I don't really want to replace it. It works fine. But the toolchain for other platforms is becoming difficult to manage. I use pass with PGP Yubikeys as backing for each encrypted password. But the developer of the Android version has stopped supporting it and the person who took it over has removed yubikey support because he doesn't use it himself and doesn't care about it.
Of course I need to access my passwords on Linux, Windows, Mac, Android. Only iOS is not possible because Apple doesn't allow raw APDU access to NFC tags so you can't do OpenPGP functions.
I also don't want to use a password manager with a single master password like bitwarden. I want each password to be encrypted individually with the public key from a number of hardware tags (multiple, that's also a hard requirement). This way not my whole password database is instantly leaked when my master password gets compromised. Even when my endpoint gets completely compromised, the only passwords they will have are the ones I decrypted on it since it was compromised. Yubikeys require a physical touch for every decryption so you also can't 'milk' them for credentials when they're inserted and unlocked. Also, any password manager I use must be self-hosted, I hate and don't trust the big tech companies.
I wonder if this could be a new backend. And have support on all platforms (though iOS I don't care about personally, but it would be a nice to have).
Checkout passage: https://github.com/FiloSottile/passage which has done part of this by using age instead of pgp. I used it for a while, and last I checked there was sadly no android app (the pass android app hardcoded too much PGP to be a useful base, so I was told), but the work is def there.
Nice! But I can't really use it until it works on Android too (with hardware keys). I'll definitely try it out though.
> the pass android app hardcoded too much PGP to be a useful base
The original one did not. It leveraged the OpenKeyChain external app which basically handles all the PGP stuff. So there was no PGP code in the app. Similar to how it's done on a PC with the gpg suite
But someone rewrote it with an internal library which also removed Yubikey support.
I think my dream password manager currently is a Pinephone with a special custom UI that allows for managing and securing a list of accounts/passwords that can type them out via USB HID keyboard gadget when prompted.
No way to prompt it for data, or compromise it remotely.
No other features, no OS userspace, no wifi, no adb, no nothing. Just a Linux kernel + a tiny single userspace static binary based on lvgl for UI and libsodium for encryption/storage. Normally powered off, boots in 2 seconds. :)
I made one of these a while ago in school, it was fun! I think it's a great idea. Mine really had nothing: an overly complicated MCU, since it was provided by the class, but otherwise no need for an OS or anything: https://benkettle.xyz/projects/password-keeper/
Nice. My wishlist also includes something similar looking with Luckfox Pico Mini + small OLED for displaying info about requests (via USB), to authorize various crypto operations with secret material stored on the device. :)
Tons of ways to compromise it between your computer's USB port and the server's database, though. If you already have dedicated hardware, FIDO authenticators make much more sense.
> Just a Linux kernel [...]
That's several orders of magnitude more lines of code than any FIDO authenticator implementation.
> Tons of ways to compromise it between your computer's USB port and the server's database, though. If you already have dedicated hardware, FIDO authenticators make much more sense.
I mean, if you have the amount of access needed to compromise a USB connection, you have way more than enough access than needed to just yoink the authentication token or encryption key from browser storage.
I do think though that just using a pinephone as just a password manager might make sense for some people (I think) but at the price of pinephone and the features you can get with it, this is really underselling it (I think)
Maybe I don't have enough money to buy a pinephone just for this purpose but even if I would have, I would personally look more into soldering (esp32?) or some single board chip (SOC?) with a touch screen sounds nice too.
Now I am not kidding, there was this dumb phone which I was using and its cost was like 12.5$ and it had the features of camera, mic , text , messaging, audio, file manager and so much more... Basically it just didn't had a browser or ability to add apps ofc since it wasn't android. But yeah I do believe that something niche could be developed for people like you at maybe 1/10th the price
Cheaper, with integrated display, battery, touchscreen, working software, and nice form factor for the use case, sane fully open bootloader and firmware, full documentation for everything, much more power efficient.
I follow Filippo for years and he's doing amazing job for crypto and golang communities. Excited to see your bikes adventures too. If it wasn't for you who knows, maybe golang wasn't that popular in the fields where cryptography matters.
