However, the "passkeys" branding is pretty much exclusively used for keys that sync, usually with the platform authenticator. Wouldn't that be kind of a big deal, if you were a tinfoil hatter? Am I missing anything?
However, the "passkeys" branding is pretty much exclusively used for keys that sync, usually with the platform authenticator. Wouldn't that be kind of a big deal, if you were a tinfoil hatter? Am I missing anything?
(Although I recommend reading more about FIDO2 keys and webauthn instead of passkeys, because passkeys are one specific variant of FIDO2 webauthn + marketing around it.)
runjake•3mo ago
I don't know your level of technical knowledge, but Passkeys replace passwords by using public key cryptography instead of shared secrets (passwords).
They consist of a key pair (public and private) and are based on the FIDO2/WebAuthn standard. Like other public key systems (PGP, SSH keys, or SSL certificates), the public key is shared while the private key remains secret.
There are two main types of Passkeys: device-bound and synced. Both types are significantly more secure than passwords and resistant to phishing, but they have different trade-offs between security and convenience.
Device-Bound Passkeys:
With device-bound Passkeys, the private key is stored in a Secure Enclave or a Trusted Platform Module (TPM) on your device. The Secure Enclave and TPM are hardware-isolated, preventing even your operating system from directly accessing them. Instead, you use a special authentication API to make calls. There is no direct memory access to these keys unless an exploit is discovered.
Think of a Secure Enclave and Trusted Platform Modules as a little, isolated computer inside your device -- because that's what they are! They have their own processor and operating system, and they are completely isolated from the rest of the device. They only release signatures and never release secrets (and aren't even capable of doing so, under normal cases). The device can only talk to the Secure Enclave/TPM via special authentication APIs.
Synced Passkeys:
Synced Passkeys store the private key in encrypted form within a password manager or platform keychain (like iCloud Keychain, Google Password Manager, or 1Password. These passkeys are designed to be backed up and synchronized across your devices for convenience. While the keys are encrypted during storage and transit, they're not permanently bound to a single hardware chip.
This makes them more flexible and user-friendly, though they rely on the security of your account and the encryption used by the syncing service rather than hardware isolation.
Here's how the flow works as I understand it:
1. You visit a website and try to login.
2. The server sends a randomized challenge string.
3. Your device's authenticator signs that challenge using the private key.
4. That signature gets sent back to the server.
5. The server verifies the signature using the public key it has on file.
Why Passkeys are cool:
- No shared secrets, so there's nothing on the server that's useful to steal.
- They're phishing resistant, the browser or whatever ensures the origin matches before allowing auth.
- No replay attacks because the server issues a new randomized challenge string every time.
- No cred stuffing because each passkey is unique to the service it's generated for.
This should all be correct to the best of my unexpert knowledge.
---
Edit: Corrected some serious errors and forgot to explain device-bound vs. synced passkeys -- a major oversight!
Disclaimer: Yes, I'm a human and I use --. This comment is self-written but I did use AI for grammar correction.
r-johnv•3mo ago
I had a fair understanding of passkeys before reading your response, but I too learnt something from it.
Thank you.