{"id":36372,"date":"2022-06-29T17:11:22","date_gmt":"2022-06-29T21:11:22","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=36372"},"modified":"2022-06-30T13:55:37","modified_gmt":"2022-06-30T17:55:37","slug":"passkeys","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2022\/06\/29\/passkeys\/","title":{"rendered":"Passkeys"},"content":{"rendered":"<p><a href=\"https:\/\/developers.apple.com\/videos\/play\/wwdc2022\/10092\/\">Meet passkeys<\/a> (<a href=\"https:\/\/news.ycombinator.com\/item?id=31643917\">Hacker News<\/a>):<\/p>\n<blockquote cite=\"https:\/\/developers.apple.com\/videos\/play\/wwdc2022\/10092\/\"><p>Learn how to add support for passkeys to create a quick and easy sign in experience for people, all while offering a radical increase to account security. Passkeys are simple and strong credentials built to eliminate phishing attacks. We&rsquo;ll share how passkeys are designed with security in mind, show you how people will use them, go over how to integrate passkeys in your log in flow, and explore the platform and web APIs you need to adopt this feature.<\/p><\/blockquote>\n\n<p>The developer documentation is <a href=\"https:\/\/developer.apple.com\/documentation\/authenticationservices\/public-private_key_authentication\/supporting_passkeys\">here<\/a>. I don&rsquo;t understand the slide at the end where it says that Passkey protects against device theft but a password manager (maybe) doesn&rsquo;t.<\/p>\n\n<p>Other questions:<\/p>\n<ul>\n<li>Can I get at my passkeys from Keychain Access?<\/li>\n<li>Is there a way to manually back them up or move them between devices (other than manual AirDropping one at a time)? It would be nice to have a backup in cold storage rather than rely on a small number of devices that are all in the same building and connected to the same cloud account.<\/li>\n<li>What happens if there&rsquo;s a problem with the system or the site so that it doesn&rsquo;t offer to auto-fill the passkey that I need? I&rsquo;m thinking about cases where there are multiple or changing domains. It sounds like there&rsquo;s no manual picker but that having one wouldn&rsquo;t help because if it thinks the domain is wrong the passkey wouldn&rsquo;t work, anyway.<\/li>\n<li>This requires iCloud Keychain, yet someone may not want to put all of their passwords in iCloud. Is it practical to use a local keychain for some stuff alongside iCloud Keychain?<\/li>\n<li>How well is this going to work in different browsers and across different platforms?<\/li>\n<\/ul>\n\n<p><a href=\"https:\/\/twitter.com\/kuba_suder\/status\/1533913726675390464\">Kuba Suder<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/kuba_suder\/status\/1533913726675390464\"><p>If these &ldquo;passkeys&rdquo; are stored in a safe way protected with biometrics&#8230; how do I log in using them on my 2019 iMac with no secure enclave?<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/sixcolors.com\/post\/2022\/06\/wwdc-2022-passkeys-hit-primetime\/\">Dan Moren<\/a>:<\/p>\n<blockquote cite=\"https:\/\/sixcolors.com\/post\/2022\/06\/wwdc-2022-passkeys-hit-primetime\/\">\n<p>The addition of passkeys should also remove the need for multifactor authentication&mdash;no more entering codes from an app or via SMS. That was always an additional feature provided because of passwords&rsquo; inherent insecurity, but the way in which passkeys work makes it unnecessary.<\/p>\n<p>[&#8230;]<\/p>\n<p>One additional question that has now been answered for passkeys is what happens when you&rsquo;re logging in on another device, either from Apple or another manufacturer. The FIDO Alliance that backs the passkey standard (of which companies like Apple, Microsoft, Google, and Amazon are all members) has an approved solution: a QR code that you scan with your phone, providing a secure way to log in.<\/p>\n<p>The methodology behind this process is fascinating: among other things, the authenticating device (likely your iPhone) creates a Bluetooth-based relay server which, by the very nature of Bluetooth&rsquo;s limited range, helps ensure that you are in fact in proximity to the device into which you&rsquo;re logging in. That makes it much more difficult for phishers to trick you into giving up your passkey: sending you a QR code in an email or text message won&rsquo;t work because it won&rsquo;t be able to get access to the Bluetooth connection.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/sixcolors.com\/link\/2022\/06\/how-do-you-recover-passkeys-if-you-lose-all-your-devices\/\">Dan Moren<\/a> (also <a href=\"https:\/\/www.schneier.com\/blog\/archives\/2022\/06\/__trashed-2.html\">Bruce Schneier<\/a>):<\/p>\n<blockquote cite=\"https:\/\/sixcolors.com\/link\/2022\/06\/how-do-you-recover-passkeys-if-you-lose-all-your-devices\/\"><p>Andrew pointed me to a blog post by Terence Eden, which contains <a href=\"https:\/\/shkspr.mobi\/blog\/2022\/06\/ive-locked-myself-out-of-my-digital-life\/\">a bit of a thought experiment<\/a> on what happens if you have a catastrophic accident (say, a house fire) and lose access to all your devices[&#8230;]<\/p>\n<p>[&#8230;]<\/p>\n<p>Well, there are recovery methods in place, as