[This page last changed 2024.03.13 05:47]
Passkey vs Password. What's the difference?
Password: an alphanumeric/special-character sequence that both you and the website know, i.e. a shared secret. Longer and more complex is better.
Passkey: uses public key cryptography. The website stores only a public key; the matching private key stays on your device (or in your password manager) and is never sent to the website.
Short video on password use and risk: Marx Brothers
The following is digested from https://blog.1password.com/passkeys-vs-passwords-differences/ with some embellishment.
Passwords - shared secret
- When you create an account, you choose a password (a shared secret) and give it to the website
- The website runs the password through a one-way hash function and saves the hash, not the password. Ideally it uses a slow, salted password hash (e.g., bcrypt or Argon2) so that stolen hashes are expensive to crack
- When you log in, you send the password to the website
- The website hashes the password you entered with the same function and compares the result to the hash it saved
- If the two hashes match, you're in
Passwords: What does this mean
- Passwords can be guessed (and stolen hashes can be cracked offline by guessing)
- Passwords can be captured in transit, and because you have to send the secret itself, a look-alike (phishing) site can simply collect it
- Passwords need to be complex (upper/lower case, digits, special characters) and long so they are hard to guess
- Some websites save the password itself rather than the hash, and those passwords are exposed outright in a breach
- Best to use a password manager to create and store a different complex password for each website (e.g., Bitwarden, 1Password, Dashlane, KeePass)
Passkeys - use public key cryptography
- Each passkey is a pair of keys: a public key and a private key
- These are mathematically linked together
- The public key is given to and stored by the website when you sign up (it's OK if an attacker sees it)
- The private key is never shared; it stays on your device or in your password manager
Public info: your public key and the algorithm used (e.g., ECDSA or RSA; symmetric ciphers such as 3DES and AES use a single shared key and are not what passkeys are built on)
For RSA-style schemes the two keys undo each other in either order: f( f(number, public key), private key ) = number, and likewise f( f(number, private key), public key ) = number. Passkeys use the second direction: your device transforms ("signs") a number with the private key, and the website checks the result with the public key.
More info on encryption
Signing in using Passkeys
- Your device asks the website to log you in
- The website generates a fresh random number (a nonce, or challenge) and sends it to your device
- Your device signs the challenge, together with the website's identity, using your private key, and sends the signature back
- The website checks the signature from step 3 against the challenge it issued in step 2 and the public key it stored at sign-up
- If the signature checks out, you're logged in. The challenge is used once, so a recorded signature is worthless later
Passkeys: What does this mean
- Passkeys can't be guessed the way weak passwords can
- Attackers can't do anything with your public key (it's useless without the private key, which you never share)
- Attackers watching the traffic see only a one-time challenge and its signature, neither of which can be replayed or turned into a password
- A passkey is tied to the site it was created for, so a look-alike site cannot trick your device into signing you in to the real one
- Each site gets its own key pair, so you can have many public-private key pairs (I haven't seen a site say this though)
(Argument: passkeys can be guessed. In principle, yes: a private key is just a very large number, e.g. ~78 digits for the 256-bit elliptic-curve keys passkeys commonly use, or ~617 digits for a 2048-bit RSA key, and with unlimited time and computing power it could be found. In practice that search is far beyond any computer, so brute force is not a realistic attack. A large quantum computer running Shor's algorithm would break RSA and elliptic-curve keys outright, and that is the legitimate longer-term concern.)
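The sign-in exchange above and the claims in the last list (a one-time challenge, a replay that fails, a public key that is useless on its own, a passkey that a look-alike site cannot borrow), as an added example in Python. This is not code from the page, from 1Password or from any passkey product: the `Authenticator` and `RelyingParty` classes, the `bank.example` and `phish.example` site names and the user `alice` are made up for the demonstration, and textbook RSA with a 128-bit modulus stands in for the ECDSA P-256 or RSA signatures real authenticators use, because the Python standard library has no signature primitive.

```python
import hashlib
import secrets

# Added example, not code from the page or from any passkey product. Textbook
# RSA (no padding, 128-bit modulus) stands in for the ECDSA P-256 / RSA
# signatures real authenticators use. Toy strength only; never reuse it.


def is_probable_prime(n, rounds=32):
    """Miller-Rabin; plenty for the toy key sizes used here."""
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if is_probable_prime(cand):
            return cand


def make_keypair(bits=128, e=65537):
    """Return ((n, e), (n, d)): a fresh public/private pair on every call."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def signing_input(rp_id, challenge, n):
    """What gets signed: the site's identity plus the one-time challenge, so a
    signature made for one site is useless at a look-alike site."""
    h = hashlib.sha256(rp_id.encode() + b"|" + challenge).digest()
    return int.from_bytes(h, "big") % n


class Authenticator:
    """Your device / password manager: one key pair per site, private keys stay here."""

    def __init__(self):
        self._private = {}  # rp_id -> (n, d)

    def register(self, rp_id):
        public, private = make_keypair()
        self._private[rp_id] = private
        return public  # only the public half goes to the site

    def sign(self, rp_id, challenge):
        """None when no passkey exists for the site the browser is on, which is
        what a browser does when a phishing domain asks for one."""
        if rp_id not in self._private:
            return None
        n, d = self._private[rp_id]
        return pow(signing_input(rp_id, challenge, n), d, n)


class RelyingParty:
    """The website: stores public keys, issues single-use challenges, verifies."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self._public = {}  # user -> (n, e)
        self._pending = set()  # challenges issued but not yet used

    def enroll(self, user, public_key):
        self._public[user] = public_key

    def new_challenge(self):
        challenge = secrets.token_bytes(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, user, challenge, signature):
        """True only for a fresh challenge signed by this user's private key."""
        fresh = challenge in self._pending
        self._pending.discard(challenge)  # single use, whether it verifies or not
        public = self._public.get(user)
        if not fresh or signature is None or public is None:
            return False
        n, e = public
        return pow(signature, e, n) == signing_input(self.rp_id, challenge, n)
```

Walk through it: register a passkey at `bank.example`, ask the site for a challenge, sign it, verify. Then present the same signature again (fails, the challenge was consumed), ask the device to sign for `phish.example` (no passkey there, so nothing is signed, and a passkey created at the phishing site still signs the wrong site name), and try to build a signature from the public key alone (fails, since only `d` produces something the public exponent undoes).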
1. Passkey Example
Let's try a simple public/private key pair. We'll use digit-wise addition as the operation and 3-digit numbers to keep the example small. Note: it's really much more complicated than this!
- Pick a Public key: 359. The Private key will be 751. Remember, everyone can know the Public key but only you know the Private key.
- Suppose the message is 246.
- Add the Public key digit by digit, dropping any carry:
  - 2 + 3 = 5
  - 4 + 5 = 9
  - 6 + 9 = 15, keep the 5
- Thus the encrypted message is 595, and the website sends this to you.
- Anyone monitoring the communication sees only 595. (In a real system, knowing your Public key would not help them recover 246; see the note below on why this toy falls short of that.)
- You receive 595 and decrypt it with your Private key (751), which only you know:
  - 5 + 7 = 12, keep the 2
  - 9 + 5 = 14, keep the 4
  - 5 + 1 = 6
- And you have decrypted the message and see 246.
Note this is a simple example. It shows the two roles the keys play, but not the hard part: here anyone who knows the Public key can work out the Private key, since each Private digit is just whatever brings the matching Public digit up to 10 (3→7, 5→5, 9→1). In real life a much larger Public key and Private key are used, built from large prime numbers and mathematics that make recovering the private key from the public key infeasible. See: section below for 'gory math'.
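The addition toy above in code, as an added example that is not part of the original page. It uses the page's own values (Public key 359, Private key 751, message 246) and generalizes to any number of digits, and it includes the step the text warns about: deriving the Private key from the Public one, which is why this is only an illustration of the two roles and not a secure scheme.

```python
# Added example, not from the page: the digit-addition toy, plus the reason it
# is only a toy. Keys and message follow the page (359, 751, 246).


def add_digits(message: str, key: str) -> str:
    """Add the key to the message digit by digit, dropping the carry (mod 10).
    The same operation serves as 'encrypt' (Public key) and 'decrypt' (Private key)."""
    if len(message) != len(key) or not (message + key).isdigit():
        raise ValueError("message and key must be digit strings of equal length")
    return "".join(str((int(m) + int(k)) % 10) for m, k in zip(message, key))


def private_from_public(public: str) -> str:
    """Recover the toy's Private key from the Public one: each Private digit is
    whatever brings the Public digit up to 10 (a 0 stays 0). Real public-key
    systems are designed precisely so that no such shortcut exists."""
    return "".join(str((10 - int(k)) % 10) for k in public)


def eavesdropper_decrypts(ciphertext: str, public: str) -> str:
    """What someone who saw only the Public key and the wire can do with this toy."""
    return add_digits(ciphertext, private_from_public(public))
```

`add_digits("246", "359")` gives the page's 595 and `add_digits("595", "751")` gives back 246; `eavesdropper_decrypts("595", "359")` also gives 246 without ever being told the Private key, which is the property the large-prime mathematics of real systems exists to prevent.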
2. Live Demonstration
2a. Setting up
We'll assume that you have set up your environment; you need to do this just once. For this demo I'm using Bitwarden, https://bitwarden.com
- install Bitwarden,
- create a Bitwarden account,
- log into Bitwarden,
- install the Bitwarden extension in Firefox.
Note that Bitwarden has OS requirements and that we are using the free version.
2b. Login using an existing passkey
On smi's Muscat using Firefox, log into Shopify.com using Bitwarden.
On smi's Muscat using Firefox, log into Nintendo.com using Bitwarden.
Note that I've only added the Bitwarden extension to Firefox on Muscat.
2c. Creating a passkey
At Nintendo
- In Bitwarden, create a login entry for Nintendo (name, username = email, password)
- Go to nintendo.com (the website)
- Sign up
- Select the login info from Bitwarden
- Get the verification email with a code, enter the 4-digit code on Nintendo
- Log out, log in using the new account
- Account settings > Sign-in and security settings
- Scroll to Passkey, Edit
- Register a New Passkey
- Follow the verification process: Submit to start it
- Enter the 6-digit code
- Register
- Bitwarden: select the login you just created to save the passkey
Let's try it
- Sign out
- Sign in
- Passkey Sign-In
- Bitwarden: select the login you just created to use its saved passkey
You're in.
Password Managers Supporting Passkeys as of 04 March 2024
App | Passkeys | What's for free? |
---|---|---|
Bitwarden | Browser only | Free: 2 users, 2 collections, unlimited devices & passwords, passkeys, username and password generator. Online vault only, but you can back it up elsewhere. pricing and details; Bitwarden and passkeys (search) |
1Password | On Android | Free for 14 days. Individual plan $2.99/mo: 1 user, unlimited devices & passwords. Passkey support on Android |
Dashlane | Yes, mobile only | Free: 1 device at a time, 25 passwords. Paid ("Premium") $4.99/mo: many devices, no limit on passwords, VPN. plan comparison |
KeePassXC | Using browser extension | Vault where you want it. 1 user, unlimited collections, devices, passwords. Password generator. Not sure of passkey details. Note: you save your encrypted 'vault' where you want, e.g. your computer, memory stick, cloud storage. |
Apple | Requires iOS & iPadOS 16, macOS 13 or later | No charge. Details on use |
 | Yes | about and link for setting up |
References
- passkeys directory has info on sites supporting (and not supporting) passkeys