I was waiting for the prf to be implemented since a long time exactly for this type of applications (e2e encryption), but , as usual, Safari doesn't support it
Huh, iCloud Keychain supports the prf extension when used with Chrome, so I had assumed they added support to Safari as well, but I just tested it and sure enough, you're right.
Edit: well https://webauthn-passkeys-prf-demo.explore.corbado.com/ works with an iCloud Keychain passkey on Safari on macOS 15.5, but Typage doesn't work with a YubiKey 5, so there is some support (the MDN data is out of date) but also something weird.
> Note that there’s no secure way to do asymmetric encryption: we could use the PRF extension to encrypt a private key, but then an attacker that observes that private key once can decrypt anything encrypted to its public key in the future, without needing access to the credential.
IMHO, it would move the world of privacy forward significantly if someone took up championing a web API that securely pipes the output of WebAuthn's PRF into the input seed of a WebCrypto ML-KEM/X25519 implementation.
Sure, we'll still have the (unenviable) job of securing the client side JS environment, but it would make it feasible to have E2EE in the browser with passkey managed private keys exposed only up to the point of the browser/OS.
In my last job, we used a key that was stored on a user machine to sign documents... always wondered if something like PassKeys could replicate that... given documents could potentially need to be signed by multiple users on behalf of an entity, having the cert on a user's drive seemed like a security issue... It was password protected, but still.... Replacing that with PassKeys, and having that stored on a phone or even in something like 1Password would potentially solve some of those issues...Does anyone know if that is possible?
WebAuthn may be one of the most important security technology of the decade. It's a revolution in key management, which may be the hardest part of applied cryptography.
Passkeys enable phishing-resistant and 1-click authentication.
The PRF extension discussed here enables end-to-end encryption of data (with envelope encryption). Think about secure chat backups, double factor disk encryption (password + security key) and much more.
Soon we will be able to sign apps bundle (APKs, IPAs) with hardware security keys.
Great times are ahead for those who care about securing their users' data.
We've had this technology for decades, TLS client auth with X.509 certificates has been in browsers for a very long time. There just never was any interest in it, and never any investment into making the UI/UX usable beyond the most trivial use cases.
Passkeys are trumped-up certificates with a maybe-optional (depending on attestation status) hardware keystore. And lots of vendor lockin for Google, Apple and Microsoft. The only reason that there is a push right now is that big-vendor interest in lockin.
This is a pretty cool idea. Using passkeys to encrypt files means you don’t have to remember passwords but still keep things secure. What I really like is that each file gets its own key, so even if one gets exposed, the others stay safe. If this kind of setup gets integrated into tools we use every day, like photo apps or cloud storage, it could be really useful.
On this topic — how to harden security of the keychain db on the Mac? One is — keep the Mac password long and difficult to crack. What else? Is there any other way to make it harder? Like is there a way to ensure that those db files can’t be accessed even with the mac password on any other hardware?
Also — on a mac why are these files not saved in a location that requires elevated access?
Because that file has everything — password, wifi keys, passkeys; and it is not very practical to have 8-10 word long passphrases for your daily computer.
Basically — I am thinking about the scenario when the data of passwords/keychain db might be compromised but not the Mac password itself.
I recently started to plan for off-site, cloud-based storage and I have pretty much decided that I will be using Age to encrypt my backup files. It basically does everything I need.
Very cool! Clever use of WebAuthn’s PRF to reuse synced passkeys for file encryption without the hassle of managing private keys directly. The catch is credential revocation: leaked passkeys mean full rotation and bulk re-encryption of files. That works fine for casual backups, but production usage will need tooling to handle automated rotation cleanly.
Basically it works like this: You encrypt the data with a long, symmetric key. This data key can be used to decrypt the data itself, which may be large, and thus expensive to re-crypt. Now you encrypt this data key with the user key, and store that encrypted decryption key in addition to the encrypted data. You can also create multiple copies the data key encrypted with different user keys to enable shared access to the encrypted document. This way, you can decommission individual user's access by dropping their copy of the key, and efficiently re-crypt the data key because you don't have to encrypt the full data, but only the key.