you might suspect. Apple talks broadly about them <a href=\"https:\/\/support.apple.com\/en-us\/HT213305\">in a support article<\/a>[&#8230;]<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/support.apple.com\/en-us\/HT213305\">Apple<\/a>:<\/p>\n<blockquote cite=\"https:\/\/support.apple.com\/en-us\/HT213305\"><p>To recover a keychain, a user must authenticate with their iCloud account and password and respond to an SMS sent to their registered phone number. After they authenticate and respond, the user must enter their device passcode. iOS, iPadOS, and macOS allow only 10 attempts to authenticate. After several failed attempts, the record is locked and the user must call Apple Support to be granted more attempts. After the tenth failed attempt, the escrow record is destroyed.<\/p><\/blockquote>\n\n<p>It sounds like anyone who can get into your Apple ID account and either see your phone notifications or redirect an SMS message can delete all your passkeys.<\/p>\n\n<p><a href=\"https:\/\/tidbits.com\/2022\/06\/27\/why-passkeys-will-be-simpler-and-more-secure-than-passwords\/\">Glenn Fleishman<\/a>:<\/p>\n<blockquote cite=\"https:\/\/tidbits.com\/2022\/06\/27\/why-passkeys-will-be-simpler-and-more-secure-than-passwords\/\">\n<p>A passkey replaces two-factor authentication, and it&rsquo;s worth breaking down why, as it seems counter-intuitive: how can a single code held on a device provide distinct aspects of confirmation? The rubric for multiple security factors is usually stated as at least two of &ldquo;something you know, something you have, or something you are.&rdquo; A passkey incorporates at least two of those:<\/p>\n<ul>\n<li><b>Something you know:<\/b> While commonly thought of as a password, the &ldquo;know&rdquo; part is really any fixed piece of information you possess. Think of a 20-character randomly generated password stored in your password manager. Do you &ldquo;know&rdquo; that? Yes, in the sense that it&rsquo;s retrievable exactly as entered.<\/li>\n<li><b>Something you have:<\/b> Because passkeys are locked to devices, you prove your possession of a device by unlocking the passkey: no device, no passkey.<\/li>\n<li><b>Something you are:<\/b> Although passkeys don&rsquo;t require biometric authentication using Face ID or Touch ID, it&rsquo;s an option. Apple always lets you use a device passcode to backstop Face ID or Touch ID, so it&rsquo;s a blurred line with &ldquo;something you know&rdquo; compared to a dedicated biometric device with no fallback option.<\/li>\n<\/ul>\n<\/blockquote>\n<p>In what sense are passkeys locked to a device if they are syncing via iCloud Keychain? Is the idea that they must be on one of <em>your<\/em> devices because there is no way to export them?<\/p>\n\n<p id=\"passkeys-update-2022-06-30\">Update (2022-06-30): <a href=\"https:\/\/twitter.com\/meekgeek\/status\/1542478768769404930\">Meek Geek<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/meekgeek\/status\/1542478768769404930\">\n<p>What if something was broken with your Apple Card and Apple says you owe them money, or if you&rsquo;re a developer who ran afoul of Apple&rsquo;s App Store rules?<\/p>\n<p>Would a suspension of your iCloud account mean that you lose access to all your passkeys?<\/p>\n<\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2021\/03\/04\/apple-account-locked-due-to-failed-trade-in\/\">Apple Account Locked Due to Failed Trade-in<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>Meet passkeys (Hacker News): Learn how to add support for passkeys to create a quick and easy sign in experience for people, all while offering a radical increase to account security. Passkeys are simple and strong credentials built to eliminate phishing attacks. We&rsquo;ll share how passkeys are designed with security in mind, show you how [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2022-06-29T21:11:25Z","apple_news_api_id":"31f2414d-7708-4d5d-867a-bfd39b66ef15","apple_news_api_modified_at":"2022-06-30T17:55:41Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAQ==","apple_news_api_share_url":"https:\/\/apple.news\/AMfJBTXcITV2Ger_Tm2bvFQ","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[707,146,422,1417,31,2185,1583,30,2223,2222,981,1200,71,1679,48],"class_list":["post-36372","post","type-post","status-publish","format-standard","hentry","category-technology","tag-apple-id","tag-backup","tag-bluetooth","tag-icloud-keychain","tag-ios","tag-ios-16","tag-keychain","tag-mac","tag-macos-13-ventura","tag-passkeys","tag-passwords","tag-phishing","tag-programming","tag-secure-enclave","tag-security"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/36372","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=36372"}],"version-history":[{"count":2,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/36372\/revisions"}],"predecessor-version":[{"id":36385,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/36372\/revisions\/36385"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=36372"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=36372"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=36372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}