Differences

This shows you the differences between two versions of the page.

--- passkey [2024.03.04 13:15] – Steve Isenberg
+++ passkey [2024.03.13 05:47] (current) – Steve Isenberg
@@ Line 1: / Line 1: @@
 ~~NOCACHE~~ <fc #a0a0a0><fs small>[This page last changed ~~LASTMOD~~;
 visits {{counter|today| time| times}} today, {{counter|yesterday| time| times}} yesterday, and {{counter|total| time total| total times}}]</fs></fc>
-<fs xx-large>This is a work in progress</fs>
-Presentation can be just [[https://blog.1password.com/passkeys-vs-passwords-differences/]]
 ====Passkey vs Password. What's the difference?====
-Password: alpha-numberic-special character sequence, a shared secret.  Longer and more complex is better.
+Password: alpha-numberic-special character sequence, a shared secret.  Longer and more complex is better.\\
 Passkey: Uses Public Key Cryptology.
-[[https://www.youtube.com/watch?v=W50L4UPfWsg|Short video, Passwords: use and risk]]
+[[https://www.youtube.com/watch?v=IhuBZOgWbIg|Short video, Passwords: use and risk]] <fc #ffffff>Marx Brothers</fc>
+The following digested from [[https://blog.1password.com/passkeys-vs-passwords-differences/]] with some embellishment
+===Passwords - shared secret===
+  - When you create an account, you choose a password, a ''shared secret'' and give it to the website
+  - The website uses a math algorithm to encrypt/scramble the password into a hash that it saves
+  - When you login, you send the password to the website
+  - The website uses the same math to encrypt/scramble the password you entered and compares it to the hash it's saved
+  - If the two hashes match then you're in
+===Passwords: What does this mean===
+  * Passwords can be guessed
+  * Passwords can be seen in transit
+  * Passwords need to be complex (u/l case, #, special chars) and long so hard to guess
+  * Some websites may save the password and not the hash (and passwords are compromised in a breech)
+  * Best to use a password manager to create and store complex passwords different for each website (e.g., BitWarden, 1Password, Dashland, KeePass)
+===Passcodes - use public key cryptology===
+  * Each passkey is a pair of keys: a public key and a private key
+  * These are mathematically linked together
+  * Public key is given to and stored by the website when you sign up with the website(and it's ok if attacker sees this)
+  * Private key is never shared
+Public info: your public key and the algorithm used (e.g., 3DES, AES, RSA)\\
+f( f(number, public key) , private key) = number\\
+[[https://www.comparitech.com/blog/information-security/encryption-types-explained/|More info on encryption]]
-====Using passwords====
+===Signing in using Passcodes===
-  - Sign up with a website, eg, buystuff.com
+  - Your device asks website to log you in
-  - Buystuff accepts a password you create
+  - Website encrypts some arbitrary number (a ''nonce'') using your public key and sends it to you
-  - You need to remember this password, using a password manager like KeePassXC or others
+  - Your device uses your private key to decrypt this and sends back the decrypted number
-  - When you log in, you need to send the password to buystuff.com
+  - The website verifies that what you sent in #3 matches the arbitrary number it encrypted in #2
-  - Buystuff makes sure you entered the correct password and if so lets you in
+  - If there's a match, you're logged in
-====Using passkeys====
+===Passcodes: What does this mean===
-  - Sign up with a website that supports passkeys, eg, goodstuff.com
+  * Passkeys can't be guessed (unlike simple passwords)
-  - You are using a password manager that supports passkeys
+  * Attackers can't do anything if they get your public key (it's useless without your private key that you never share)
-  - Your password manager creates a public and private key that's unique for you
+  * Attackers can't see anything useful in transit like they can with passwords
-  - You give the public key to goodstuff.com
+  * You can have many public-private key pairs (I haven't seen a site say this though)
-  - The private key never leaves your device
-  - When you want to log into goodstuff.com, the website creates a secret number and encrypts it using your public key, sends it to you
+(Argument: passkeys can be guessed. Yes, you can guess a 1024-bit or ~300 digit number given enough time and computing resources.  Yes, quantum computers may speed this up, which is a concern.)
-  - Only you can decrypt the message as only you have the private key
-  - You decrypt the message and send back the secret number or phrase to goodstuff.com
-  - The website goodstuff.com receives this, compares it to what they encrypted and sent, and if matches they know it is you, and you're logged in
 ===1. Passkey Example===
-Let's try a simple public/private key and we'll use addition as an operation and 3-digit numbers to make it easier for this example.
