Differences

This shows you the differences between two versions of the page.

--- passkey [2024.03.10 19:55] – [Using passwords] Steve Isenberg
+++ passkey [2024.03.13 05:47] (current) – Steve Isenberg
@@ Line 1: / Line 1: @@
 ~~NOCACHE~~ <fc #a0a0a0><fs small>[This page last changed ~~LASTMOD~~;
 visits {{counter|today| time| times}} today, {{counter|yesterday| time| times}} yesterday, and {{counter|total| time total| total times}}]</fs></fc>
-Presentation can be include [[https://blog.1password.com/passkeys-vs-passwords-differences/]]
@@ Line 11: / Line 9: @@
 [[https://www.youtube.com/watch?v=IhuBZOgWbIg|Short video, Passwords: use and risk]] <fc #ffffff>Marx Brothers</fc>
-====Using passwords====
+The following digested from [[https://blog.1password.com/passkeys-vs-passwords-differences/]] with some embellishment
-  - Sign up with a website, eg, buystuff.com
-  - Buystuff accepts a password you create, Buystuff needs to remember this password
+===Passwords - shared secret===
-  - You need to remember this password, using a password manager like KeePassXC or others or writing it down
+  - When you create an account, you choose a password, a ''shared secret'' and give it to the website
-  - When you log in, you need to send the password to buystuff.com
+  - The website uses a math algorithm to encrypt/scramble the password into a hash that it saves
-  - Buystuff makes sure you entered the correct password and if so lets you in
+  - When you login, you send the password to the website
+  - The website uses the same math to encrypt/scramble the password you entered and compares it to the hash it's saved
+  - If the two hashes match then you're in
+===Passwords: What does this mean===
+  * Passwords can be guessed
+  * Passwords can be seen in transit
+  * Passwords need to be complex (u/l case, #, special chars) and long so hard to guess
+  * Some websites may save the password and not the hash (and passwords are compromised in a breech)
+  * Best to use a password manager to create and store complex passwords different for each website (e.g., BitWarden, 1Password, Dashland, KeePass)
+===Passcodes - use public key cryptology===
+  * Each passkey is a pair of keys: a public key and a private key
+  * These are mathematically linked together
+  * Public key is given to and stored by the website when you sign up with the website(and it's ok if attacker sees this)
+  * Private key is never shared
+Public info: your public key and the algorithm used (e.g., 3DES, AES, RSA)\\
+f( f(number, public key) , private key) = number\\
+[[https://www.comparitech.com/blog/information-security/encryption-types-explained/|More info on encryption]]
+===Signing in using Passcodes===
+  - Your device asks website to log you in
+  - Website encrypts some arbitrary number (a ''nonce'') using your public key and sends it to you
+  - Your device uses your private key to decrypt this and sends back the decrypted number
+  - The website verifies that what you sent in #3 matches the arbitrary number it encrypted in #2
+  - If there's a match, you're logged in
-====Using passkeys====
+===Passcodes: What does this mean===
-  - Sign up with a website that supports passkeys, eg, goodstuff.com
+  * Passkeys can't be guessed (unlike simple passwords)
-  - You are using a password manager that supports passkeys
+  * Attackers can't do anything if they get your public key (it's useless without your private key that you never share)
-  - Your password manager creates a public and private key that's unique for you
+  * Attackers can't see anything useful in transit like they can with passwords
-  - You give the public key to goodstuff.com
+  * You can have many public-private key pairs (I haven't seen a site say this though)
-  - The private key never leaves your device
-  - When you want to log into goodstuff.com, the website creates a secret number and encrypts it using your public key, sends it to you
+(Argument: passkeys can be guessed. Yes, you can guess a 1024-bit or ~300 digit number given enough time and computing resources.  Yes, quantum computers may speed this up, which is a concern.)
-  - Only you can decrypt the message as only you have the private key
-  - You decrypt the message and send back the secret number or phrase to goodstuff.com
-  - The website goodstuff.com receives this, compares it to what they encrypted and sent, and if matches they know it is you, and you're logged in
-A lot of this happens behind the scenes.
