If there is an article that explains what's different about passkey under the hood, I've yet to find it. That's not entirely surprising as it's brand new. Still it's mighty frustrating when Google searches return just page after page of rewrites of FIDO/Google/Microsoft press releases, all saying little more than "hey! passkey replaced passwords (and it somehow involves phones and bluetooth)".
Yes, I know it uses FIDO under the hood. But there are very few ELI5s for FIDO either. Ones that start with "It starts with a super secret private key the FIDO device creates and never leaves the device, so no one ever can learn it. In fact, the security and cost effectiveness of the system rests on the fact that it's near impossible to extract that secret from a piece of cheap silicon. The system works because it's possible for the device to prove it knows that one thing only it could know, without ever revealing what the secret is. ..." From there it goes on to explain the techniques used to ensure that, despite using the same secret for every server, no two servers (from different domains) will know the same key was used to log into each. And on it goes with mutual auth, and immunity to MITM attacks and on and on. Now that I think about it, maybe 5 is a little too young.
Then people say disturbing things about Passkey, like https://www.hanko.io/blog/on-passkeys : "Passkeys = (synced) WebAuthn credentials". Hang on. Is that saying this super secret key that never escaped the FIDO token is now synced???
And where is this super secret key stored on the phone? Storing it in a hardware token that receives a backdoored firmware upgrade is one thing. Storing it in a device that accepts firmware upgrades, when governments such as Australia's have passed laws allowing them to compel manufacturers to backdoor firmware upgrades, is quite another. But storing that secret on an Android or iOS phone, which are so complex they have proved impossible to make secure, which we know because many can still be rooted today - surely that's insanity?
But who knows, maybe that's all been thought of and mitigated. Given Google's involvement, that almost seems likely. But you could never learn if it was true from the dumbed down to the point of uselessness "hey! we've invented (yet another) replacement for passwords" press releases I've seen so far.
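The three properties the comment above wants explained, a secret that never leaves the device, proof of possession without revealing it, and a different key for every site so that no two servers can correlate logins and a look-alike domain cannot replay an assertion, as an added example that is not from the post, the linked blog, or any FIDO implementation. It assumes a toy HMAC-based per-relying-party key derivation (real authenticators use their own constructions), and the seed, challenge and domain names are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"math/big"
)

// Authenticator keeps one master seed that never leaves the device.
type Authenticator struct{ seed []byte }

// keyFor derives a per-relying-party P-256 key from seed and RP ID (assumed HMAC simplification, not FIDO's exact construction).
func (a *Authenticator) keyFor(rpID string) *ecdsa.PrivateKey {
	mac := hmac.New(sha256.New, a.seed)
	mac.Write([]byte(rpID))
	curve := elliptic.P256()
	d := new(big.Int).SetBytes(mac.Sum(nil))
	d.Mod(d, new(big.Int).Sub(curve.Params().N, big.NewInt(1)))
	d.Add(d, big.NewInt(1)) // scalar in [1, n-1]
	x, y := curve.ScalarBaseMult(d.Bytes())
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve, X: x, Y: y}, D: d}
}
// signedData binds SHA-256(rpID) to the challenge, as WebAuthn signs authenticatorData || clientDataHash, so an assertion is origin-bound.
func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	sum := sha256.Sum256(append(rpHash[:], challenge...))
	return sum[:]
}
// Assert proves possession of the per-RP secret without revealing it.
func (a *Authenticator) Assert(rpID string, challenge []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, a.keyFor(rpID), signedData(rpID, challenge))
	if err != nil {
		panic(err)
	}
	return sig
}
// Verify is the RP's check with the public key it stored at registration.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(rpID, challenge), sig)
}
// Demo: do two sites see the same key? does the genuine RP verify? does a look-alike domain?
func Demo() (sameKey, genuineOK, lookalikeOK bool) {
	auth := &Authenticator{seed: []byte("constructed-32-byte-master-seed!")} // real devices draw this randomly
	pubA, pubB := &auth.keyFor("bank.example").PublicKey, &auth.keyFor("shop.example").PublicKey
	chal := []byte("constructed-server-nonce")
	sig := auth.Assert("bank.example", chal)
	return pubA.Equal(pubB), Verify(pubA, "bank.example", chal, sig), Verify(pubA, "bank-example.net", chal, sig)
}
```

The relying party only ever stores the public key, so a server breach or a phishing site relaying the assertion gains nothing that works elsewhere.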