The "To Keep Up" Wiki

A collection of information we find useful

passkey

Differences

This shows you the differences between two versions of the page.

passkey [2024.03.10 20:16] – [Password Managers Supporting Passkeys as of 04 March 2024] Steve Isenberg
passkey [2024.03.13 05:47] (current) Steve Isenberg
Line 1: Line 1:
 ~~NOCACHE~~ <fc #a0a0a0><fs small>[This page last changed ~~LASTMOD~~; ~~NOCACHE~~ <fc #a0a0a0><fs small>[This page last changed ~~LASTMOD~~;
 visits {{counter|today| time| times}} today, {{counter|yesterday| time| times}} yesterday, and {{counter|total| time total| total times}}]</fs></fc> visits {{counter|today| time| times}} today, {{counter|yesterday| time| times}} yesterday, and {{counter|total| time total| total times}}]</fs></fc>
- 
-Presentation can be include [[https://blog.1password.com/passkeys-vs-passwords-differences/]] 
  
  
Line 11: Line 9:
 [[https://www.youtube.com/watch?v=IhuBZOgWbIg|Short video, Passwords: use and risk]] <fc #ffffff>Marx Brothers</fc> [[https://www.youtube.com/watch?v=IhuBZOgWbIg|Short video, Passwords: use and risk]] <fc #ffffff>Marx Brothers</fc>
  
-====Using passwords==== +The following digested from [[https://blog.1password.com/passkeys-vs-passwords-differences/]] with some embellishment  
-  - Sign up with a websiteegbuystuff.com + 
-  - Buystuff accepts a password you createBuystuff needs to remember this password +===Passwords - shared secret=== 
-  - You need to remember this passwordusing a password manager like KeePassXC or others or writing it down +  - When you create an accountyou choose a passworda ''shared secret'' and give it to the website 
-  - When you log inyou need to send the password to buystuff.com +  - The website uses math algorithm to encrypt/scramble the password into a hash that it saves 
-  - Buystuff makes sure you entered the correct password and if so lets you in+  - When you loginyou send the password to the website 
 +  - The website uses the same math to encrypt/scramble the password you entered and compares it to the hash it's saved 
 +  - If the two hashes match then you're in 
 + 
 +===Passwords: What does this mean=== 
 +  * Passwords can be guessed 
 +  * Passwords can be seen in transit 
 +  * Passwords need to be complex (u/l case#, special chars) and long so hard to guess 
 +  * Some websites may save the password and not the hash (and passwords are compromised in a breech) 
 +  * Best to use a password manager to create and store complex passwords different for each website (e.g., BitWarden, 1Password, Dashland, KeePass) 
 + 
 +===Passcodes - use public key cryptology=== 
 +  * Each passkey is a pair of keys: a public key and a private key 
 +  * These are mathematically linked together  
 +  * Public key is given to and stored by the website when you sign up with the website(and it's ok if attacker sees this) 
 +  * Private key is never shared 
 + 
 +Public info: your public key and the algorithm used (e.g., 3DES, AES, RSA)\\  
 +f( f(number, public key) , private key) = number\\  
 +[[https://www.comparitech.com/blog/information-security/encryption-types-explained/|More info on encryption]] 
 + 
 +===Signing in using Passcodes=== 
 +  - Your device asks website to log you in 
 +  - Website encrypts some arbitrary number (a ''nonce'') using your public key and sends it to you 
 +  - Your device uses your private key to decrypt this and sends back the decrypted number 
 +  - The website verifies that what you sent in #3 matches the arbitrary number it encrypted in #2 
 +  - If there's a match, you're logged in
  
-====Using passkeys==== +===Passcodes: What does this mean=== 
-  - You are using a password manager that supports Passkeys +  Passkeys can't be guessed (unlike simple passwords) 
-  - Sign up with a website that supports Passkeys, eg, betterstuff.com +  * Attackers can't do anything if they get your public key (it's useless without your private key that you never share) 
-  - Betterstuff may first require that you create a password to log in +  * Attackers can't see anything useful in transit like they can with passwords 
-  You tell Betterstuff that you want to use Passkeys  +  You can have many public-private key pairs (I haven't seen a site say this though) 
-  Your password manager creates a Public and Private key that's unique for you +   
-  - You give the Public key to betterstuff.com +(Argument: passkeys can be guessedYes, you can guess a 1024-bit or ~300 digit number given enough time and computing resources.  Yes, quantum computers may speed this upwhich is a concern.) 
-  - The Private key never leaves your device (stays in password manager)\\  +  
-  - When you want to log into betterstuff.comthe website creates a secret number or character string and encrypts it using your Public key, sends it to you +
-  - Only you can decrypt the message as only you have the Private key +
-  You decrypt the message and send back the secret number or character string to betterstuff.com +
-  - The website betterstuff.com receives this, compares it to the number or string that they encrypted and sent, and if matches they know it is you, and you're logged in +
-//A lot of this happens behind the scenes.//+
  
 ===1. Passkey Example=== ===1. Passkey Example===
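Review bot: the added "Public info" line names 3DES and AES next to RSA as the algorithm in use, but 3DES and AES are symmetric ciphers with a single shared key, so they do not fit the public/private key pair the preceding bullets describe; keep only an asymmetric example such as RSA. In "Signing in using Passcodes", steps 2 and 3 have the website encrypt a nonce with the public key and the device decrypt it, whereas a passkey sign-in runs the other way round: the website sends the challenge, the device signs it with the private key, and the website verifies the signature with the stored public key. The three new headings say "Passcodes" while the bullets under them say "passkey", step 2 of the password list calls hashing "encrypt/scramble" although a hash is not reversible, and "breech" and "Dashland" should read "breach" and "Dashlane" (the spelling used in the table further down).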
Line 61: Line 80:
  
 ==2b. Login using an existing passkey== ==2b. Login using an existing passkey==
-On smi's Muscat, log into Shopify.com using BitWarden for either the  ''shopify1'' or ''shopify2'' account and its passkey.+On smi's Muscat using Firefox, log into Shopify.com using BitWarden.\\  
 +On smi's Muscat using Firefox, log into Nintendo.com using Bitwarden. 
 + 
 +//note that I've only added the BitWarden extension to Firefox on Muscat.//
  
 ==2b. Creating passkey== ==2b. Creating passkey==
 +<hidden>
 This from video [[https://bitwarden.com/passwordless-passkeys/|this Bitwarden demo video]] This from video [[https://bitwarden.com/passwordless-passkeys/|this Bitwarden demo video]]
  
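Review bot: the two added login lines spell the product "BitWarden" and "Bitwarden" in consecutive sentences; pick one spelling and use it throughout. The context lines also show two headings numbered 2b ("Login using an existing passkey" and "Creating passkey"), so renumber one of them while this section is being touched. The `<hidden>` opened here carries no title, which leaves readers no cue that the demo-video walkthrough is collapsed beneath it.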
Line 75: Line 98:
   - Log out, log in.  Select the icon where userID is entered, select Shopify.   - Log out, log in.  Select the icon where userID is entered, select Shopify.
   - You're logged in.   - You're logged in.
 +</hidden>
 +
 +At Nintendo
 +  - In BitWarden, create login for Nintendo(name, user name=email, pw)
 +  - Go to nintendo.com (the website)
 +  - Sign-up
 +  - Select the login info f/BitWarden
 +  - Get verification email w/code, enter 4-digit code on Nintendo
 +  - Log out, log in using new acct
 +  - Account settings > Sign-in and security settings
 +  - Scroll to Passkey, Edit
 +  - Register a New Passkey
 +  - Follow verification process: Submit to start it
 +  - Enter 6-digit code
 +  - Register
 +  - BitWarden: select the login you just created to save the passkey
 +
 +Let's try it
 +  - Sign out
 +  - Sign in ''Passkey Sign-In''
 +  - BitWarden: select the login you just created to use its saved passkey
 +You're in.
  
  
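Review bot: "At Nintendo" and "Let's try it" are added as bare lines directly after `</hidden>`, so the new walkthrough sits under the "2b. Creating passkey" heading with no heading of its own; give them the same `==...==` markup as the neighbouring sections. The steps state that the 4-digit sign-up code arrives by email but do not say where the 6-digit code for passkey registration comes from, and shorthand such as "f/BitWarden" and "w/code" is worth spelling out for readers following along.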
Line 135: Line 180:
 |1Password|on Android  |Free for 14 days. Individual plan $2.99/mo: 1 user, unlimited devices & passwords\\ [[https://9to5google.com/2024/03/05/1password-adds-passkey-support-on-android/|Passkey support on Android]]| |1Password|on Android  |Free for 14 days. Individual plan $2.99/mo: 1 user, unlimited devices & passwords\\ [[https://9to5google.com/2024/03/05/1password-adds-passkey-support-on-android/|Passkey support on Android]]|
 |Dashlane |yes, mobile only |Free: 1 device at a time, 25 passwords. Paid="Premium" $4.99/mo, many devices, no limit on passwords, VPN.\\ [[https://support.dashlane.com/hc/en-us/articles/360001166969-Compare-Dashlane-plans|plan comparison]]| |Dashlane |yes, mobile only |Free: 1 device at a time, 25 passwords. Paid="Premium" $4.99/mo, many devices, no limit on passwords, VPN.\\ [[https://support.dashlane.com/hc/en-us/articles/360001166969-Compare-Dashlane-plans|plan comparison]]|
-|KeepassXC|browser only\\ NR4PT|Vault where you want it. 1 user, unlimited collections, devices, passwords. Password generator. Not sure passkey details. Note: you save your encrypted 'vault' where you want, eg: your computer, memory stick, cloud storage.|+|KeepassXC|using browser extension|Vault where you want it. 1 user, unlimited collections, devices, passwords. Password generator. Not sure passkey details. Note: you save your encrypted 'vault' where you want, eg: your computer, memory stick, cloud storage.|
 |Apple|requires iOS & iPadOS 16, MacOS 13 or later.|No charge. [[https://support.apple.com/guide/iphone/use-passkeys-to-sign-in-to-apps-and-websites-iphf538ea8d0/ios|Details on use]]| |Apple|requires iOS & iPadOS 16, MacOS 13 or later.|No charge. [[https://support.apple.com/guide/iphone/use-passkeys-to-sign-in-to-apps-and-websites-iphf538ea8d0/ios|Details on use]]|
 |Google|yes     |[[https://www.google.com/account/about/passkeys/|about and link for setting up]]| |Google|yes     |[[https://www.google.com/account/about/passkeys/|about and link for setting up]]|
- 
-[[https://www.corbado.com/blog/keepassxc-passkeys|info on Keepass and passkeys.]]\\  
-NR4PT: Not ready for prime time (my opinion) 
  
  
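Review bot: the KeepassXC row now says "using browser extension" in the passkey column, but its description cell still reads "Not sure passkey details", and the NR4PT footnote that explained the earlier caveat is dropped without a replacement; either update the description to match the new claim or keep a short caveat in the row. The product is spelled "KeepassXC" in the table and "Keepass" in the link text removed here, so settle on one name.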
Line 148: Line 190:
   * [[https://blog.1password.com/passkeys-vs-passwords-differences/]]   * [[https://blog.1password.com/passkeys-vs-passwords-differences/]]
   * [[https://tech.co/news/passkeys-vs-passwords]]   * [[https://tech.co/news/passkeys-vs-passwords]]
 +  * [[https://passkeys.directory/|passkeys directory]] has info on sites supporting (and not supporting) passkeys
 +  * [[https://www.corbado.com/blog/keepassxc-passkeys|info on Keepass and passkeys.]]
passkey.1710127010.txt.gz · Last modified: 2024.03.10 20:16 by Steve Isenberg