+Let's try a simple public/private key and we'll use addition as an operation and 3-digit numbers to make it easier for this example.  Note: it's really much more complicated than this!
-  * Pick a public key: 359; private key will be 751.  You'll see why shortly.
+  * Pick a Public key: ''359''; Private key will be ''751''.
-  * Remember, everyone can know the public key but only you know the private key.
+  * Remember, everyone can know the Public key but only you know the Private key.
   * Suppose message is 246
-  * Add public key:
+  * Add Public key:
-    * 2+3 = 5
+    * 2+''3'' = 5
-    * 4+5 = 9
+    * 4+''5'' = 9
-    * 6+9 = 5 (drop the carry)
+    * 6+''9'' = 5 (drop the carry)
-  * Thus the encrypted message is 595
+  * Thus the encrypted message is 595, they send this to you
-  * You receive the message 595 and decrypt it using your private key (751), only you know this
+  * Anyone monitoring the communication only sees 595 and even though they know your Public key, they can't decrypt the 595
-    * 5+7 = 2 (drop the carry)
+  * You receive the message 595 and decrypt it using your Private key (751), as only you know this
-    * 9+5 = 4
+    * 5+''7'' = 2 (drop the carry)
-    * 5+1 = 6
+    * 9+''5'' = 4
-  * and you decrypt the message and see 246.
+    * 5+''1'' = 6
+  * and you have decrypted the message and see 246.
-Note this is a simple example. In real life a much larger public key and private key would be used involving large prime numbers and complex mathematics.
+Note this is a simple example. In real life a much larger Public key and Private key would be used involving large prime numbers and complex mathematics.  See: section below for 'gory math'.
 ===2. Live Demonstration===
-==2a. Using existing passkey==
+==2a. Setting up==
-On smi's Muscat, log into Shopify.com using BitWarden for either shopify1 or shopify2 account and its passkey.
+We'll assume that you have set up your environment, you need to do this just once.  For this demo I'm using Bitwarden, https://bitwarden.com
+  - install Bitwarden,
+  - create Bitwarden account,
+  - log into Bitwarden,
+  - install Bitwarden extension to Firefox.
+//Note that Bitwarden has OS requirements and that we are using the free version//))
+==2b. Login using an existing passkey==
+On smi's Muscat using Firefox, log into Shopify.com using BitWarden.\\
+On smi's Muscat using Firefox, log into Nintendo.com using Bitwarden.
+//note that I've only added the BitWarden extension to Firefox on Muscat.//
 ==2b. Creating passkey==
-This from video [[https://bitwarden.com/passwordless-passkeys/|this Bitwarden demo video]], we'll use Shopify.
+<hidden>
-  - Set up environment once((install Bitwarden, create Bitwarden account, log into Bitwarden, install Bitwarden extension to Firefox.  Note that Bitwarden has OS requirements))
+This from video [[https://bitwarden.com/passwordless-passkeys/|this Bitwarden demo video]]
   - Go to Shopify.com
   - Create account with password. Save to Bitwarden.
@@ Line 65: / Line 98: @@
   - Log out, log in.  Select the icon where userID is entered, select Shopify.
   - You're logged in.
+</hidden>
+At Nintendo
+  - In BitWarden, create login for Nintendo(name, user name=email, pw)
+  - Go to nintendo.com (the website)
+  - Sign-up
+  - Select the login info f/BitWarden
+  - Get verification email w/code, enter 4-digit code on Nintendo
+  - Log out, log in using new acct
+  - Account settings > Sign-in and security settings
+  - Scroll to Passkey, Edit
+  - Register a New Passkey
+  - Follow verification process: Submit to start it
+  - Enter 6-digit code
+  - Register
+  - BitWarden: select the login you just created to save the passkey
+Let's try it
+  - Sign out
+  - Sign in ''Passkey Sign-In''
+  - BitWarden: select the login you just created to use its saved passkey
+You're in.
-====Passkey internals -- example====
-===1. Key Generation===
+<hidden initialState="hidden" onHidden="Click to see gory math public/private key example" on Visible="Click to hide this section">
+this should be hidden
+<fs large>**Passkey internals -- example**</fs>
+<fs medium>**Key Generation**</fs>
 This is done once, when we sign up with a website.
   - Select two large prime numbers, p and q.  For simplicity let's use p = 13 and q = 17.
@@ Line 83: / Line 139: @@
 and her private key (d, n) which is (77, 221)
-===Encryption===
+<fs medium>**Encryption**</fs>
 Here's how the website uses this passkey to authenticate us.
