought I would share
If someone could be convinced to give a phisher access to, say, their Google account, couldn't the phisher sync all of the victim's passkeys to their device, thus giving them quick and easy access to all of their passkey-protected accounts? Since we're talking about the average person, he likely would not tinker with the default settings, so would not choose single-use passkeys. Nor would the average person want to.
Compare this to convincing someone to give up the master password to their password manager—not likely. They may, however, be convinced to hand over one or two passwords to certain accounts. So I don't think it's accurate to say passkeys make phishing a thing of the past, and in the case of successful phishing, the compromise would have a larger impact.
Yeah, con artists are gonna con. Victims are gonna ... vic. I can't imagine either will ever stop.
"Three great forces rule the world: stupidity, fear and greed." - Albert Einstein
Hi everyone, I've read articles and everything... I don't understand anything about passkey, I don't understand what it's for, if someone can explain it to me in children's words... I'd really like to understand. Thank you
I found it totally confusing, and I have no clue if I set it up successfully or not.
Google needs to get a native speaker of Standard North American English to write a straightforward set of instructions, and accompanying explanation.
Obviously the geeks understand it, but it leaves the rest of us completely mystified.
[deleted] If I have your permission to lie a little I'll give it a try.
I believe the basic idea is that each web service you use (e.g., Twitter, Google) negotiates a very-long random password with one of your devices (e.g., your Pixel phone) to use when logging in to that web service. Then you don't need to remember a password for that web service, and they don't need to worry that you've picked a short password or a password you've used for every other web service. All you need to do is to carry your phone and remember how to unlock your phone, which you probably do naturally, and it's always great if a security scheme relies on what you naturally do instead of things that are annoying for you to do (like remember a different long password for each web service).
I lied when I said it's a password. It's not really the same thing as a password, so it can't be stolen while you're logging in to the web service, and if you are tricked into logging in to something that isn't the service you think it is, the passkey just won't work, so unlike a password it can't be phished.
I also lied when I said it's a separate password for each device, because some device ecosystems (e.g., Apple) have ways to synchronize a passkey across all of your devices. So if you want to log into Google Drive and your iPhone has a passkey for Google then your iPad will too.
If you already use a password manager with long random passwords, especially if your password manager does cloud synching between devices, then your setup is similar in many ways to what passkeys will do. Passkeys arguably are better because passkeys can't be phished, and also because lots and lots of people don't use per-site long random passwords, so passkeys might be a way to get a couple billion people to stop using "dog1234" as their password for 100 different web services.
Does that help?