In scenarios where you don't have multiple users, you can also just prepend the encrypted data key to the payload (as in, `<encrypted data key>.<encrypted payload>`), so effectively you'll only have to store an encrypted blob and the user key.
Passkeys use a challenge response protocol where the server sends a challenge to the browser for a specific public key and the browser signs the challenge with the corresponding private key. Keys aren't re-used across domain names which makes the credentials phishing-resistent
The user is required to enter a pin or password to unlock the private key (e.g. stored on their Yubikey or in their password manager) but that's a local decision. Also because a Yubikey and implement local rate limiting you don't need to have a long complicated password but a simple pin might suffice. Or you can use biometrics . This makes a passkey an authentication method with two factors. You provide something you know or are, and something you have.
OPAQUE instead is a key exchange protocol where you establish a secure session with only your password without ever disclosing that password to the server.
However, it's a single factor. You only provide your password as input.
The other problem with OPAQUE is that unlike passkeys there is no anti-phishing guarantee. A user might be tricked into entering their password into another website .
I guess this could be mitigated with browser support that derives a unique key from your password for each domain. But that browser support doesn't exist whilst passkeys do.
In my opinion passkeys are more pragmatic than OPAQUE as the security doesn't rely on the user having to pick a secure password and because there is browser support today
This enables a few cool use cases, like uploading sensitive, client-side encrypted documents, and storing them on behalf of the user—without even being able to peek inside—all with the convenience of passkeys!
This could simplify things a bit for website owners since they don’t need to protect a database where they store encryption keys. Bugs or supply-chain attacks on client-side software are still a vulnerability, though.
For the customer, they are unlikely to be able to audit the client-side software and any updates to it, so it still requires trust. The software could still have a lot of telemetry baked in.
Maybe someday there will be something like certificate transparency for software?
Sometimes the company cares more about not having access than the end user does. If you physically don't have the decryption keys, you can't get hacked and have user data leaked. You can also respond to government data requests with "Sorry we don't have access to that"
Only way to upload sensitive data is to encrypt it yourself, while handling all the secret key material yourself, and then upload the result. You can't trust the website, when it has access to the secret key, regardless of whether it was derived from FIDO2 HMAC or whatever.
Deploying a malicious version of a given webapp is still harder (and much more visible) than just silently dumping a backend database, so I'd trust an implementation that client-side encrypts my data using PRF and passkeys significantly more than one just uploading everything in plaintext.
Huh? But that’s the entire point. The website only knows your public key. The encryption happens locally, within the secure code of the authenticator, far away from the website.
The decrypted data is stored in a JavaScript variable. The JavaScript is under full control of the website owner. Adding telemetry to a website is pretty easy.
It would simplify website operations and eliminate some kinds of security bugs, though.
Well, okay, sure. But everything that is exfiltrated happens in plain sight, since all crypto operations are performed client-side. This offers way better guarantees than plaintext or SSE for many use cases IMHO.
No it does not. Website knows the secret key, it just is not supposed to store it (user has to trust that the website stores just salt and not the derived secret key):
What good timing. I am gearing up for a 1.0 release of a tool I wrote that stores secrets on disk (sort of like a local hashicorp vault/aws secrets manager) that uses age internally.
It has a tiered architecture where several different types of “unlockers” can access the main vault key. I haven’t added passkey support yet but it does do gpg and macOS keychain, and secure enclave support is planned (but delayed due to the fact that you cannot use the secure enclave even on a local device you own without a paid/doxxed Apple Developer Program membership for the correct entitlements).
Say you wanted to share sign in details with someone and the only way to sign in to a website or service was a magic email link (tied to an IP address) or a passkey (tied to the physical user).
How do you do it without the service implementing guest sign in as a feature? I’m asking as someone who has implemented auth.
iOS allows sharing passkeys via Airdrop, I believe, and presumably 1Password also allows storing them in shared vaults?
