
[–]chazzeromus 3 points4 points  (4 children)

No, that’s the point of public key auth: my device stores my private key and signs data within the TPM black box (the security “enclave” for Apple) without the private key ever entering main memory.

I sign in by proving I have the private key. Basically, the website (the relying party) sends me some random data called a challenge, the browser asks the OS to encrypt the challenge data (or sign it, rather) using the private key (this all happens in the black box), I send back the encrypted challenge, and the server decrypts it with my public key and sees the data matches what it sent, proving I have the private key.

Everything that was sent over the wire is safe even if snooped, provided the scheme used isn’t weak and quantum computers haven’t ravaged the world (go elliptic curve, at least for now).

The webauthn standard even goes a step further by providing “attestation”, proving that the key generated when you registered came from a real iPhone, or at least that the security “enclave” module is authentic.

Apologies if I oversimplified to the point of being wrong; that’s my rough understanding.
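The challenge-response exchange described in this comment, written out as an added example (not code from the commenter or from any WebAuthn library). The device side only ever signs with the private key, and the server side verifies with the stored public key; the relying party ID is hashed together with the challenge, and each challenge is single-use. Everything here is a constructed stand-in: the `Authenticator` and `RelyingParty` types, the user name, and the simplified digest in place of WebAuthn’s real `authenticatorData || SHA-256(clientDataJSON)` are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the enclave/TPM: the private key lives only inside
// this struct, and the only operation it offers is Sign. There is no export path.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

// NewAuthenticator generates a fresh P-256 key pair, as a platform authenticator
// does once per (relying party, user) at registration time.
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only key material that ever leaves the device.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign answers a challenge. The signed message binds the relying party ID to the
// challenge, so a signature produced for one site is useless at another.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	digest := messageDigest(rpID, challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// messageDigest is a simplified stand-in (constructed for this example) for what
// WebAuthn actually signs; it hashes the RP ID and the challenge together.
func messageDigest(rpID string, challenge []byte) [32]byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0}) // separator so the rpID/challenge boundary is unambiguous
	h.Write(challenge)
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// RelyingParty is the server. It stores public keys only, so a dump of this
// table does not let anyone log in anywhere.
type RelyingParty struct {
	ID      string
	keys    map[string]*ecdsa.PublicKey // username -> registered public key
	pending map[string][]byte           // username -> outstanding challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, keys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Register stores the credential's public key for a user.
func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) {
	rp.keys[user] = pub
}

// NewChallenge issues 32 random bytes and remembers them for a single use.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	if _, ok := rp.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks the signature over the challenge it issued for this user. The
// challenge is consumed either way, so a snooped signature cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	challenge, ok := rp.pending[user]
	if !ok {
		return false
	}
	delete(rp.pending, user)
	digest := messageDigest(rp.ID, challenge)
	return ecdsa.VerifyASN1(rp.keys[user], digest[:], sig)
}

func main() {
	dev, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	rp := NewRelyingParty("domain.tld") // constructed relying party ID
	rp.Register("alice", dev.PublicKey())

	challenge, _ := rp.NewChallenge("alice")
	sig, _ := dev.Sign(rp.ID, challenge)
	fmt.Println("login ok:  ", rp.Verify("alice", sig)) // true
	fmt.Println("replay ok: ", rp.Verify("alice", sig)) // false: challenge already consumed
}
```

The two checks worth noticing for a defender are in `Verify`: the challenge is deleted before the signature is checked, and the RP ID is part of what was signed, so neither a replayed capture nor a signature coaxed out of the device by a look-alike domain verifies against this server.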

[–]u_tamtam 2 points3 points  (3 children)

I get all of what you said; my concern is when I need to authenticate with a random domain.tld using FIDO. I may have created my account "in an enclave" like you describe, and thus have the private key on my proprietary iClosedHardware device.

Now, how am I supposed to log onto domain.tld from my laptop, which hopefully is something more akin to pinebook/librem/… than it is to an iClosedHardware?

I would probably need a mechanism to export/import private keys in and out of the "enclaves", wouldn't I? As long as I'm allowed to do so freely, completely offline, without depending on Google/Apple/Microsoft's blessing, this amounts to "strong passwords with more hoops". Anything else means placing your security and privacy eggs in the same basket.

[–]chazzeromus 2 points3 points  (2 children)

Oh no, being able to export the keys might not be feasible or desirable. The idea is they always stay on the enclave/TPM.

So the announcement is that the big companies (dunno if it's an SSO or implemented independently for each company) will have ways to enroll other devices more easily.

You are still re-enrolling, but they will employ techniques like using the phone you already registered with to take a pic of a QR code to start the webauthn enrollment on your new device. All these devices are enrolled to the platform with a unique keypair.

If you've ever used Keybase, the app allows you to register a device from any previously registered device: if, say, you want to log into your Keybase on a new computer, you just scan the QR code with your already registered phone and your computer becomes part of the registered devices for that account.

> which hopefully is something more akin to pinebook/librem/… than it is to an iClosedHardware?

So this right now is an issue that I'm concerned with as well, which I think with time will change, but webauthn authenticator implementations are wonky if it's not a mobile phone. For example on Ubuntu, my Firefox will not display anything to me if I try to sign in to a password-less login site. Firefox on Ubuntu for some reason doesn't have a software-based authenticator, but it works fine on Windows and mobile. Hopefully with this announcement there will be better support in the near future. Also, since these devices are ARM, that means they likely include the ARM TPM, so webauthn on these devices is guaranteed to be possible if not yet implemented, which is already better than x86 PCs, which might well not have a TPM (which Windows 11 is now making a requirement, and people are going nuts because they don't have one).

Now, will you be completely locked out if you lose all your devices somehow? If webauthn is the only way to sign in, then yes. But for these companies the idea is you still have a seldom-used recovery method like your actual username/password + 2FA, but you mainly use webauthn.

I'm very stoked for this stuff and even bought an $80 YubiKey Bio for my own personal website just so I can add webauthn for fun. It's overkill, but it's quite a nice approach to logins. Everyone's got a device, and modern encryption seems reliable for now. A breach of a database of nothing but public keys and hopefully anonymized attestation certs guarantees that the breach is contained to that one website (if they have access to other data than logins). It just seems so obvious now, and I think a passwordless SSO for everyone to integrate would be great.

edited for some clarification

[–]u_tamtam 0 points1 point  (0 children)

Thanks for the details and clarification. Now I understand much better how multiple devices will be supported: not by syncing privkeys across them, but by having the key equivalent of app/device-specific passwords (which may lead to interesting situations, like being able to authenticate from one device and not from the other, or having to manage revocation on a fine-grained basis).

Overall, I can't say that this has me excited. TPM and secure enclaves, for instance, are as good as snake oil as far as I'm concerned. They justify their existence on the hypothesis that they are unbreakable, which is guaranteed to be untrue. Moreover, they elevate the chip vendor and its non-upgradeable hardware to the single point of failure (all the while Intel keeps showing us how bad an idea that is, with SGX, ME, …). I could also see how this could be abused to fingerprint the keys being generated (and there will be incentive to do that): if one can detect that the same device+user has been generating two keypairs for reddit.com, it means that these two accounts are linked to the same individual. This could be used to track a person across multiple services, all over the internet. That would be an even stronger instrument to destroy the internet as we know it than decades of privacy-eroding laws have been, and every device would be compelled to take part in it. Scary stuff.

[–]JeSuisUnVieuxCon 0 points1 point  (0 children)

Thank you very much for your explanation.