A new login technique is becoming available in 2023: the passkey. The passkey promises to solve phishing and prevent password reuse. But lots of smart and security-oriented folks are confused about what exactly a passkey is. There’s a good reason for that. A passkey is in some sense one of two (or three) different things, depending on how it’s stored.
    • lemmyvore@feddit.nlEnglish
      16·
      1 year ago

      TOTP generated on the same device as the passkey is not a secondary factor. It will have been compromised together with the passkey.

      For passkeys, the secondary factors are used to access the passkey vault, not auth to the server. And these secondary factors should be a master password, biometrics, or physical keys. TOTP and SMS are out.

        • 0xD@infosec.pub
          5·
          1 year ago

          I’m not sure I follow you - if someone can compromise the key material on my phone that is protected by a different factor, then it doesn’t matter whether the 2FA is server-side or not, it’s compromised either way.

            • ghterve@lemmy.world
              3·
              1 year ago

              It seems like you are trying to protect against a compromise of the user’s device. But if their device is compromised then their session is compromised after auth anyway and you aren’t solving much with extra auth factors.

                • Natanael@slrpnk.net
                  2·
                  1 year ago

                  If the user can perform all steps on the same device then it doesn’t make sense to assume only specific set of keys will be disclosed, you have to assume everything on the device can be compromised

    • Natanael@slrpnk.net
      1·
      1 year ago

      Passkey plus TOTP doesn’t really make sense (they’re both client side cryptographic keys, you don’t need two protocols), at least use a PAKE algorithm with a PIN instead if you want the server to be able to check the user’s knowledge of a secret without sending it in a readable form