Regarding email, nothing prevents somebody wanting to share an account from just forwarding the magic link to the intended recipient without clicking on it, right?
I wonder if this can replace the PGP backend from "pass": https://www.passwordstore.org/
I don't really want to replace it. It works fine. But the toolchain for other platforms is becoming difficult to manage. I use pass with PGP Yubikeys as backing for each encrypted password. But the developer of the Android version has stopped supporting it and the person who took it over has removed yubikey support because he doesn't use it himself and doesn't care about it.
Of course I need to access my passwords on Linux, Windows, Mac, Android. Only iOS is not possible because Apple doesn't allow raw APDU access to NFC tags so you can't do OpenPGP functions.
I also don't want to use a password manager with a single master password like bitwarden. I want each password to be encrypted individually with the public key from a number of hardware tags (multiple, that's also a hard requirement). This way not my whole password database is instantly leaked when my master password gets compromised. Even when my endpoint gets completely compromised, the only passwords they will have are the ones I decrypted on it since it was compromised. Yubikeys require a physical touch for every decryption so you also can't 'milk' them for credentials when they're inserted and unlocked. Also, any password manager I use must be self-hosted, I hate and don't trust the big tech companies.
I wonder if this could be a new backend. And have support on all platforms (though iOS I don't care about personally, but it would be a nice to have).
Checkout passage: https://github.com/FiloSottile/passage which has done part of this by using age instead of pgp. I used it for a while, and last I checked there was sadly no android app (the pass android app hardcoded too much PGP to be a useful base, so I was told), but the work is def there.
> Checkout passage: https://github.com/FiloSottile/passage which has done part of this by using age instead of pgp.
Nice! But I can't really use it until it works on Android too (with hardware keys). I'll definitely try it out though.
> the pass android app hardcoded too much PGP to be a useful base
The original one did not. It leveraged the OpenKeyChain external app which basically handles all the PGP stuff. So there was no PGP code in the app. Similar to how it's done on a PC with the gpg suite
But someone rewrote it with an internal library which also removed Yubikey support.
Android pass+[yubi|nitro]key work fine through openkeychain:
https://f-droid.org/app/org.sufficientlysecure.keychain
I think my dream password manager currently is a Pinephone with a special custom UI that allows for managing and securing a list of accounts/passwords that can type them out via USB HID keyboard gadget when prompted.
No way to prompt it for data, or compromise it remotely.
No other features, no OS userspace, no wifi, no adb, no nothing. Just a Linux kernel + a tiny single userspace static binary based on lvgl for UI and libsodium for encryption/storage. Normally powered off, boots in 2 seconds. :)
I made one of these a while ago in school, it was fun! I think it's a great idea. Mine really had nothing: an overly complicated MCU, since it was provided by the class, but otherwise no need for an OS or anything: https://benkettle.xyz/projects/password-keeper/
Nice. My wishlist also includes something similar looking with Luckfox Pico Mini + small OLED for displaying info about requests (via USB), to authorize various crypto operations with secret material stored on the device. :)
Check out Precursor (FPGA device with softcore CPU running on it for trustability).
Xous (microkernel OS for Precursor) has an application called Vault that does FIDO2/U2F as well as password management and USB HID emulation.
https://www.crowdsupply.com/sutajio-kosagi/precursor/updates...
Much more on the dev board side and probably overkill for just this purpose but a really cool device.
Yeah, very cool!
Interestingly, Pinephone is in the almost good intersection of hackable and portable: :)
https://www.crowdsupply.com/sutajio-kosagi/precursor
Tons of ways to compromise it between your computer's USB port and the server's database, though. If you already have dedicated hardware, FIDO authenticators make much more sense.
> Just a Linux kernel [...]
That's several orders of magnitude more lines of code than any FIDO authenticator implementation.
> Normally powered off, boots in 2 seconds. :)
Yubikeys boot even faster!
Yeah and also it's huge for just a password manager.
> Tons of ways to compromise it between your computer's USB port and the server's database, though. If you already have dedicated hardware, FIDO authenticators make much more sense.