 Website wants to send a message to us, with passkey our job is to decode this and return the decrypted message to the website so the website will know we are who we claim.
@@ Line 89: / Line 145: @@
 Let's say the website encrypts the string "HELLO", and will send it to us, we'll decrypt using our private key and return the string to the website.
-  - Convert the message HE to numerical representation: 8 5 12 15
+The website does:
+  - Convert the message HELLO to numerical representation: 8 5 12 15
   - Using the public key (5, 221), the website computes
     * H = 8^5 mod 221 = 32768 mod 221 = 119
     * E = 5^5 mod 221 = 3125 mod 221 = 197
+    * L = 12^5 mod 221 = 248831 mod 221 = 35
     * L = 12^5 mod 221 = 248831 mod 221 = 35
     * O = 15^5 mod 221 = 759375 mod 221 = 65
@@ Line 98: / Line 156: @@
-===Decryption===
+<fs medium>**Decryption**</fs>
 We receive the encrypted message (119, 197, 35, 35, 65) from the website.\\
 we use our private key to decrypt the message using our private key (d, n) = (77, 221)\\
@@ Line 104: / Line 162: @@
   * 119^77 mod 221 = 8 which is 8th letter or H
   * 197^77 mod 221 = 5 which is 5th letter or E
+  * 35^77 mod 221 = 12 which is 12th letter or L
   * 35^77 mod 221 = 12 which is 12th letter or L
   * 65^77 mod 221 = 15 which is 15th letter or O
+We have decrypted the message to the string HELLO.
 We then send the plaintext HELLO back to the website.  Since we're the only ones with the private key that can decode a message sent with our public key, the website knows it is really us.
@@ Line 111: / Line 171: @@
 In this example, we chose small prime numbers for simplicity, but in practice, much larger prime numbers are used to enhance security. The modulus (n) is derived from the product of these primes, and the public exponent (e) is chosen such that it is coprime to φ(n). The private exponent (d) is calculated using modular arithmetic. This ensures that only the possessor of the private key can decrypt messages encrypted with the corresponding public key.
+</hidden>
+====Password Managers Supporting Passkeys as of 04 March 2024====
+^App      ^Passkeys    ^What's for free?^
+|Bitwarden|Browser only|Free: 2 users, 2 collections, Unlimited devices & passwords, passkeys, username and password generator. Online vault only but you can back it up elsewhere.\\ [[https://bitwarden.com/pricing/|pricing and details]] [[https://bitwarden.com/search/?q=passkeys|Bitwarden and passkeys (search)]]|
+|1Password|on Android  |Free for 14 days. Individual plan $2.99/mo: 1 user, unlimited devices & passwords\\ [[https://9to5google.com/2024/03/05/1password-adds-passkey-support-on-android/|Passkey support on Android]]|
+|Dashlane |yes, mobile only |Free: 1 device at a time, 25 passwords. Paid="Premium" $4.99/mo, many devices, no limit on passwords, VPN.\\ [[https://support.dashlane.com/hc/en-us/articles/360001166969-Compare-Dashlane-plans|plan comparison]]|
+|KeepassXC|using browser extension|Vault where you want it. 1 user, unlimited collections, devices, passwords. Password generator. Not sure passkey details. Note: you save your encrypted 'vault' where you want, eg: your computer, memory stick, cloud storage.|
+|Apple|requires iOS & iPadOS 16, MacOS 13 or later.|No charge. [[https://support.apple.com/guide/iphone/use-passkeys-to-sign-in-to-apps-and-websites-iphf538ea8d0/ios|Details on use]]|
+|Google|yes     |[[https://www.google.com/account/about/passkeys/|about and link for setting up]]|
 ====References====
-  * https://www.techtarget.com/whatis/feature/Passkey-vs-password-What-is-the-difference
+  * [[https://www.keepersecurity.com/blog/2023/10/17/passkey-vs-password-whats-the-difference/]]
-  * https://blog.1password.com/passkeys-vs-passwords-differences/
+  * [[https://www.techtarget.com/whatis/feature/Passkey-vs-password-What-is-the-difference]]
-  * https://tech.co/news/passkeys-vs-passwords
+  * [[https://blog.1password.com/passkeys-vs-passwords-differences/]]
+  * [[https://tech.co/news/passkeys-vs-passwords]]
+  * [[https://passkeys.directory/|passkeys directory]] has info on sites supporting (and not supporting) passkeys
+  * [[https://www.corbado.com/blog/keepassxc-passkeys|info on Keepass and passkeys.]]