Just to be clear, passkeys do not involve certificates or passwords at all.
When you set up a passkey between your client device and some website, your client device uses a random number generator to generate a very strong public-private key pair from scratch. Your new private key is kept secure on your device (requiring biometrics, etc. to get access to, as you noted), and your new matching public key is sent to the website and stored as a new authentication credential for your account.
So the security does not depend on the user coming up with a good password, and there's nothing stored on the website that could allow a web server security breach to expose a password or any other authentication/encryption secret. Public keys are meant to be public; they are not secrets; it doesn't matter if the whole world knows all of your public keys.
Now, if you allow your account on that website to continue to let you log in using just a password (as opposed to always requiring passkey authentication from now on), then your account on that website still has all the traditional risks of passwords. So, yes, a data breach of that website could still expose your password to the world. Or if a hacker got your password for that site another way, they could still log into your account using that password. So if you want to be more secure by using a passkey on a website, you need to disable normal (old, insecure) password-based authentication after you set up your passkey.
I do see from your comment on another Answer that you have questions around how the website would authenticate you before allowing you to establish a passkey. The answer is, if you have an existing account, the website authenticates you the way it always did (e.g. via password), and then after you establish your passkey, you can delete your password or otherwise disable password-based authentication for your account. If you are registering a brand new account, then you establish a passkey, instead of a password, when you initially register the account. There's nothing special about establishing a passkey instead of a password when you first create an account.
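A simplified model of the flow this answer describes, added here as an illustration and not part of the original answer: the device generates the key pair, the site stores only the public key, and login is a signature over a fresh challenge. The `Website` class, function names and the `alice` account are hypothetical, and real WebAuthn signs additional data (such as the site origin) that this sketch leaves out.

```javascript
// Added example: simplified passkey model, not the real WebAuthn API.
const crypto = require('node:crypto');

// Client device: generate a fresh key pair for this site. Only the public
// half ever leaves the device.
function createPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { privateKey, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}

// Client device: prove possession of the private key by signing the challenge.
function signChallenge(privateKey, challenge) {
  return crypto.sign('sha256', challenge, privateKey);
}

// Website (hypothetical): stores public keys only, never a shared secret.
class Website {
  constructor() { this.publicKeys = new Map(); this.pending = new Map(); }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verifyLogin(user, signature) {
    const pem = this.publicKeys.get(user);
    const challenge = this.pending.get(user);
    this.pending.delete(user); // each challenge is single-use
    if (!pem || !challenge) return false;
    return crypto.verify('sha256', challenge, pem, signature);
  }
}

function runDemo() {
  const site = new Website();
  const device = createPasskey();
  site.register('alice', device.publicKeyPem); // constructed sample account

  const sig = signChallenge(device.privateKey, site.newChallenge('alice'));
  const ownerLogin = site.verifyLogin('alice', sig);

  // Someone holding only the site's stored data has no matching private key;
  // a signature made with any other key fails verification.
  const otherKey = createPasskey().privateKey;
  const breachLogin = site.verifyLogin('alice', signChallenge(otherKey, site.newChallenge('alice')));

  // An old signature does not match a fresh challenge.
  site.newChallenge('alice');
  const replayLogin = site.verifyLogin('alice', sig);
  return { ownerLogin, breachLogin, replayLogin };
}
```

The account in this model has no password fallback; if the site also kept a password for it, that path would carry the usual password risks regardless of the passkey.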