I mean, if you have the amount of access needed to compromise a USB connection, you have way more than enough access than needed to just yoink the authentication token or encryption key from browser storage.
None of this is a problem.
FIDO2 works only with websites that support it.
I do think though that just using a pinephone as just a password manager might make sense for some people (I think) but at the price of pinephone and the features you can get with it, this is really underselling it (I think)
Maybe I don't have enough money to buy a pinephone just for this purpose but even if I would have, I would personally look more into soldering (esp32?) or some single board chip (SOC?) with a touch screen sounds nice too.
Now I am not kidding, there was this dumb phone which I was using and its cost was like 12.5$ and it had the features of camera, mic , text , messaging, audio, file manager and so much more... Basically it just didn't had a browser or ability to add apps ofc since it wasn't android. But yeah I do believe that something niche could be developed for people like you at maybe 1/10th the price
Why a phone, though? The device doesn’t need any connectivity other than to act as a USB “keyboard,” right? Maybe a raspberry pi zero could do it.
Cheaper, with integrated display, battery, touchscreen, working software, and nice form factor for the use case, sane fully open bootloader and firmware, full documentation for everything, much more power efficient.
I follow Filippo for years and he's doing amazing job for crypto and golang communities. Excited to see your bikes adventures too. If it wasn't for you who knows, maybe golang wasn't that popular in the fields where cryptography matters.
keep up, Filippo!
I was waiting for the prf to be implemented since a long time exactly for this type of applications (e2e encryption), but , as usual, Safari doesn't support it
https://developer.mozilla.org/en-US/docs/Web/API/Web_Authent...
Huh, iCloud Keychain supports the prf extension when used with Chrome, so I had assumed they added support to Safari as well, but I just tested it and sure enough, you're right.
Edit: well https://webauthn-passkeys-prf-demo.explore.corbado.com/ works with an iCloud Keychain passkey on Safari on macOS 15.5, but Typage doesn't work with a YubiKey 5, so there is some support (the MDN data is out of date) but also something weird.
I'm pretty sure Safari supports it since iOS 18! See for example https://www.corbado.com/blog/ios-18-passkeys-automatic-passk... and https://www.corbado.com/blog/passkeys-prf-webauthn.
> Note that there’s no secure way to do asymmetric encryption: we could use the PRF extension to encrypt a private key, but then an attacker that observes that private key once can decrypt anything encrypted to its public key in the future, without needing access to the credential.
IMHO, it would move the world of privacy forward significantly if someone took up championing a web API that securely pipes the output of WebAuthn's PRF into the input seed of a WebCrypto ML-KEM/X25519 implementation.
Sure, we'll still have the (unenviable) job of securing the client side JS environment, but it would make it feasible to have E2EE in the browser with passkey managed private keys exposed only up to the point of the browser/OS.
In my last job, we used a key that was stored on a user machine to sign documents... always wondered if something like PassKeys could replicate that... given documents could potentially need to be signed by multiple users on behalf of an entity, having the cert on a user's drive seemed like a security issue... It was password protected, but still.... Replacing that with PassKeys, and having that stored on a phone or even in something like 1Password would potentially solve some of those issues...Does anyone know if that is possible?
For a simple web app that encrypts files with passkeys, check out https://filekey.app
Does this have a cli version ?
WebAuthn may be one of the most important security technology of the decade. It's a revolution in key management, which may be the hardest part of applied cryptography.
Passkeys enable phishing-resistant and 1-click authentication.
The PRF extension discussed here enables end-to-end encryption of data (with envelope encryption). Think about secure chat backups, double factor disk encryption (password + security key) and much more.
Soon we will be able to sign apps bundle (APKs, IPAs) with hardware security keys.
Great times are ahead for those who care about securing their users' data.
No, it won't.
We've had this technology for decades, TLS client auth with X.509 certificates has been in browsers for a very long time. There just never was any interest in it, and never any investment into making the UI/UX usable beyond the most trivial use cases.
