Passkeys (imperialviolet.org)
100 points by pabs3 on Sept 23, 2022 | hide | past | favorite | 15 comments


At BlinkShell we recently added support for WebAuthn for SSH keys. WebAuthn signatures have been a part of OpenSSH for a while now, but it looks like we are the first client to do so. You can check out a few cool flows here https://twitter.com/BlinkShell/status/1570427813819486212?s=...

IMO, the best part of Apple adding Passkeys support over WebAuthn is that we are finally able to use Secure Keys as well across all devices. If this takes off, I wonder if it would somehow end up replacing FIDO2 for Secure Keys scenarios as well.


For anyone else familiar with WebAuthn but confused about the generic term 'passkey' like I was: the author is probably talking about some new Apple feature for iOS. It looks just like regular WebAuthn from what I can tell.


This is a joint development announced by Apple, FIDO, Google, and Microsoft. Passkeys follow the WebAuthn standard but add the functionality of working cross-device without needing to re-enroll and allow one device to authenticate for another nearby device (i.e. a phone authenticating a login attempt on a laptop).

https://fidoalliance.org/apple-google-and-microsoft-commit-t...


If you’re familiar with U2F and FIDO2 MFA, Adam Langley’s interview on the “Security, Cryptography, Whatever” podcast is worth listening to for the discussion of what’s happened since and the thinking behind many of the decisions:

https://securitycryptographywhatever.buzzsprout.com/1822302/...


Yes, it is WebAuthn + iCloud storage of the client credentials.


Note that Microsoft and Google also agreed to the passkey terminology and will be adopting it in all their WebAuthn-related UIs.


Also, there is a draft being worked on for credential transfer:

   This document describes a mechanism to transfer digital credentials
   securely between two devices.  Secure credentials may represent a
   digital key to a hotel room, a digital key to a door lock in a house
   or a digital key to a car.  Devices that share credentials may belong
   to the same or two different platforms (e.g. iOS and Android).
   Secure transfer may include one or more write and read operations.
   Credential transfer needs to be performed securely due to the
   sensitive nature of the information.
* https://datatracker.ietf.org/doc/html/draft-secure-credentia...


Being very pedantic: "passkey" is spelt with a lowercase "p" like with "password".


Check out this WebAuthn (passkey) implementation, helpful for your web projects: https://github.com/authcompanion/authcompanion2


This looks really useful. Thank you.


Seems like there is no standard for a HTTP protocol for Webauthn logins, like there is for Basic Auth, Kerberos Negotiate, etc?


Unfortunately not. But recently serialisation and deserialisation _have_ been added to the standard. So it's something:

https://github.com/w3c/webauthn/pull/1703

GitHub maintains a ponyfill for browsers that don't support this standardised serialisation format yet: https://github.com/github/webauthn-json


The author of the pull request wrote a tool to deal with the serialisation/deserialisation which works great and has a passkey option: https://simplewebauthn.dev/docs/



This is a great tutorial. thanks!



