This is because they use public key cryptography (asymmetric encryption), as opposed to the symmetric, shared-secret model we are used to with passwords. It is functionally identical to using SSH keys instead of a password.
On sign up, your device generates a key pair and sends only the public key to the server. On login, the server sends the client a challenge that can only be answered by signing it with the client's private key; the server then checks that signature against the public key it stored. Your private key NEVER leaves your device. If the server gets breached, the attackers can only get your public key, which is effectively useless to them. Even TOTP doesn't use asymmetric keys. This is huge!
The FIDO Alliance website has a nice, albeit greatly simplified, explainer here. I'd strongly recommend giving it a read.
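The sign-up and login exchange described above, as an added example in Go that is not part of the original thread: the server side stores only public keys plus a single-use challenge per user, the private key stays in the caller's hands, and a replayed assertion or one signed with a different key is rejected. The type and function names (Server, Register, Challenge, Sign, Verify) are assumptions for this toy, not WebAuthn API names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Server stores only public keys plus the single-use challenge last issued per user (toy state).
type Server struct {
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server { return &Server{map[string]*ecdsa.PublicKey{}, map[string][]byte{}} }

// Register runs on the client: generate a key pair and send the server only the public half.
func Register(s *Server, user string) *ecdsa.PrivateKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if crypto/rand does
	s.pubKeys[user] = &priv.PublicKey
	return priv // stays on the device; the server never sees it
}

// Challenge issues a fresh random nonce so a previously captured answer cannot be replayed.
func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand; real code should treat an error here as fatal
	s.challenges[user] = c
	return c
}

// Sign runs on the client: answer the challenge with the private key (the assertion).
func Sign(priv *ecdsa.PrivateKey, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return sig
}

// Verify checks the assertion with the stored public key and consumes the challenge,
// so a replayed or stale assertion is rejected even when its signature is valid.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, known := s.pubKeys[user]
	issued, pending := s.challenges[user]
	if !known || !pending || string(issued) != string(challenge) {
		return false
	}
	delete(s.challenges, user)
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

A breach of Server exposes pubKeys only; with just those an attacker cannot produce a signature that Verify accepts.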
🧵2/2