Passkeys are trumped-up certificates with a maybe-optional (depending on attestation status) hardware keystore. And lots of vendor lockin for Google, Apple and Microsoft. The only reason that there is a push right now is that big-vendor interest in lockin.
https://filekey.app/
This is a pretty cool idea. Using passkeys to encrypt files means you don’t have to remember passwords but still keep things secure. What I really like is that each file gets its own key, so even if one gets exposed, the others stay safe. If this kind of setup gets integrated into tools we use every day, like photo apps or cloud storage, it could be really useful.
On this topic — how to harden security of the keychain db on the Mac? One is — keep the Mac password long and difficult to crack. What else? Is there any other way to make it harder? Like is there a way to ensure that those db files can’t be accessed even with the mac password on any other hardware?
Also — on a mac why are these files not saved in a location that requires elevated access?
Because that file has everything — password, wifi keys, passkeys; and it is not very practical to have 8-10 word long passphrases for your daily computer.
Basically — I am thinking about the scenario when the data of passwords/keychain db might be compromised but not the Mac password itself.
I recently started to plan for off-site, cloud-based storage and I have pretty much decided that I will be using Age to encrypt my backup files. It basically does everything I need.
My appreciation to the creator.
Very cool! Clever use of WebAuthn’s PRF to reuse synced passkeys for file encryption without the hassle of managing private keys directly. The catch is credential revocation: leaked passkeys mean full rotation and bulk re-encryption of files. That works fine for casual backups, but production usage will need tooling to handle automated rotation cleanly.
> Clever use of WebAuthn’s PRF to reuse synced passkeys for file encryption
Agreed on the clever part, but arguably that's exactly what PRF was designed for :)
> The catch is credential revocation: leaked passkeys mean full rotation and bulk re-encryption of files.
That's where the PRF input of key derivation comes in. The idea is to have that input be rotate-able.
That's also why there is two of them: So you can "atomically" (or at least using only one WebAuthN interaction) rotate the derived keys.
I feel like only one extra layer of indirection (encrypt a symmetric key with the age key) would enable rotation.
Yeah, envelope encryption is the only sane solution. That also allows decryption with multiple passkeys, for example.
could you please elaborate on envelope encryption in this case. I encrypt one key with another, how does it enable rotation?
The first key is now safer, but now I have to manage 2 keys, master key and a the one I use per files group X.
Basically it works like this: You encrypt the data with a long, symmetric key. This data key can be used to decrypt the data itself, which may be large, and thus expensive to re-crypt. Now you encrypt this data key with the user key, and store that encrypted decryption key in addition to the encrypted data. You can also create multiple copies the data key encrypted with different user keys to enable shared access to the encrypted document. This way, you can decommission individual user's access by dropping their copy of the key, and efficiently re-crypt the data key because you don't have to encrypt the full data, but only the key.
In scenarios where you don't have multiple users, you can also just prepend the encrypted data key to the payload (as in, `<encrypted data key>.<encrypted payload>`), so effectively you'll only have to store an encrypted blob and the user key.
Edit: The AWS docs explain this way better than I do: https://docs.aws.amazon.com/encryption-sdk/latest/developer-...
Can someone sum up the difference between "passkeys" and "SRP, PAKE (like OPAQUE), and ZKPs"?
Besides being related to the web (only?), it seems.
Passkeys use a challenge response protocol where the server sends a challenge to the browser for a specific public key and the browser signs the challenge with the corresponding private key. Keys aren't re-used across domain names which makes the credentials phishing-resistent
The user is required to enter a pin or password to unlock the private key (e.g. stored on their Yubikey or in their password manager) but that's a local decision. Also because a Yubikey and implement local rate limiting you don't need to have a long complicated password but a simple pin might suffice. Or you can use biometrics . This makes a passkey an authentication method with two factors. You provide something you know or are, and something you have.
OPAQUE instead is a key exchange protocol where you establish a secure session with only your password without ever disclosing that password to the server.
However, it's a single factor. You only provide your password as input.
