The "To Keep Up" Wiki

A collection of information we find useful

User Tools

Site Tools


passkey

[This page last changed 2024.03.13 08:47; visits 1 time today, 1 time yesterday, and 137 total times]

Passkey vs Password. What's the difference?

Password: alpha-numberic-special character sequence, a shared secret. Longer and more complex is better.
Passkey: Uses Public Key Cryptology.

Short video, Passwords: use and risk Marx Brothers

The following digested from https://blog.1password.com/passkeys-vs-passwords-differences/ with some embellishment

Passwords - shared secret

  1. When you create an account, you choose a password, a shared secret and give it to the website
  2. The website uses a math algorithm to encrypt/scramble the password into a hash that it saves
  3. When you login, you send the password to the website
  4. The website uses the same math to encrypt/scramble the password you entered and compares it to the hash it's saved
  5. If the two hashes match then you're in

Passwords: What does this mean

  • Passwords can be guessed
  • Passwords can be seen in transit
  • Passwords need to be complex (u/l case, #, special chars) and long so hard to guess
  • Some websites may save the password and not the hash (and passwords are compromised in a breech)
  • Best to use a password manager to create and store complex passwords different for each website (e.g., BitWarden, 1Password, Dashland, KeePass)

Passcodes - use public key cryptology

  • Each passkey is a pair of keys: a public key and a private key
  • These are mathematically linked together
  • Public key is given to and stored by the website when you sign up with the website(and it's ok if attacker sees this)
  • Private key is never shared

Public info: your public key and the algorithm used (e.g., 3DES, AES, RSA)
f( f(number, public key) , private key) = number
More info on encryption

Signing in using Passcodes

  1. Your device asks website to log you in
  2. Website encrypts some arbitrary number (a nonce) using your public key and sends it to you
  3. Your device uses your private key to decrypt this and sends back the decrypted number
  4. The website verifies that what you sent in #3 matches the arbitrary number it encrypted in #2
  5. If there's a match, you're logged in

Passcodes: What does this mean

  • Passkeys can't be guessed (unlike simple passwords)
  • Attackers can't do anything if they get your public key (it's useless without your private key that you never share)
  • Attackers can't see anything useful in transit like they can with passwords
  • You can have many public-private key pairs (I haven't seen a site say this though)

(Argument: passkeys can be guessed. Yes, you can guess a 1024-bit or ~300 digit number given enough time and computing resources. Yes, quantum computers may speed this up, which is a concern.)

1. Passkey Example

Let's try a simple public/private key and we'll use addition as an operation and 3-digit numbers to make it easier for this example. Note: it's really much more complicated than this!

  • Pick a Public key: 359; Private key will be 751.
  • Remember, everyone can know the Public key but only you know the Private key.
  • Suppose message is 246
  • Add Public key:
    • 2+3 = 5
    • 4+5 = 9
    • 6+9 = 5 (drop the carry)
  • Thus the encrypted message is 595, they send this to you
  • Anyone monitoring the communication only sees 595 and even though they know your Public key, they can't decrypt the 595
  • You receive the message 595 and decrypt it using your Private key (751), as only you know this
    • 5+7 = 2 (drop the carry)
    • 9+5 = 4
    • 5+1 = 6
  • and you have decrypted the message and see 246.

Note this is a simple example. In real life a much larger Public key and Private key would be used involving large prime numbers and complex mathematics. See: section below for 'gory math'.

2. Live Demonstration

2a. Setting up

We'll assume that you have set up your environment, you need to do this just once. For this demo I'm using Bitwarden, https://bitwarden.com

  1. install Bitwarden,
  2. create Bitwarden account,
  3. log into Bitwarden,
  4. install Bitwarden extension to Firefox.

Note that Bitwarden has OS requirements and that we are using the free version))

2b. Login using an existing passkey

On smi's Muscat using Firefox, log into Shopify.com using BitWarden.
On smi's Muscat using Firefox, log into Nintendo.com using Bitwarden.

note that I've only added the BitWarden extension to Firefox on Muscat.

2b. Creating passkey

Click to display ⇲

Click to hide ⇱

This from video this Bitwarden demo video

  1. Go to Shopify.com
  2. Create account with password. Save to Bitwarden.
  3. Verify email so account is active.
  4. Log into Shopify.com, use Bitwarden.
  5. Manage account, Security
  6. Create Passkey
  7. Save it
  8. Log out, log in. Select the icon where userID is entered, select Shopify.
  9. You're logged in.

