In the past weeks, I have taken a first look at #Passkey, the new password-less authentication mechanism recently made available by Apple, Google and Microsoft. How does it work? What are its properties? Find some answers in my article here:

https://www.linkedin.com/pulse/look-password-less-authentication-passkeys-eric-bodden/

A look into password-less authentication with Passkeys

Passkeys make use of the authentication standard #FIDO2, which itself consists of #WebAuthn and

@guybrush They reinvented client-side certificates (of X.509-fame), didn't they?

@fm_volker good question. Maybe. Honestly I don't know much about those.

@guybrush Just like any PKI really...generate key-pair locally (and protected) on device, have a mechanism for the remote to certify it, and update your cert locally.

Next time you show up (via the cert), the remote recognises you via its signature. You just unlock your local certificate store a la your ssh-keyring.

So the mechanisms seem totally similar to me, yet of course we suffer from NIH and do it all over again...

@fm_volker Yes, sounds like the same idea. I think the two things that might have changed now are (1) simple addition of biometry as a second factor and (2) a relatively clever infrastructure for exchanging keys securely across devices.