As early as the time of Asterix and Obelix, passwords have been around, and they
have been used in computers since time immemorial (Wikipedia mentions 1961 as
the year in which they were used in a system at MIT). And now, some two
thousand years after our Gallic friends, we are tired of them. There are too
many of them, they are inconvenient and they are unsafe – even long, complex
passwords are unsafe if someone phishes them. But there is hope: the passkey is
coming!
Passkeys are not yet widely available, but the word is popping up more and more and that
is enough reason to take a closer look. Passkeys are fundamentally different
from passwords, with the biggest advantage being that they are many times more
secure. And they are easy to handle. Who would not want that?
To explain the difference, I'll start with the ancient password. Its operation is
based on what is called a shared secret: both you and the
site/app/application/computer know the password. About the only difference with
the way the ancient Romans worked is that computer passwords are not stored on
a server as they are, but in the form of a hash value (a mathematically
calculated 'distortion' of the original). The other party must still be
able to check whether the combination of username and password entered matches
its data on file, so the credentials of all users are stored in a large
file. That's gold for hackers if it isn’t protected. And that is why hashing is
so important. Hashing is irreversible; the password 'badexample' becomes ‘833f25dab798cb9b3ff1952ccb461751’
and there is no way back: you cannot recover the original password from the
hash value. When you enter your password, it is hashed again and if the result
matches the stored hash value, you are allowed to enter. Just like anyone else
who knows your password. Moreover, a patient hacker who stole a password file can
try passwords all day long and if the calculated hash value eventually matches
the value in the file, he knows your password.
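How a site can make each of those guesses expensive, as an added example that is not part of the original post: it contrasts a fast, unsalted digest with a salted, deliberately slow one, using Node.js's built-in crypto module. SHA-256 stands in for "a fast hash", and the function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Weak storage: a fast, unsalted digest. Equal passwords give equal records,
// so one guess can be checked against every stolen record at once.
function weakRecord(password) {
  return crypto.createHash('sha256').update(password).digest('hex');
}

// Stronger storage: a random per-user salt plus scrypt, a deliberately slow,
// memory-hard function. Every guess has to be recomputed for every user.
function strongRecord(password) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(password, salt, 32);
  return { salt: salt.toString('hex'), hash: hash.toString('hex') };
}

// Login check: recompute with the stored salt and compare in constant time.
function verify(password, record) {
  const salt = Buffer.from(record.salt, 'hex');
  const candidate = crypto.scryptSync(password, salt, 32);
  return crypto.timingSafeEqual(candidate, Buffer.from(record.hash, 'hex'));
}

// Constructed sample: two users who both pick the post's example password.
function compareSchemes() {
  const pw = 'badexample';
  const a = strongRecord(pw);
  const b = strongRecord(pw);
  return {
    weakRecordsMatch: weakRecord(pw) === weakRecord(pw),
    strongRecordsMatch: a.hash === b.hash,
    rightPasswordAccepted: verify(pw, a),
    wrongPasswordRejected: !verify('goodexample', a),
  };
}
```

Even with the stronger scheme the password remains a shared secret: anyone who learns it passes `verify`.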
Enter the passkey. It doesn’t involve a shared secret, but serious cryptography. The
ancient Romans already did that. At that time it was mainly a matter of using
different symbols, or shifting (a becomes d, b becomes e and so on). This
involves a key: when using other characters you use a kind of legend, when shifting
it’s a number (in the example the key is +3). Modern cryptography is much more
complex, especially the kind used for passkeys: asymmetric cryptography.
Characteristic of this is that it doesn’t use a single key (which must be
shared between the parties involved, just like a password), but two keys. Those
keys have a mathematical relationship. One is called the public key, the other
is the secret key. The gist of the story is that the secret key remains on your
device and the public key goes to the other party. If you do something with
your secret key on your device, the other side can check whether it was you,
using the corresponding public key. That public key does not need to be
secured, as its name suggests.
Suppose you want to log in on your laptop to a site that works with passkeys. That
passkey can be on your smartphone, for example. Your laptop and your phone know
via Bluetooth that they are in close proximity and therefore that no one is
trying to log in remotely. You unlock the requested passkey on your phone with
your fingerprint, facial scan or a code. And hey, you're logged in to that
site.
Because the passkey does not leave the device, you as a user cannot leak credentials -
so you are not susceptible to phishing. In my opinion, that is the big
advantage of passkeys: an attacker simply cannot get in between. You can
synchronize your passkeys with different devices and have them at hand on your
laptop, tablet and smartphone. This synchronization is encrypted (end-to-end,
so no one can break into it).
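The login described above (the secret key stays on the device, the site holds only the public key), as an added example that is not part of the original post: a simplified challenge-response model in Node.js, not the real WebAuthn message format. The function names and the .test origins are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Simplified model of a passkey login; NOT the real WebAuthn message format.
// Function names and the *.test origins are constructed for illustration.

// Device side: the secret key stays inside this closure.
function createPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  // The signature covers the challenge AND the origin the browser is really on.
  const sign = (challenge, seenOrigin) =>
    crypto.sign(null, Buffer.concat([challenge, Buffer.from(seenOrigin)]), privateKey);
  return { publicKey, sign };
}

// Site side: stores only public keys and challenges that are still unused.
function createServer(origin) {
  const publicKeys = new Map();
  const pending = new Set();
  return {
    register: (user, publicKey) => publicKeys.set(user, publicKey),
    newChallenge() {
      const challenge = crypto.randomBytes(32);
      pending.add(challenge.toString('hex'));
      return challenge;
    },
    verifyLogin(user, challenge, signature) {
      // Each challenge is accepted once, so a recorded response cannot be replayed.
      if (!pending.delete(challenge.toString('hex'))) return false;
      const publicKey = publicKeys.get(user);
      if (!publicKey) return false;
      const expected = Buffer.concat([challenge, Buffer.from(origin)]);
      return crypto.verify(null, expected, publicKey, signature);
    },
  };
}

function demo() {
  const site = createServer('https://shop.test');
  const passkey = createPasskey();
  site.register('alice', passkey.publicKey);
  const c1 = site.newChallenge();
  const s1 = passkey.sign(c1, 'https://shop.test');
  const genuine = site.verifyLogin('alice', c1, s1);
  const replayed = site.verifyLogin('alice', c1, s1);
  // A look-alike page forwards a fresh challenge, but the browser reports its own origin.
  const c2 = site.newChallenge();
  const relayed = site.verifyLogin('alice', c2, passkey.sign(c2, 'https://sh0p.test'));
  return { genuine, replayed, relayed };
}
```

Only the genuine login verifies; the site never holds anything that would let someone else log in as the user.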
Passkeys are currently supported by major tech companies (Google, Apple, Microsoft). But
some password managers, such as Bitwarden, can also handle them.
Are you curious yet? Log in to your Google account (create one if necessary), go to
Settings > Security > Access keys and Security keys and create
your access key here. A Bitwarden plugin runs in the browser on my PC, and it asked
if I wanted to store the passkey there. From now on, when I want to log in to
Google on my PC, the password manager asks whether I want to use the passkey.
So it actually works the same as before, but without any secrets involved.
Let's hope that passkeys become popular, that we familiarize ourselves with
them, and that soon - for the next two millennia or so - we won't know any better.
And in the big bad world...
This section contains a selection of news articles I came across in the
past week. Because the original version of this blog post is aimed at readers
in the Netherlands, it contains some links to articles in Dutch. Where no
language is indicated, the article is in English.
- Hackers can often read your chats with AI bots, despite encryption.
- Some entrepreneurs have two faces.
- Google pays attention to Post Quantum Cryptography.
- Some physical electronic locks have a secret backdoor.
- Meta previously had to pay a privacy fine of five billion dollars, but the same lawsuit has now been reopened. [DUTCH]
- Criminals appear to be unreliable after all.
- Europe will have relatively strong AI legislation.
- In France, they no longer find it logical to periodically change all passwords. [DUTCH]
- The European Commission was reprimanded for the use of Microsoft 365.
- The Dutch police increase the cyber resilience of youth with a game. [DUTCH]
- Dutch people are becoming increasingly critical of their privacy. [DUTCH]