 ===1. Passkey Example===
-Let's try a simple public/private key and we'll use addition as an operation and 3-digit numbers to make it easier for this example.
+Let's try a simple public/private key and we'll use addition as an operation and 3-digit numbers to make it easier for this example.  Note: it's really much more complicated than this!
-  * Pick a public key: ''359''; private key will be ''751''.
+  * Pick a Public key: ''359''; Private key will be ''751''.
-  * Remember, everyone can know the public key but only you know the private key.
+  * Remember, everyone can know the Public key but only you know the Private key.
   * Suppose message is 246
-  * Add public key:
+  * Add Public key:
     * 2+''3'' = 5
     * 4+''5'' = 9
     * 6+''9'' = 5 (drop the carry)
   * Thus the encrypted message is 595, they send this to you
-  * Anyone monitoring the communication only sees 595 and even though they know your public key, they can't decrypt the 595
+  * Anyone monitoring the communication only sees 595 and even though they know your Public key, they can't decrypt the 595
-  * You receive the message 595 and decrypt it using your private key (751), as only you know this
+  * You receive the message 595 and decrypt it using your Private key (751), as only you know this
     * 5+''7'' = 2 (drop the carry)
     * 9+''5'' = 4
@@ Line 47: / Line 68: @@
   * and you have decrypted the message and see 246.
-Note this is a simple example. In real life a much larger public key and private key would be used involving large prime numbers and complex mathematics.  See: section below for 'gory math'.
+Note this is a simple example. In real life a much larger Public key and Private key would be used involving large prime numbers and complex mathematics.  See: section below for 'gory math'.
 ===2. Live Demonstration===
-==2a. Using existing passkey==
+==2a. Setting up==
-On smi's Muscat, log into Shopify.com using BitWarden for either shopify1 or shopify2 account and its passkey.
+We'll assume that you have set up your environment, you need to do this just once.  For this demo I'm using Bitwarden, https://bitwarden.com
+  - install Bitwarden,
+  - create Bitwarden account,
+  - log into Bitwarden,
+  - install Bitwarden extension to Firefox.
+//Note that Bitwarden has OS requirements and that we are using the free version//))
+==2b. Login using an existing passkey==
+On smi's Muscat using Firefox, log into Shopify.com using BitWarden.\\
+On smi's Muscat using Firefox, log into Nintendo.com using Bitwarden.
+//note that I've only added the BitWarden extension to Firefox on Muscat.//
 ==2b. Creating passkey==
+<hidden>
 This from video [[https://bitwarden.com/passwordless-passkeys/|this Bitwarden demo video]]
-  - Set up environment once((1:install Bitwarden, 2:create Bitwarden account, 3:log into Bitwarden, 4:install Bitwarden extension to Firefox.  //Note that Bitwarden has OS requirements and that we are using the free version//))
   - Go to Shopify.com
   - Create account with password. Save to Bitwarden.
@@ Line 65: / Line 98: @@
   - Log out, log in.  Select the icon where userID is entered, select Shopify.
   - You're logged in.
+</hidden>
+At Nintendo
+  - In BitWarden, create login for Nintendo(name, user name=email, pw)
+  - Go to nintendo.com (the website)
+  - Sign-up
+  - Select the login info f/BitWarden
+  - Get verification email w/code, enter 4-digit code on Nintendo
+  - Log out, log in using new acct
+  - Account settings > Sign-in and security settings
+  - Scroll to Passkey, Edit
+  - Register a New Passkey
+  - Follow verification process: Submit to start it
+  - Enter 6-digit code
+  - Register
+  - BitWarden: select the login you just created to save the passkey
+Let's try it
+  - Sign out
+  - Sign in ''Passkey Sign-In''
+  - BitWarden: select the login you just created to use its saved passkey
+You're in.
-<hidden initialState="hidden" onHidden="Click to see gory math" on Visible="Click to hide this section">
+<hidden initialState="hidden" onHidden="Click to see gory math public/private key example" on Visible="Click to hide this section">
 this should be hidden
 <fs large>**Passkey internals -- example**</fs>
@@ Line 90: / Line 145: @@
 Let's say the website encrypts the string "HELLO", and will send it to us, we'll decrypt using our private key and return the string to the website.