The other problem with OPAQUE is that unlike passkeys there is no anti-phishing guarantee. A user might be tricked into entering their password into another website .
I guess this could be mitigated with browser support that derives a unique key from your password for each domain. But that browser support doesn't exist whilst passkeys do.
In my opinion passkeys are more pragmatic than OPAQUE as the security doesn't rely on the user having to pick a secure password and because there is browser support today
What devices support the prf extension? Been waiting for it to get support for years
This enables a few cool use cases, like uploading sensitive, client-side encrypted documents, and storing them on behalf of the user—without even being able to peek inside—all with the convenience of passkeys!
This could simplify things a bit for website owners since they don’t need to protect a database where they store encryption keys. Bugs or supply-chain attacks on client-side software are still a vulnerability, though.
For the customer, they are unlikely to be able to audit the client-side software and any updates to it, so it still requires trust. The software could still have a lot of telemetry baked in.
Maybe someday there will be something like certificate transparency for software?
Sometimes the company cares more about not having access than the end user does. If you physically don't have the decryption keys, you can't get hacked and have user data leaked. You can also respond to government data requests with "Sorry we don't have access to that"
Nothing that the user can trust, though.
Only way to upload sensitive data is to encrypt it yourself, while handling all the secret key material yourself, and then upload the result. You can't trust the website, when it has access to the secret key, regardless of whether it was derived from FIDO2 HMAC or whatever.
Trust isn't absolute.
Deploying a malicious version of a given webapp is still harder (and much more visible) than just silently dumping a backend database, so I'd trust an implementation that client-side encrypts my data using PRF and passkeys significantly more than one just uploading everything in plaintext.
Huh? But that’s the entire point. The website only knows your public key. The encryption happens locally, within the secure code of the authenticator, far away from the website.
The decrypted data is stored in a JavaScript variable. The JavaScript is under full control of the website owner. Adding telemetry to a website is pretty easy.
It would simplify website operations and eliminate some kinds of security bugs, though.
Well, okay, sure. But everything that is exfiltrated happens in plain sight, since all crypto operations are performed client-side. This offers way better guarantees than plaintext or SSE for many use cases IMHO.
No it does not. Website knows the secret key, it just is not supposed to store it (user has to trust that the website stores just salt and not the derived secret key):
https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-cl...
What good timing. I am gearing up for a 1.0 release of a tool I wrote that stores secrets on disk (sort of like a local hashicorp vault/aws secrets manager) that uses age internally.
https://git.eeqj.de/sneak/secret
It has a tiered architecture where several different types of “unlockers” can access the main vault key. I haven’t added passkey support yet but it does do gpg and macOS keychain, and secure enclave support is planned (but delayed due to the fact that you cannot use the secure enclave even on a local device you own without a paid/doxxed Apple Developer Program membership for the correct entitlements).
out of curiosity, why do you host your repos?
Explanation here:
https://github.com/sneak
https://sneak.berlin/20200307/the-case-against-microsoft-and...
Say you wanted to share sign in details with someone and the only way to sign in to a website or service was a magic email link (tied to an IP address) or a passkey (tied to the physical user).
How do you do it without the service implementing guest sign in as a feature? I’m asking as someone who has implemented auth.
iOS allows sharing passkeys via Airdrop, I believe, and presumably 1Password also allows storing them in shared vaults?
Regarding email, nothing prevents somebody wanting to share an account from just forwarding the magic link to the intended recipient without clicking on it, right?
Depends on the magic link implementation, really. Some tie the login request to specific request details.
Many (most?) sites that I have used passkeys on allow having multiple passkeys linked to the same account.
Sounds like a rhetorical question? Maybe you could explain the usage context instead?
Now do one for signing Linux packages with <insert anything else but GnuPG>...
You'll never believe what I (and a bunch of folks) have been working on for years :)
https://www.sigsum.org
https://github.com/FiloSottile/torchwood/tree/main/cmd/apt-t...
https://www.youtube.com/watch?v=SOfOe_z37jQ
https://c2sp.org/tlog-tiles
sigstore, lol