Differences

This shows you the differences between two versions of the page.

--- passkey [2024.03.13 04:35] – Steve Isenberg
+++ passkey [2024.03.13 05:47] (current) – Steve Isenberg
@@ Line 1: / Line 1: @@
 ~~NOCACHE~~ <fc #a0a0a0><fs small>[This page last changed ~~LASTMOD~~;
 visits {{counter|today| time| times}} today, {{counter|yesterday| time| times}} yesterday, and {{counter|total| time total| total times}}]</fs></fc>
-Presentation can be include [[https://blog.1password.com/passkeys-vs-passwords-differences/]]
@@ Line 11: / Line 9: @@
 [[https://www.youtube.com/watch?v=IhuBZOgWbIg|Short video, Passwords: use and risk]] <fc #ffffff>Marx Brothers</fc>
-====Using passwords====
+The following digested from [[https://blog.1password.com/passkeys-vs-passwords-differences/]] with some embellishment
-  - Sign up with a website, eg, buystuff.com
-  - Buystuff accepts a password you create, Buystuff needs to remember this password
-  - You need to remember this password, using a password manager like KeePassXC or others or writing it down
-  - When you log in, you need to send the password to buystuff.com
-  - Buystuff makes sure you entered the correct password and if so lets you in
-====Using passkeys====
+===Passwords - shared secret===
-  - You are using a password manager that supports Passkeys
+  - When you create an account, you choose a password, a ''shared secret'' and give it to the website
-  - Sign up with a website that supports Passkeys, eg, betterstuff.com
+  - The website uses a math algorithm to encrypt/scramble the password into a hash that it saves
-  - Betterstuff may first require that you create a password to log in
+  - When you login, you send the password to the website
-  - You tell Betterstuff that you want to use Passkeys
+  - The website uses the same math to encrypt/scramble the password you entered and compares it to the hash it's saved
-  - Your password manager creates a Public and Private key that's unique for you
+  - If the two hashes match then you're in
-  - You give the Public key to betterstuff.com
-  - The Private key never leaves your device (stays in password manager)\\
+===Passwords: What does this mean===
-  - When you want to log into betterstuff.com, the website creates a secret number or character string and encrypts it using your Public key, sends it to you
+  * Passwords can be guessed
-  - Only you can decrypt the message as only you have the Private key
+  * Passwords can be seen in transit
-  - You decrypt the message and send back the secret number or character string to betterstuff.com
+  * Passwords need to be complex (u/l case, #, special chars) and long so hard to guess
-  - The website betterstuff.com receives this, compares it to the number or string that they encrypted and sent, and if matches they know it is you, and you're logged in
+  * Some websites may save the password and not the hash (and passwords are compromised in a breech)
-//A lot of this happens behind the scenes.//
+  * Best to use a password manager to create and store complex passwords different for each website (e.g., BitWarden, 1Password, Dashland, KeePass)
+===Passcodes - use public key cryptology===
+  * Each passkey is a pair of keys: a public key and a private key
+  * These are mathematically linked together
+  * Public key is given to and stored by the website when you sign up with the website(and it's ok if attacker sees this)
+  * Private key is never shared
+Public info: your public key and the algorithm used (e.g., 3DES, AES, RSA)\\
+f( f(number, public key) , private key) = number\\
+[[https://www.comparitech.com/blog/information-security/encryption-types-explained/|More info on encryption]]
+===Signing in using Passcodes===
+  - Your device asks website to log you in
+  - Website encrypts some arbitrary number (a ''nonce'') using your public key and sends it to you
+  - Your device uses your private key to decrypt this and sends back the decrypted number
+  - The website verifies that what you sent in #3 matches the arbitrary number it encrypted in #2
+  - If there's a match, you're logged in
+===Passcodes: What does this mean===
+  * Passkeys can't be guessed (unlike simple passwords)
+  * Attackers can't do anything if they get your public key (it's useless without your private key that you never share)
+  * Attackers can't see anything useful in transit like they can with passwords
+  * You can have many public-private key pairs (I haven't seen a site say this though)
+(Argument: passkeys can be guessed. Yes, you can guess a 1024-bit or ~300 digit number given enough time and computing resources.  Yes, quantum computers may speed this up, which is a concern.)
 ===1. Passkey Example===
@@ Line 67: / Line 86: @@
 ==2b. Creating passkey==
+<hidden>
 This from video [[https://bitwarden.com/passwordless-passkeys/|this Bitwarden demo video]]
@@ Line 78: / Line 98: @@
   - Log out, log in.  Select the icon where userID is entered, select Shopify.
   - You're logged in.
+</hidden>
+At Nintendo
+  - In BitWarden, create login for Nintendo(name, user name=email, pw)
+  - Go to nintendo.com (the website)
+  - Sign-up
+  - Select the login info f/BitWarden
+  - Get verification email w/code, enter 4-digit code on Nintendo
+  - Log out, log in using new acct
+  - Account settings > Sign-in and security settings
+  - Scroll to Passkey, Edit
+  - Register a New Passkey
+  - Follow verification process: Submit to start it
+  - Enter 6-digit code
+  - Register
+  - BitWarden: select the login you just created to save the passkey
+Let's try it
+  - Sign out
+  - Sign in ''Passkey Sign-In''
+  - BitWarden: select the login you just created to use its saved passkey
+You're in.