At Nintendo

  1. In BitWarden, create login for Nintendo(name, user name=email, pw)
  2. Go to nintendo.com (the website)
  3. Sign-up
  4. Select the login info f/BitWarden
  5. Get verification email w/code, enter 4-digit code on Nintendo
  6. Log out, log in using new acct
  7. Account settings > Sign-in and security settings
  8. Scroll to Passkey, Edit
  9. Register a New Passkey
  10. Follow verification process: Submit to start it
  11. Enter 6-digit code
  12. Register
  13. BitWarden: select the login you just created to save the passkey

Let's try it

  1. Sign out
  2. Sign in Passkey Sign-In
  3. BitWarden: select the login you just created to use its saved passkey

You're in.

Click to see gory math public/private key example

Click to hide ⇱

this should be hidden Passkey internals – example

Key Generation This is done once, when we sign up with a website.

  1. Select two large prime numbers, p and q. For simplicity let's use p = 13 and q = 17.
  2. Compute the modulus, n, by multiplying p and q: n = p * q = 13 * 17 = 221
  3. Compute the Euler's totient function, φ(n), which is the number of positive integers less than n that are coprime to n:
    • φ(n) = (p - 1) * (q - 1) = (13 - 1) * (17 - 1) = 192
  4. Choose a public exponent, e. It must be relatively prime to φ(n) or 192, meaning it has no common factors other than 1. For simplicity, let's choose e = 5.
  5. Calculate the private exponent, d, such that (e * d) mod φ(n) = 1:
    • d = e^(-1) mod φ(n)
    • In this case, d = 77

Now that this is done, Alice has her Public Key (e, n) which is (5, 221) and her private key (d, n) which is (77, 221)

Encryption Here's how the website uses this passkey to authenticate us. Website wants to send a message to us, with passkey our job is to decode this and return the decrypted message to the website so the website will know we are who we claim.

Let's say the website encrypts the string “HELLO”, and will send it to us, we'll decrypt using our private key and return the string to the website.

The website does:

  1. Convert the message HELLO to numerical representation: 8 5 12 15
  2. Using the public key (5, 221), the website computes
    • H = 8^5 mod 221 = 32768 mod 221 = 119
    • E = 5^5 mod 221 = 3125 mod 221 = 197
    • L = 12^5 mod 221 = 248831 mod 221 = 35
    • L = 12^5 mod 221 = 248831 mod 221 = 35
    • O = 15^5 mod 221 = 759375 mod 221 = 65
  3. Website sends the encrypted message (119, 197, 35, 35, 65) to us

Decryption We receive the encrypted message (119, 197, 35, 35, 65) from the website.
we use our private key to decrypt the message using our private key (d, n) = (77, 221)
Applying modular exponentiation we get

  • 119^77 mod 221 = 8 which is 8th letter or H
  • 197^77 mod 221 = 5 which is 5th letter or E
  • 35^77 mod 221 = 12 which is 12th letter or L
  • 35^77 mod 221 = 12 which is 12th letter or L
  • 65^77 mod 221 = 15 which is 15th letter or O

We have decrypted the message to the string HELLO.

We then send the plaintext HELLO back to the website. Since we're the only ones with the private key that can decode a message sent with our public key, the website knows it is really us.

In this example, we chose small prime numbers for simplicity, but in practice, much larger prime numbers are used to enhance security. The modulus (n) is derived from the product of these primes, and the public exponent (e) is chosen such that it is coprime to φ(n). The private exponent (d) is calculated using modular arithmetic. This ensures that only the possessor of the private key can decrypt messages encrypted with the corresponding public key.

Password Managers Supporting Passkeys as of 04 March 2024

App Passkeys What's for free?
BitwardenBrowser onlyFree: 2 users, 2 collections, Unlimited devices & passwords, passkeys, username and password generator. Online vault only but you can back it up elsewhere.
pricing and details Bitwarden and passkeys (search)
1Passwordon Android Free for 14 days. Individual plan $2.99/mo: 1 user, unlimited devices & passwords
Passkey support on Android
Dashlane yes, mobile only Free: 1 device at a time, 25 passwords. Paid=“Premium” $4.99/mo, many devices, no limit on passwords, VPN.
plan comparison
KeepassXCusing browser extensionVault where you want it. 1 user, unlimited collections, devices, passwords. Password generator. Not sure passkey details. Note: you save your encrypted 'vault' where you want, eg: your computer, memory stick, cloud storage.
Applerequires iOS & iPadOS 16, MacOS 13 or later.No charge. Details on use
Googleyes about and link for setting up

References

passkey.txt · Last modified: 2024.03.13 08:47 by Steve Isenberg