The "To Keep Up" Wiki

A collection of information we find useful

User Tools

Site Tools

Trace: utilities
passkey

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
passkey [2024.03.12 14:43] Steve Isenbergpasskey [2024.03.13 05:47] (current) Steve Isenberg
Line 1: Line 1:
 ~~NOCACHE~~ <fc #a0a0a0><fs small>[This page last changed ~~LASTMOD~~; ~~NOCACHE~~ <fc #a0a0a0><fs small>[This page last changed ~~LASTMOD~~;
 visits {{counter|today| time| times}} today, {{counter|yesterday| time| times}} yesterday, and {{counter|total| time total| total times}}]</fs></fc> visits {{counter|today| time| times}} today, {{counter|yesterday| time| times}} yesterday, and {{counter|total| time total| total times}}]</fs></fc>
- 
-Presentation can be include [[https://blog.1password.com/passkeys-vs-passwords-differences/]] 
  
  
Line 11: Line 9:
 [[https://www.youtube.com/watch?v=IhuBZOgWbIg|Short video, Passwords: use and risk]] <fc #ffffff>Marx Brothers</fc> [[https://www.youtube.com/watch?v=IhuBZOgWbIg|Short video, Passwords: use and risk]] <fc #ffffff>Marx Brothers</fc>
  
-====Using passwords==== +The following digested from [[https://blog.1password.com/passkeys-vs-passwords-differences/]] with some embellishment  
-  - Sign up with a websiteegbuystuff.com + 
-  - Buystuff accepts a password you createBuystuff needs to remember this password +===Passwords - shared secret=== 
-  - You need to remember this passwordusing a password manager like KeePassXC or others or writing it down +  - When you create an accountyou choose a passworda ''shared secret'' and give it to the website 
-  - When you log inyou need to send the password to buystuff.com +  - The website uses math algorithm to encrypt/scramble the password into a hash that it saves 
-  - Buystuff makes sure you entered the correct password and if so lets you in+  - When you loginyou send the password to the website 
 +  - The website uses the same math to encrypt/scramble the password you entered and compares it to the hash it's saved 
 +  - If the two hashes match then you're in 
 + 
 +===Passwords: What does this mean=== 
 +  * Passwords can be guessed 
 +  * Passwords can be seen in transit 
 +  * Passwords need to be complex (u/l case#, special chars) and long so hard to guess 
 +  * Some websites may save the password and not the hash (and passwords are compromised in a breech) 
 +  * Best to use a password manager to create and store complex passwords different for each website (e.g., BitWarden, 1Password, Dashland, KeePass) 
 + 
 +===Passcodes - use public key cryptology=== 
 +  * Each passkey is a pair of keys: a public key and a private key 
 +  * These are mathematically linked together  
 +  * Public key is given to and stored by the website when you sign up with the website(and it's ok if attacker sees this) 
 +  * Private key is never shared 
 + 
 +Public info: your public key and the algorithm used (e.g., 3DES, AES, RSA)\\  
 +f( f(number, public key) , private key) = number\\  
 +[[https://www.comparitech.com/blog/information-security/encryption-types-explained/|More info on encryption]] 
 + 
 +===Signing in using Passcodes=== 
 +  - Your device asks website to log you in 
 +  - Website encrypts some arbitrary number (a ''nonce'') using your public key and sends it to you 
 +  - Your device uses your private key to decrypt this and sends back the decrypted number 
 +  - The website verifies that what you sent in #3 matches the arbitrary number it encrypted in #2 
 +  - If there's a match, you're logged in
  
