(Synced) Passkey Is Weak(yourpasskeyisweak.com)

4 pointsby T3OU-7367 hours ago2 comments

ifh-hn3 hours ago
What about offline stores passkeys? I've a keepasxc database. Just having the database isn't enough because you need the keyfile and my password to open it.
I get what they're saying but device bound keypasses are brittle. List device lost account. So you need multiple devices. Passkeys are just a bad solution to a valid problem.
- T3OU-7362 hours ago
  That is what I was thinking, too, but rather than the keyfile being an actual file, it is, instead, on the USB-C HW token. So, to decrypt your KeePassXC db, you'd need the physical token to do the decryption, and ask it to be, effectively, an HSM.
  https://keepass.info/help/kb/yubikey.html talks of different ways of doing something like that, but I've not played with it yet.
  Another option is just to store passkeys natively on the token itself?
T3OU-7366 hours ago
There's a [DEFCon 33 talk](https://youtu.be/xdl08cPDgtE?si=SwZ-87jzDbNeP1Mx) on this, too.
I... Am not sure how I feel about it. On tech merits, this absolutely makes sense - the tech is slinging private keys around, and their secure storage is a hard problem.
On the practical merits - maybe? Token-backed decryption of the password manager's database seems like a devent solution? But does this happen? Is there a password manager which uses the public key derived from FIDO2 token's on-chip private key to decrypt the database?
On-token storage is limited (though 100 passkeys on a YK 5 Nano is fairly generous) - but what if we just used the YK as the "Private key is here and ONLY here" setup?
I kinda like the OFFOAD+ design - it promises to show me to where I am authenticating. With origin binding should be a nobrainer, but still, it speaks to me.
- T3OU-736an hour ago
  D'oh. Typo. OFFPAD not OFFOAD.