• PastaGorgonzola@lemmy.world
    link
    fedilink
    English
    arrow-up
    27
    arrow-down
    1
    ·
    1 year ago

    The biggest difference: nothing sensitive is stored on the server. No passwords, no password hashes, just a public key. No amount of brute forcing, dictionary attacks or rainbow tables can help an attacker log in with a public key.

    “But what about phising? If the attacker has the public key, they can pretend to be the actual site and trick the user into logging in.” Only if they also manage to use the same domain name. Like a password manager, passkeys are stored for a specific domain name. If the domain doesn’t match, the passkey won’t be found.

    https://www.youtube.com/watch?v=qNy_Q9fth-4 gives a pretty good introduction on them.

    • xinayder@infosec.pub
      link
      fedilink
      arrow-up
      2
      arrow-down
      1
      ·
      1 year ago

      This is something being sold in favor of passkeys but I can’t ser how “more secure” it is for me.

      I use Bitwarden, the domain name matching works exactly like passkey’s. How more secure a passkey is, if it has 0 changes to this domain name detection?

      • PastaGorgonzola@lemmy.world
        link
        fedilink
        English
        arrow-up
        9
        ·
        1 year ago

        That’s the part where the server doesn’t story any information that an attacker could use to log in. The attacker would need the private key, which is stored inside a secure chip on your device (unless you decide to store it in your password manager). All that’s stored server side, is the public key.

        When you’re using a password, the server will store a hashed version of that password. If this is leaked, an attacker can attempt to brute-force this leaked password. If the server didn’t properly store hash the password, a leak simply exposes the password and allows the attacker access. If the user didn’t generate unique passwords for each site/server, that exposes them further to password spraying. In that case an attacker would try these same credentials on multiple sites, potentially giving them access to all these accounts.

        In case of passkey, the public key doesn’t need to be secret. The secret part is all on your end (unless you store that secret in the managed vault of your password manager).

        I do agree that your risk is quite small if you’re already

        • using a decent password manager
        • doing that the right way
        • have enabled 2FA wherever possible
      • Natanael@slrpnk.net
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        1 year ago

        With a breach of the server then they can get your password the next time you log in and maintain persistent access until they’re both kicked out and everybody has changed passwords.

        With passkeys you don’t need to do anything, they never had your secret.