-====Using passkeys==== +===Passcodes: What does this mean=== 
-  - You are using a password manager that supports Passkeys +  Passkeys can't be guessed (unlike simple passwords) 
-  - Sign up with a website that supports Passkeys, eg, betterstuff.com +  * Attackers can't do anything if they get your public key (it's useless without your private key that you never share) 
-  - Betterstuff may first require that you create a password to log in +  * Attackers can't see anything useful in transit like they can with passwords 
-  You tell Betterstuff that you want to use Passkeys  +  You can have many public-private key pairs (I haven't seen a site say this though) 
-  Your password manager creates a Public and Private key that's unique for you +   
-  - You give the Public key to betterstuff.com +(Argument: passkeys can be guessedYes, you can guess a 1024-bit or ~300 digit number given enough time and computing resources.  Yes, quantum computers may speed this upwhich is a concern.) 
-  - The Private key never leaves your device (stays in password manager)\\  +  
-  - When you want to log into betterstuff.comthe website creates a secret number or character string and encrypts it using your Public key, sends it to you +
-  - Only you can decrypt the message as only you have the Private key +
-  You decrypt the message and send back the secret number or character string to betterstuff.com +
-  - The website betterstuff.com receives this, compares it to the number or string that they encrypted and sent, and if matches they know it is you, and you're logged in +
-//A lot of this happens behind the scenes.//+
  
 ===1. Passkey Example=== ===1. Passkey Example===
Line 67: Line 86:
  
 ==2b. Creating passkey== ==2b. Creating passkey==
 +<hidden>
 This from video [[https://bitwarden.com/passwordless-passkeys/|this Bitwarden demo video]] This from video [[https://bitwarden.com/passwordless-passkeys/|this Bitwarden demo video]]
  
Line 78: Line 98:
   - Log out, log in.  Select the icon where userID is entered, select Shopify.   - Log out, log in.  Select the icon where userID is entered, select Shopify.
   - You're logged in.   - You're logged in.
 +</hidden>
 +
 +At Nintendo
 +  - In BitWarden, create login for Nintendo(name, user name=email, pw)
 +  - Go to nintendo.com (the website)
 +  - Sign-up
 +  - Select the login info f/BitWarden
 +  - Get verification email w/code, enter 4-digit code on Nintendo
 +  - Log out, log in using new acct
 +  - Account settings > Sign-in and security settings
 +  - Scroll to Passkey, Edit
 +  - Register a New Passkey
 +  - Follow verification process: Submit to start it
 +  - Enter 6-digit code
 +  - Register
 +  - BitWarden: select the login you just created to save the passkey
 +
 +Let's try it
 +  - Sign out
 +  - Sign in ''Passkey Sign-In''
 +  - BitWarden: select the login you just created to use its saved passkey
 +You're in.
  
  
Line 141: Line 183:
 |Apple|requires iOS & iPadOS 16, MacOS 13 or later.|No charge. [[https://support.apple.com/guide/iphone/use-passkeys-to-sign-in-to-apps-and-websites-iphf538ea8d0/ios|Details on use]]| |Apple|requires iOS & iPadOS 16, MacOS 13 or later.|No charge. [[https://support.apple.com/guide/iphone/use-passkeys-to-sign-in-to-apps-and-websites-iphf538ea8d0/ios|Details on use]]|
 |Google|yes     |[[https://www.google.com/account/about/passkeys/|about and link for setting up]]| |Google|yes     |[[https://www.google.com/account/about/passkeys/|about and link for setting up]]|
- 
-[[https://www.corbado.com/blog/keepassxc-passkeys|info on Keepass and passkeys.]]\\  
-NR4PT: Not ready for prime time (my opinion) 
  
  
Line 151: Line 190:
   * [[https://blog.1password.com/passkeys-vs-passwords-differences/]]   * [[https://blog.1password.com/passkeys-vs-passwords-differences/]]
   * [[https://tech.co/news/passkeys-vs-passwords]]   * [[https://tech.co/news/passkeys-vs-passwords]]
-  * [[https://passkeys.directory/|Community-driven directory of websites, apps, and services that offer passkey sign-ins]]+  * [[https://passkeys.directory/|passkeys directory]] has info on sites supporting (and not supporting) passkeys 
 +  * [[https://www.corbado.com/blog/keepassxc-passkeys|info on Keepass and passkeys.]]
passkey.1710279793.txt.gz · Last modified: 2024.03.12 14:43 by Steve Isenberg