lee/hpr-knowledge-base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
37e8274bffbd347c22b084a14454141cee746a76
hpr-knowledge-base/hpr_transcripts/hpr4160.txt
Lee Hanken 7c8efd2228 Initial commit: HPR Knowledge Base MCP Server 
- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-26 10:54:13 +00:00

133 lines
15 KiB
Plaintext
Raw Blame History

Episode: 4160
Title: HPR4160: Passkeys
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr4160/hpr4160.mp3
Transcribed: 2025-10-25 20:30:57
---
This is hacker public radio episode 4,160 for Friday the 12th of July 2024.
Today's show is entitled, Past Keys.
It is part of the series' privacy and security.
It is hosted by Ahukad and is about 18 minutes long.
It carries a clean flag.
The summary is, we take a look at past keys and ask if this is what you should be using.
Hello, this is Ahuka, welcoming you to hacker public radio and another exciting episode
in our ongoing series on security and privacy.
And today I want to take a look at one of the things that is starting to get some attention in the news.
And you've probably heard about it, something called past keys.
And I want to take a look at what they are and also some suggestions as to whether or not it's something you might want to get involved with at this point.
So let's see what we go.
Now as we all know by this point, I hope we all know this, there are serious problems with the model of authentication on the internet today.
Which is based on user names and passwords.
Now it seems that on a nearly daily basis, we hear of another site being hacked and user credentials being stolen.
To help guard against password thefts, we are advised to create long and random passwords that resist brute force cracking, something like capital F.
Lowercase yw, 2, 1, uppercase i, 7, uppercase v, lowercase ft, uppercase w, uppercase y, uppercase d, uppercase y, 8, lowercase t, lowercase s, capital t, capital r.
Now this is a very good password, which I had key pass x generate for me.
But such a password while resistant cracking cannot possibly be remembered, particularly when you consider that best practices dictate you have a similar but completely different password for every site you visit.
Now I appear to have something on the order of 400 passwords for different sites, so memorizing is completely out of the question.
That means we have to implement a password manager.
For a long time, last pass was a leading provider of this, but now we have reports of hackers targeting last pass and getting access to the encrypted databases of people's passwords and cracking those.
Obviously because for one reason or another the encryption was not good enough.
The main targets appear to be password vaults of people with large cryptocurrency accounts that can be stolen, but in principle any attack on password managers is bad.
Now to provide some added measure of protection, the next step generally is to employ some kind of two factor authentication, but that is an added hurdle to the consumer who just wants to log on and do some business.
And they are different in how they are implemented and how secure they are.
Many of them involve sending a text message to a phone and the message contains a code number to authenticate you, but we know the text messages are not secure and often phones are not secure, so this is not the ideal answer either.
In the final analysis, password based authentication is a bad idea and we should drop it in favor of a more secure alternative and that is where pass keys come in.
They are proposed as a better way to authenticate people over the internet, but how good are they?
Starting point for all of this comes from something called the FIDO alliances FIDO.
That is an industry group of the usual suspects.
The executive council contains representatives from Google, Microsoft, Apple and Intel among others.
And the broader board contains many executives from other companies, Amazon, IBM, you know, you can fill in the blanks on that.
You can see a complete list.
On the website, I put a link in the show notes so you can see who all these people are.
The other player here is the World Wide Web Consortium and they have something called Web Often, a UTHN.
It is in fact run by people from many of the same companies.
So, you know, is it a separate player? I don't know about that exactly, not entirely.
Now you can see the current W3C recommendation and the editors and contributors at a link that I put in the show notes.
So anyway, what did all of these industry people come up with?
Well, in my view, it is not anything revolutionary.
The basic technology is just our old friends, public and private key pairs, which we've looked at before in which are really the only reasonable technology to use for secure communication on the internet, at least at this point.
Done properly, this should be quite sufficient, but the devil is always in the details.
So, a brief recap. We've talked about this before, but public key, private key is a technology that uses some algorithm such as the RSA or elliptic curve to generate two linked files that have the property that each file can decrypt a message encrypted by the other file.
