I have decided to play around with passkey. As a test, I will attempt to enable passkey on Best Buy. I didn’t want to use one of the test sites like passkey.io because I want to have a real site for experience.
What is Passkey
Passkey is an alternate way of logging in designed to replace passwords. Passkey uses a private/public key pair for security. The website retains the public key while you hold the private key. The increase in security comes from the key pairs. If someone breaches the website, they only have half of the key pair, and won’t be able to use it to break into your account. Passkey also validates the URL and so is resistant to phishing.
Test Platform
* Mac Air M1 running Ventura
* iPhone 14 Pro Max running iOS 16
* Linux running PopOS
* Windows machine running Windows 10 with a fingerprint reader
* Lenovo Flex 5i Chromebook
Sorry I do not have a recent Android device.
Passkey on Apple Eco-system
Apple’s implementation stores the passkey in the iCloud Keychain. Once stored, the passkeys are usable on any device that can employ the iCloud Keychain for password management. I believe this means you need to have iOS 16 and macOS Ventura.
As an experiment, I attempted to add a passkey on my iPhone.
1. On my iPhone, open up Safari.
2. Log into Best Buy using the user name and password method.
3. Go into Account Settings and then Passkey.
4. Click on the Create a Passkey button. The passkey is saved to the keychain. If you log into iCloud, you should see the new key.
Well, how did it work?
* On iOS, I attempted to log into the Best Buy app but did not see an option for passkey. I ended up having to log in the old-fashioned way.
* On iOS, I attempted to log into the Best Buy website using Safari. I am shown an option for passkey. Once I press it, I get a Face ID authentication and am able to log in.
* On macOS, I attempted to log into the Best Buy website using Safari. I also see an option for passkey, and when I pressed it I was able to get in using the keychain.
* On Windows, I attempted to log into the Best Buy website using Chrome. I click on the option for passkey and am prompted with a list of devices. I click on the option for other phone and get a QR code, which I can scan using my iPhone’s camera and press approve.
* On Linux, there does not appear to be an option for passkey.
* On ChromeOS, Chrome has a button for passkey. When pressed, you get a QR code which you can scan with the iPhone’s camera. The camera screen will display a sign-in button, which when clicked will sign the Chrome OS device in.
Passkey on Microsoft Windows
Microsoft has allowed passwordless login for several years. Despite being an early adopter, it seems to be less developed due to lack of syncing. Access appears to be through the Edge browser. Setup is similar to iOS.
1. Open Edge.
2. Log into Best Buy.
3. Go into account settings. Add a passkey. You are prompted to authenticate using the fingerprint reader. Once you press the fingerprint reader, the passkey is stored in Windows Hello.
When you log in, you can press the fingerprint reader and it will log you in. However, one issue I see is that the passkey is stored in Windows Hello and lives on that device only. The other issue I have is that the Windows device I used had neither encryption nor TPM, which poses some security issues.
Passkey on Google eco-system
I only tried this one in Chrome OS and Windows because I don’t really have Chrome installed on macOS or Linux. I tried the following on Windows.
1. Open Chrome.
2. Log into Best Buy.
3. Go into account settings. Add a passkey. You are prompted to authenticate using the fingerprint reader. Once you press the fingerprint reader, the passkey is stored in Windows Hello.
Note that it immediately noticed that I already have a pre-existing key I created earlier using Edge. One issue I have noticed is a lack of syncing between different groups of devices.
* All passkeys created in Windows are stored in Windows Hello and live only on that device.
* All passkeys created on iOS and Mac are stored in the iCloud Keychain and are synced.
* You can’t create a passkey using Chrome OS.
Passkey on Yubikey
Yubikey provides a method of storing the passkey on the Yubikey. I believe there is a limit of 25 entries. However, I have not been able to figure out how to set it up. I have, however, in the past set up Yubikey to do passwordless login to Microsoft accounts.
What I have learned.
* Passkey is a pretty good replacement for password and is easy to use. Currently, it’s a bit tricky to maintain.
* Each ecosystem has its own implementation. The Apple one stores the passkey in iCloud Keychain and can be synced across devices that can use the keychain. Google’s stores the passkey in Windows Hello on Windows; on Android, it is stored in the Google Password Manager; on iOS, in the iCloud Keychain. Windows stores the passkey in Windows Hello and does not sync. This means cross-platform syncing is not a thing right now.
* On websites that do support passkey, you can use a QR code to log in using another device. This is why they are discoverable.
* There does not appear to be Linux support.
* Firefox does not support passkey because it does not yet support CTAP.
* On most sites, passkeys are implemented as another alternate method to log in. This means that the other methods of login, including password, are still available. If your passkey device is lost or destroyed, you should be able to log in using your user/password. The passkey technically does not add any protection since the old login method still exists, but it provides a phish-resistant method of logging in.
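The key-pair and URL-checking behaviour described in the post above, as an added example (not code from the post or from any site it mentions). It is a simplified WebAuthn-style assertion check; the domains `shop.example` and `shop-login.example` and all function names are assumptions made for the illustration.

```javascript
// Added illustration: simplified passkey (WebAuthn-style) login check, not a full spec parser.
// The domains and all function names are constructed for this example.
const crypto = require('node:crypto');
const sha256 = (d) => crypto.createHash('sha256').update(d).digest();

// Registration: the device keeps the private key, the website stores only the public key.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { authenticator: { rpId, privateKey }, serverRecord: { rpId, publicKey } };
}

// Browser and authenticator: the browser, not the page, records the origin it is really on.
function signAssertion(authenticator, challenge, browserOrigin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: browserOrigin }));
  // authenticatorData = SHA-256(rpId) || flags (0x05: user present + verified) || signCount
  const authData = Buffer.concat([sha256(authenticator.rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, authenticator.privateKey) };
}

// Website: returns 'ok' or the reason the login is rejected.
function verifyAssertion(record, expectedOrigin, challenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== challenge.toString('base64url')) return 'stale or replayed challenge';
  if (client.origin !== expectedOrigin) return 'origin mismatch';
  if (!a.authData.subarray(0, 32).equals(sha256(record.rpId))) return 'rpId mismatch';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, record.publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const site = 'https://shop.example';
  const { authenticator, serverRecord } = createPasskey('shop.example');
  const challenge = crypto.randomBytes(32);
  const check = (a, c = challenge) => verifyAssertion(serverRecord, site, c, a);
  // Someone holding only the server's public key has to sign with some other private key.
  const otherKey = { rpId: 'shop.example', privateKey: createPasskey('shop.example').authenticator.privateKey };
  return {
    genuine: check(signAssertion(authenticator, challenge, site)),
    lookalike: check(signAssertion(authenticator, challenge, 'https://shop-login.example')),
    wrongKey: check(signAssertion(otherKey, challenge, site)),
    replayed: check(signAssertion(authenticator, challenge, site), crypto.randomBytes(32)),
  };
}
console.log(demo());
```

A real authenticator would also decline to offer a credential scoped to `shop.example` on the look-alike domain in the first place; the server-side origin check shown here is the second layer.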
Trying out the new Passkey technology
Re: Trying out the new Passkey technology
Thanks for doing all that experimentation!
I'm fairly sure Firefox supports passkeys on Windows at least (I have been using it for my Google account with Windows Hello for some time). That said, I do use the "nightly" build of Firefox so I couldn't say it's in the stable version.
Re: Trying out the new Passkey technology
freakyfriday wrote: ↑Thu May 25, 2023 1:34 am
> Thanks for doing all that experimentation!
> I'm fairly sure Firefox supports passkeys on Windows at least (I have been using it for my Google account with Windows Hello for some time). That said, I do use the "nightly" build of Firefox so I couldn't say it's in the stable version.

CTAP support appears to be experimental. I did try to enable it, but the version I have still does not support it.
Re: Trying out the new Passkey technology
Thanks for sharing your experience.
Here are a couple articles about passkeys, more about using them in Google ecosystem. Many of the same lessons that gavinsiu noted.
Google passkeys are a no-brainer. You’ve turned them on, right?
subtitled "The passkey ecosystem is far from complete, but Google's implementation is now ready to use."
Passkeys may not be for you, but they are safe and easy—here’s why
subtitled "Answering common questions about how passkeys work."