99 points by pabs3
10 days ago
At BlinkShell we recently added support for WebAuthn for SSH keys. WebAuthn signatures have been a part OpenSSH for a while now, but it looks like we are the first client to do so. You can check out a few cool flows here https://twitter.com/BlinkShell/status/1570427813819486212?s=...
IMO, the best part of Apple adding Passkeys support over WebAuthn is that we are finally able to use Secure Keys as well across all devices. If this takes off, I wonder if it would somehow end up replacing FIDO2 for Secure Keys scenarios as wel.
For anyone else familiar with WebAuthn but confused about the generic term 'passkey' like I was: the author is probably talking about some new Apple feature for IOS. It looks just like regular WebAuthn from what I can tell.
This is a joint development announced by Apple, FIDO, Google, and Microsoft. Passkeys follow the WebAuthn standard but add the functionality of working cross-device without needing to re-enroll and allow one device to authenticate for another near by device (ie phone authenticating log in attempt on laptop).
If you’re familiar with U2F and FIDO2 MFA, Adam Langley’s interview on the “Security, Cryptography, Whatever” podcast is worth listening to for the discussion of what’s happened since and the thinking behind many of the decisions:
Yes, it is WebAuthn + iCloud storage of the client credentials.
Note that Microsoft and Google also agreed to the Passkey terminology and will be adopting it in all their Webauthn-related UIs
Also, there is a draft being working on for credentials transfer:
This document describes a mechanism to transfer digital credentials
securely between two devices. Secure credentials may represent a
digital key to a hotel room, a digital key to a door lock in a house
or a digital key to a car. Devices that share credentials may belong
to the same or two different platforms (e.g. iOS and Android).
Secure transfer may include one or more write and read operations.
Credential transfer needs to be performed securely due to the
sensitive nature of the information.
Being very pedantic: "passkey" is spelt with a lowercase "p" like with "password".
Checkout this webauthn (passkey) implementation helpful for your web projects: https://github.com/authcompanion/authcompanion2
This looks really useful. Thank you.
Seems like there is no standard for a HTTP protocol for Webauthn logins, like there is for Basic Auth, Kerberos Negotiate, etc?
Unfortunately not. But recently serialisation and deserialisation _has_ been added to the standard. So it's something:
Github maintains a Ponyfill for browsers that don't support this standardised serialisation format yet: https://github.com/github/webauthn-json
The author of the pull request wrote a tool to deal with the serialisation/deserialisation which works great and has a passkey option:
Found some possibly related issues:
This is a great tutorial. thanks!