Now, one of these files is usually designated as public and the other as private. That part's pretty arbitrary. Either one will work in either role.
Now, we first looked at this in the context of email, and I put links in the show notes to some of the past shows and things where we've talked about that.
It underlies TLS connections to websites, SSH log-in stream-out servers among other uses. In other words, this is very fundamental technology for secure communication at this time.
So, the idea that this underlies the proposed Paskey solution is not a particularly surprising thing.
Now, as to how it all works, this is where it can get tricky. Now, when we talked about a Paskey, we're not talking about anything physical, like a USB security dongle.
Now, these do exist, and Ubiqui is a good example of one. I put a link in the show notes if you are interested in getting a Ubiqui. They cost around 50 to $60 right now.
It works well. You would insert it in the USB port of your computer when you want to log into a website. Now, this means you have to have that Ubiqui with you at all times, and that means you're in danger of losing it.
So, it's not an unvarnished good, but it can in some circumstances be a good idea.
Now, the thing is, though, it is cumbersome, and the mass audience is not interested, and it's very clear that the Fido Alliance has given up on physical dongles, good as that may be for security.
Instead, a Paskey is a blob of random data generated on your device, and then registered with the website.
This is a unique blob for each site and each device, in general. So, it improves security because Paskeys cannot be reused the way passwords frequently are.
But you potentially have a problem here. The original specification for this was it was device to site.
So, if you had a smartphone, a laptop, a tablet, and a desktop, well, you'd actually need to create four separate Paskeys, because the link is not between you and the website, but between the device and the website.
Now, they've come up with multi-site, multi-device Paskeys, but those have issues as well. And that has to do with storing it in the cloud. We'll talk about that in a moment.
Now, this process is really designed around phones, and that's very clear from, you know, when you start reading how all this is supposed to work.
Now, if your phone is the only thing that you use to interact with the internet, this is actually not a bad solution, although still with some problems.
Now, the username password model, we have all been using for decades, is about something you know, which is, of course, your username and password.
Now, you can memorize this, keep it in a physical notebook, store it in a password manager, or whatever. It has its drawbacks, of course, since that information can be obtained by hackers, such as through an exploit against a website that stored this information.
But it also has advantages.
One of my trips, I needed to print out a ticket to a show, and that ticket existed only as a PDF file in my email account.
Now, what was I to do? I was traveling in an RV at the time, so, you know, I didn't have a printer. I didn't have a desktop computer.
So, what happens is, I went into a library, this was in Tucson, Arizona, because these days most libraries have computers for the use of the public.
I could log into my email on this computer, bring up the PDF file, and for about 10 cents, I printed it out. Problem solved.
With a passkey, it's a little bit different. With the passkey, I'm supposed to hit the log in for the site, and the site will then send me a message encrypted with the public side of the key pair.
Then my private side of the key pair decrypts the message, and I'm in. I never need to enter a username or a password.
I may be asked to provide a second factor, such often like a fingerprint or face recognition, and again, you see how this is implicitly assuming a phone.
All of this works great on a phone, but I would hit a wall trying to get that print out in the library.
Now, there are, as I mentioned, multi-device passkeys, but they have to be stored in the cloud if they're going to be of any use.
So, that much should be obvious, but what kind of cloud service? The first answer is password manager.
Now, I looked up, and I've put links in the show notes to all three of these. One password, this word, bitwarden, and last pass all support the storing of multi-device passkeys.
And if you want to read up on any of those, again, link in the show notes.
Now, Apple and Google also do so in a way that is somewhat convenient, but it also involves vendor lock-in, which of course both companies love to do.
How much of a problem this is maybe debatable, since in my experience, a large number of people tend to sort themselves into one or the other ecosystem.
There may be a few people who are using iPhones and Chromebooks together, but I suspect that if you use an iPhone, you'll use a MacBook, and similarly for people in the Android Chrome ecosystem.
Now, I'm someone who has an Android phone in a Chromebook, and I know it's just much more convenient to stick within one camp. I can use all of the same apps for instance.
