Every time I see a long inscrutable discussion about Passkeys, I see a weird avoidance of the "something you know" part of security. Here in the US, courts and law enforcement have every right to get your username, fingerprint, retina scan, face ID, whatever. But they don't have the right to extract something from your brain. Unless I'm missing something basic (which at this point, I don't think is my fault since this whole thing appears incredibly difficult to explain), Passkeys skips past that whole thing in favor of making it a heck of a lot easier to replace "something you know" with "something you have". Which is a security nightmare.
PINs and passwords on HSM keys like this are typically very secure as they will wipe themselves or at least lock themselves after a small number of failed attempts. For example if you only allow 5 failed attempts a 4 digit random PIN has a 0.05% chance of being guessed and a 6 digit PIN is 0.0005%.
So the only real risk is key extraction, hardware key extraction is always possible but likely incredibly expensive, so for most threat models it is not an issue. (Software key extraction or side channels is a different problem which may be easier but in theory is not possible.)
PIN+limit is still a much worse user experience than a password:
- a PIN is hard to memorize, so people are more likely to use personally-relevant or common numbers, whereas a password can be easily be both complex and memorable
- it's easy to burn through even 10 login attempts through any combination of temporary/permanent disability, stress, being drunk, damaged device...
- a wipe-after-failed-attempts system is trivial to abuse, be it by a prankster or a real adversary
- it's much easier to see someone's PIN over their shoulder or film them entering it
No, because passwords are just something-you-know (one factor) while a passkey that’s protected with a password is both something-you-have and something-you-know (two factors)
No, because a password manager still just stores passwords (one factor!); if someone got that password they can get in
The whole point of a passkey is that it’s something you have, not know:
- you can’t guess it because it’s a really long encryption key
- you can’t phish it because using a passkey does not give the passkey to the site, it just proves that you have the key (typical priv/pub key auth)
- you can’t steal it because passkeys are meant to never be moved from the device — it’s supposed to be impossible to extract them, as they’re supposed to live on a secure enclave type chip that is impossible to extract from
Which is exactly where your passkeys can be stored too. Put them in a password manager like 1Password, disable biometrics, and law enforcement would have to enter a password to access them
password managers are growing, but I'm not sure that 'most' people use them. Maybe 'most' software engineers or techies, but the average person probably has no idea what a password manager is.
>”the average person probably has no idea what a password manager is.”
In my experience, that’s a notebook or piece of scrap paper next to the PC with all their usernames and passwords scribbled on it.
That being said, all of the friends and extended family members that I have helped with computer issues have chosen to save several passwords in their browser’s autofill. Yet, none of them knew that they could view and edit these passwords.
Which is a bad idea. Right? That counterpoint defends a bad idea. We should be against the practice of permanently-unlocked password managers, and password managers that are only locked by "something you have". People also create ssh keys with null passwords, but it's also a bad idea and we should be opposed to that.
The State of Utah instructed the jury in State vs. Valdez to infer that a suspect was guilty because he refused to provide his password to the police. On appeal, the Utah Supreme Court ruled that he had the right to withhold his password according to the 5th Amendment, and he shouldn't face negative consequences for doing so. The state appealed that ruling to the U.S. Supreme Court, citing various other state and Federal courts which have made conflicting rulings on this same issue.
Sixteen states (Indiana, Alabama, Alaska, Delaware, Iowa, Kansas, Louisiana, Maine, Michigan, Mississippi, Nebraska, North Dakota, Ohio, Oregon, South Carolina, South Dakota, and Texas) just filed a motion asking the Court to hear the case: https://www.supremecourt.gov/DocketPDF/23/23-1020/307804/202...
Quoting that brief:
"[C]ourts have issued orders requiring persons to unlock devices or provide passcodes. But courts across the country are divided as to whether the Fifth Amendment bars such orders. [...] The Court should grant certiorari to provide guidance on how the Fifth Amendment’s guarantee against self-incrimination applies in the modern context of electronic devices."
Historically, US courts have declared that giving a password is proof that you control the given asset and that this can be incriminating.
In practice, juries will take a refusal to divulge a password as evidence of guilt, the cops will use it as an excuse for even greater brutality, the FBI is perfectly willing to hold you without trial for years on end, and in most cases they don't need it anyway because everything lives on someone else's computer and they're perfectly willing to hand your data over if they haven't already. Furthermore, because the defense is founded on the principle that the password serves as evidence that you owned the encrypted data, if the prosecution is able to prove that you owned the encrypted data in any other way, that protection goes away.
> In Boucher, production of the unencrypted
> drive was deemed not to be a self-incriminating
> act, as the government already had
> sufficient evidence to tie the encrypted
> data to the defendant
I am, of course, not a lawyer. I'm just summarizing easily available information, i.e. wikipedia.
Maybe it's slightly more nuanced than I thought. This (https://crsreports.congress.gov/product/pdf/LSB/LSB10416) seems to be an interesting report on the issue, although in most cases a defendant cannot be compelled to unlock their password-protected device. Biometrics might be different, but honestly, don't use a fucking fingerprint unlock if you've got "sensitive shit" on your device. Duh...
