However, the "passkeys" branding is pretty much exclusively used for keys that sync, usually with the platform authenticator. Wouldn't that be kind of a big deal, if you were a tinfoil hatter? Am I missing anything?
However, the "passkeys" branding is pretty much exclusively used for keys that sync, usually with the platform authenticator. Wouldn't that be kind of a big deal, if you were a tinfoil hatter? Am I missing anything?
runjake•57m ago
I don't know your level of technical knowledge, but Passkeys are essentially a key pair (public/private) that follows the FIDO2/WebAuthn standard, similar to how PGP, SSH keys, or even website SSL keys work.
The difference here is the private key is stored in a Secure Enclave or a Trusted Platform Module (TPM) on your devices. The Secure Enclave/TPM are theoretically hardware-isolated so that even your OS can't directly access them (no DMA). Instead, you use a special authentication API to make the calls. Again, no direct memory access (unless an exploit is found. :-P)
Normally, you use biometrics or a PIN to provide user verification to the Secure Enclave/TPM, which unlocks access.
Here's how the flow works as I understand it:
1. You visit a website and try to login.
2. The server sends a randomized challenge string.
3. Your device's authenticator signs that challenge using the private key.
4. That signature gets sent back to the server.
5. The server verifies the signature using the public key it has on file.
Why Passkeys are cool:
- No shared secrets, so there's nothing on the server that's useful to steal.
- They're phishing resistant, the browser or whatever ensures the origin matches before allowing auth.
- No replay attacks because the server issues a new randomized challenge string every time.
- No cred stuffing because each passkey is unique to the service it's generated for.
This should all be correct to the best of my unexpert knowledge.