That's how passkeys work: you create a private/public key pair for each device the first time you log in on that specific device. The FIDO2 specification for cryptographic passkeys dictates: "Cryptographic login credentials are unique across every website, never leave the user's device and are never stored on a server." That's why you need to enable passkeys separately on each device, and obviously that means having a password to authenticate yourself on each device before enabling passkeys. You won't find any password manager doing it differently; any implementation that synced a cryptographic passkey across devices would be outside the spec of the standard, and thus wouldn't be FIDO2 compliant.

The 'passwordless' aspect of passkeys has been oversold in the tech media to some extent; passkeys are predominantly about creating an alternative to passwords, one that is unique, un-phishable and unguessable. You'll never need to remember a passkey, but that doesn't mean you'll never need a password ever again. The primary benefit is that you're only entering your password once, the very first time you log in, prior to setting up a passkey. This means the attack surface for stealing credentials is massively reduced: instead of every log-in being an opportunity for credential theft, only the very first log-in requires your password. Since users typically only set up new devices occasionally, but access the service frequently, this results in a massively reduced window of opportunity for would-be attackers.

Syncing the private key of your passkey would be a) outside the scope of the FIDO2 standard, as per previous post, and b) a massive security fail. Your private passkey is what prevents your data being accessed if the service was hacked. If the same service was also syncing your private passkey, that'd be game over: the hacker would have everything.

LastPass does plenty wrong from a security standpoint; their passkey implementation actually isn't one of them. They're just following the industry standards that have been created with security in mind. Like I said before, you won't find any password manager handling passkeys differently: LastPass are implementing passkeys according to the FIDO2 standard for cryptographic passkeys. Microsoft and Google don't follow the standard for cryptographic passkeys; they follow the standard for authentication passkeys, which does allow synchronisation of passkeys between devices. Because Microsoft doesn't use a zero-knowledge security model, they can a) synchronise passkeys across devices within their own ecosystem, and b) reset customer login credentials if lost. But neither Microsoft nor Google are claiming to be zero-knowledge services. Nearly all password managers operate differently: they employ zero-knowledge architecture, so they cannot remotely reset your login and won't sync private keys between devices. This means they can't rely on just a USB security key to log in, because a lost or damaged key would lock users out, and they deliberately don't have the ability to reset user account credentials.
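The registration and log-in flow described above, as an added example that is not part of the original post and not LastPass, Microsoft or FIDO Alliance code (the site names and the fixed challenge are constructed): one key pair per device and site, only the public key leaves the device, a second device cannot answer until it enrols itself, and an assertion made for a look-alike origin is rejected by the real site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Device models one authenticator: one key pair per site, generated on the device, never exported.
type Device struct{ keys map[string]*ecdsa.PrivateKey }

// Register makes the key pair for this device and site; only the public half goes to the server.
func (d *Device) Register(rpID string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	d.keys[rpID] = priv
	return &priv.PublicKey
}

// signedData folds the site identity into the signed bytes, so an assertion for one origin never verifies at another.
func signedData(rpID string, challenge []byte) []byte {
	sum := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return sum[:]
}

// Authenticate signs the challenge; rpID comes from the real page origin. An un-enrolled device has no key and cannot answer.
func (d *Device) Authenticate(rpID string, challenge []byte) ([]byte, bool) {
	priv, ok := d.keys[rpID]
	if !ok {
		return nil, false
	}
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
	return sig, true
}

// Verify is all the server does with the stored public key; a breach of that store gives an attacker nothing to sign with.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(rpID, challenge), sig)
}

// Scenario walks the page's argument: laptop enrolled, phone not synced, look-alike site rejected.
func Scenario() (laptopOK, phoneHasKey, lookAlikeOK bool) {
	laptop := &Device{keys: map[string]*ecdsa.PrivateKey{}}
	phone := &Device{keys: map[string]*ecdsa.PrivateKey{}}
	stored := laptop.Register("example.com")              // first log-in on the laptop: password, then enrol
	challenge := []byte("constructed one-time challenge") // a real server draws this at random per log-in
	sig, _ := laptop.Authenticate("example.com", challenge)
	laptopOK = Verify(stored, "example.com", challenge, sig)
	_, phoneHasKey = phone.Authenticate("example.com", challenge) // private keys do not sync: the phone must enrol
	laptop.Register("examp1e.com")                                // the look-alike site gets its own separate key
	sig2, _ := laptop.Authenticate("examp1e.com", challenge)      // phisher relays the real site's challenge
	lookAlikeOK = Verify(stored, "example.com", challenge, sig2)
	return
}
```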