Stable Chrome release gets support for FIDO – Computer – News based passkeys

Maybe there are players who are interested in it My response to security.nl On this topic, which I repeat below (slightly modified).

Before: the following is as far as i know. I’ve read a lot about this topic but haven’t been able to read any practical experience into it.

Regarding the protection of private keys (as part of passkeys): The intention is that private keys are in an unencrypted state only in hardware-protected “secure enclaves” on end-user devices. In this sense, the difference with the FIDO2 hardware switch (such as Yubikey, Feitian, Google Titan, etc.) is small.

An important difference with hardware keys is that a set of credentials (your passkeys for one or more accounts) can be backed up—if the platform supports them; They can then encrypted They are exported from the hardware secure enclave, and can also be restored (in encrypted form) – after which they are decrypted in the hardware secure area.

In other words, a cloud account can be used for backup and sync on multiple devices. The conditions for this are that each device also has a sufficiently secure location (that you can access), you know the password used to encrypt the credentials – and you have access to the cloud account.

This seems to work more smoothly with Apple hardware as well as Apple software (especially Safari); If you use the same passcode on each of your Apple devices, And the Hardware + OS is not too old, And the You’ve configured the same Apple ID (the Apple cloud account for iCloud, among other things) on every device, and the goal is to automatically sync your passkeys between your devices. In addition, (at least the private keys) are unencrypted only in secure pockets (which most, if not all, applications do not have access to).

This is of course a great vendor lock, because you can’t sync Apple “secrets” (including passkeys) with other operating systems like Android, Windows, or Linux. So if you started out with Apple or Google passkeys, it’s very annoying to switch to another platform (especially when you only have one device and lose access to it due to loss, theft, or crash). So while you can back up passkeys, unlike credentials in hardware keys, there are still significant limitations.

The point is, you never do that yourself You have access to your private keys, thus malware cannot. However, the software you use must be able to digitally sign information (including a “nonce”, which is a long random number sent by the server) (into the secure enclave) with the correct private key, proving the existence of the private key. On the device you’re authenticating with. If the software used is malicious, or if the device has been compromised in some other way, you cannot rule out that malware has accessed one or more of your accounts; Nor will passkeys provide you with a “compromise with the customer”.

Regarding vendor lock: We’re of course awaiting hacks with which you can (using your device’s access token and Apple ID + 2FA password) download and decrypt encrypted “secrets” backed up in iCloud – but whether that ever It went and when, I don’t know. Once such a hack exists, of course malware can use it as well.

By the way, Apple introduced something controversial: “pass share key”. With this you can share your “secrets”. with another person Provided that the other person also has a (supported) Apple device.

Finally, 1Password also has a kind of passkey announce, called “Universal Sign On” by them. Since they claim to support any OS, I’m guessing the private keys won’t be in secure pockets of the devices in all cases, which could facilitate theft (but that’s no different than passwords in a “normal” password manager like KeePass or the current 1Password). However, the question is whether all websites will support passkeys, with private keys potentially less secure. While logged in, websites can ask (via WebAuthn) how secure it is to store the private key, eg “not exportable” on a FIDO2 machine key.

The passkeys look nice but there are quite a few obstacles (and I didn’t mention all the dangers I know of above).