-  - Convert the message HE to numerical representation: 8 5 12 15
+The website does:
+  - Convert the message HELLO to numerical representation: 8 5 12 15
   - Using the public key (5, 221), the website computes
     * H = 8^5 mod 221 = 32768 mod 221 = 119
     * E = 5^5 mod 221 = 3125 mod 221 = 197
+    * L = 12^5 mod 221 = 248831 mod 221 = 35
     * L = 12^5 mod 221 = 248831 mod 221 = 35
     * O = 15^5 mod 221 = 759375 mod 221 = 65
@@ Line 105: / Line 162: @@
   * 119^77 mod 221 = 8 which is 8th letter or H
   * 197^77 mod 221 = 5 which is 5th letter or E
+  * 35^77 mod 221 = 12 which is 12th letter or L
   * 35^77 mod 221 = 12 which is 12th letter or L
   * 65^77 mod 221 = 15 which is 15th letter or O
+We have decrypted the message to the string HELLO.
 We then send the plaintext HELLO back to the website.  Since we're the only ones with the private key that can decode a message sent with our public key, the website knows it is really us.
@@ Line 118: / Line 177: @@
 ^App      ^Passkeys    ^What's for free?^
-|Bitwarden|Browser only|Free: 2 users, 2 collections, Unlimited devices & passwords, passkeys, username and password generator. Online vault only.\\ [[https://bitwarden.com/pricing/|pricing and details]] [[https://bitwarden.com/search/?q=passkeys|Bitwarden and passkeys (search)]]|
+|Bitwarden|Browser only|Free: 2 users, 2 collections, Unlimited devices & passwords, passkeys, username and password generator. Online vault only but you can back it up elsewhere.\\ [[https://bitwarden.com/pricing/|pricing and details]] [[https://bitwarden.com/search/?q=passkeys|Bitwarden and passkeys (search)]]|
 |1Password|on Android  |Free for 14 days. Individual plan $2.99/mo: 1 user, unlimited devices & passwords\\ [[https://9to5google.com/2024/03/05/1password-adds-passkey-support-on-android/|Passkey support on Android]]|
 |Dashlane |yes, mobile only |Free: 1 device at a time, 25 passwords. Paid="Premium" $4.99/mo, many devices, no limit on passwords, VPN.\\ [[https://support.dashlane.com/hc/en-us/articles/360001166969-Compare-Dashlane-plans|plan comparison]]|
-|KeepassXC|browser only\\ NR4PT|Vault where you want it. 1 user, unlimited collections, devices, passwords. Password generator. Not sure passkey details. Note: you save your encrypted 'vault' where you want, eg: your computer, memory stick, cloud storage.|
+|KeepassXC|using browser extension|Vault where you want it. 1 user, unlimited collections, devices, passwords. Password generator. Not sure passkey details. Note: you save your encrypted 'vault' where you want, eg: your computer, memory stick, cloud storage.|
 |Apple|requires iOS & iPadOS 16, MacOS 13 or later.|No charge. [[https://support.apple.com/guide/iphone/use-passkeys-to-sign-in-to-apps-and-websites-iphf538ea8d0/ios|Details on use]]|
 |Google|yes     |[[https://www.google.com/account/about/passkeys/|about and link for setting up]]|
-[[https://www.corbado.com/blog/keepassxc-passkeys|info on Keepass and passkeys.]]\\
-NR4PT: Not ready for prime time (my opinion)
@@ Line 134: / Line 190: @@
   * [[https://blog.1password.com/passkeys-vs-passwords-differences/]]
   * [[https://tech.co/news/passkeys-vs-passwords]]
+  * [[https://passkeys.directory/|passkeys directory]] has info on sites supporting (and not supporting) passkeys
+  * [[https://www.corbado.com/blog/keepassxc-passkeys|info on Keepass and passkeys.]]