Passkeys are an authentication mechanism, but the prf WebAuthn extension lets us use them for symmetric encryption, too!

I wrote about how that works, and how it's implemented in Typage, the TypeScript implementation of age.

Bonus: there's also a CLI plugin to use passkeys stored on FIDO2 hardware tokens.

https://words.filippo.io/passkey-encryption/?source=Mastodon

Encrypting Files with Passkeys and age

Encrypting files with passkeys, using the WebAuthn prf extension and the TypeScript age implementation.

@filippo prf kinda scares me. It doesn't seem resistant to active interposers (think for example hostile usb hub emulating a passthrough fido2 device) unless I'm missing something.

@arianvp all FIDO2 operations are vulnerable to active interposers right?

The way we use prf in age, that will still only get you one decryption of a known file per UP interaction, you can't extract a long-term reusable secret.

And a hostile hub essentially has control of the host system (by emulating a keyboard), so the impact is just equivalent to system compromise.
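A small Python model of the property described in the reply above, added here as an example; it is not Typage's or age's code. The authenticator side follows CTAP2 hmac-secret as used by the WebAuthn prf extension (HMAC-SHA256 over a per-credential secret, with the prf input hashed as SHA-256("WebAuthn PRF" || 0x00 || input)); the per-file random nonce, the HKDF-like wrapping-key step and the XOR wrap are assumptions standing in for the real stanza format and AEAD.

```python
import hashlib
import hmac
import os


class Authenticator:
    """Model of a FIDO2 authenticator exposing the WebAuthn prf extension.

    The per-credential secret (CredRandom) never leaves the device and every
    prf evaluation is an assertion, so it costs one user-presence (UP) touch.
    """

    def __init__(self):
        self._cred_random = os.urandom(32)  # stays on the device
        self.up_touches = 0

    def prf(self, prf_input: bytes) -> bytes:
        self.up_touches += 1  # one assertion, one touch
        # WebAuthn prf hashes the caller's input before handing it to hmac-secret.
        salt = hashlib.sha256(b"WebAuthn PRF" + b"\x00" + prf_input).digest()
        return hmac.new(self._cred_random, salt, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrapping_key(prf_output: bytes) -> bytes:
    # Assumed KDF step from prf output to a one-time wrapping key.
    return hmac.new(b"example-wrap", prf_output, hashlib.sha256).digest()


def encrypt_file_key(auth: Authenticator, file_key: bytes):
    # Assumption: a fresh random nonce per file is the prf input and is stored
    # in the clear next to the wrapped key, so decryption can repeat the prf call.
    nonce = os.urandom(32)
    wrapped = xor(file_key, wrapping_key(auth.prf(nonce)))
    return nonce, wrapped


def decrypt_file_key(auth: Authenticator, nonce: bytes, wrapped: bytes) -> bytes:
    return xor(wrapped, wrapping_key(auth.prf(nonce)))


def interposer_replay(captured_prf_output: bytes, wrapped: bytes) -> bytes:
    # What an active interposer that recorded one prf output can do: reuse it
    # as the wrapping key for any stanza. It only unwraps the file whose nonce
    # produced that output; no reusable long-term secret was exposed.
    return xor(wrapped, wrapping_key(captured_prf_output))
```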

@filippo this is actually so cool

@filippo I've looked at https://filekey.app before, seems to be a thing
FileKey

Encrypt and share files securely with passkeys. Fully offline, easy-to-use, and zero-knowledge for ultimate file protection.