Now, there are definite advantages to passkeys.
Being built around encryption, they are inherently safer.
We recently discussed the hack of last pass that gave hackers access to people's password vaults.
Those vaults are encrypted, of course, but this is an arms race. What served as good encryption five years ago is now a lot weaker as the technology of decryption has advanced.
But if you had passkeys in your last pass account, decrypting the vault is only the very first hurdle. All of the passkeys themselves would then have to be decrypted.
And in the scenario they were designed for, they are definitely very convenient to illustrate. Right now, if I go to a website on my phone, I have to put in a username and a password.
Now, I may remember the username, I don't always, but let's assume I do.
But being security conscious, I have created long strong and random passwords, like the one I started this episode with.
So that means I have to use my password manager.
But it seems that whenever this comes up for me, my password manager, which is last pass, is not already open.
So I have to use my last pass password to unlock my password vault.
So that has to be one that I've memorized.
But I have set up two factor authentication for added security, and that is also on my phone.
So the first thing last pass is going to do is hand me go to another app to get my two factor authentication code, copy it, and return the last pass to paste it in.
And then if everything went well, I might be able to log into that website.
With pass keys, if I'm logged into my phone, whether by my fingerprint, face recognition or a pin code, the pass key automatically logs me in.
It really could not be simpler.
Another benefit of pass keys. There are no shared secrets.
Many websites do not handle passwords the right way.
To illustrate, a fundamental property of good encryption is that the hashed binary blob created bears no traceable resemblance to the input.
But how many times have you encountered a site that says certain characters are not allowed in a password?
To me, that is a strong indication that they are not hashing the passwords, which means there are definite security problems with the site.
And that is frequently the case when you hear stories about a site getting attacked and millions of passwords getting stolen.
It's to why that happens, you know, sometimes the answer is, well, it's legacy systems, or I think as often as not security is just not something companies care about.
With pass keys, there is nothing shared.
The website only has the public side of the key pair, and that was always intended to be publicly accessible.
People print public keys on their websites so that other people can communicate with them securely.
So the hackers are welcome to it. It's useless to them. Your private key is still with you.
Now, pass keys are getting pushed strongly by Fido and the major internet companies, so we're definitely headed in a direction like this, but there's still a lot of obstacles.
When you bring in corporate accounts, it gets even hairier. For instance, does your pass key to a corporate account live in your password manager, or other online account?
Or in a corporate supplied wallet? And what if one of your private pass keys, like, say, Facebook gets added to the corporate wallet?
There's still a lot of issues to work through here, and our support lines ready for calls from people who lost their pass keys.
That's a different kettle of fish from resetting your password.
In a scenario like this, dropping your phone in the toilet could mean a lot more than you're just out of pile of cash. It could mean you are locked out if every account you have.
Now, for this reason, even the places that support pass keys generally support user name and password as a backup.
Right now, for an individual user, what I plan to do, and what I recommend to people, is to use a password manager, configure it to be secure, have long strong passwords, and employ two-factor authentication. That's still pretty good security.
Now, when I say configure it to be secure, I've already discussed this in the context of last pass, which is what I use.
In other words, you can't just sign up to a password manager and say, okay, I've solved that problem.
What I do with last pass, I dug into the documentation and figured out, oh, I can start making changes to the default.
Every change you make to the default increases your security. I can do things like say, how many rounds of encryption it's going to take to encrypt my file and stuff like that.
Getting away from the default multiplies your security, but you've got to actually take the effort to get in there and figure some of that stuff out.
Anyway, this is Ahuka for Hacker Public Radio, signing off, and is always encouraging you to support free software. Bye-bye.
You have been listening to Hacker Public Radio at HackerPublicRadio.org. Today's show was contributed by a HBR listener like yourself.
If you ever thought of recording podcasts, then click on our contribute link to find out how easy it leads.
Hosting for HBR has been kindly provided by an honesthost.com, the internet archive, and our sings.net.
On this advice status, today's show is released under Creative Commons Attribution 4.0 International License.
Reference in New Issue View Git Blame Copy Permalink