Episode 0: Passkeys

Show Notes

Show notes:

There are many scams, some to get your password(s), some just for money.  Here's a sample list: https://www.experian.com/blogs/ask-experian/the-latest-scams-you-need-to-aware-of/

Lists of login methods:

• https://testdriven.io/blog/web-authentication-methods/ 
• https://www.logintc.com/types-of-authentication/

Who implements Passkeys?

• https://www.passkeys.com/websites-with-passkey-support-sites-directory
• https://fidoalliance.org/passkeys-directory/
• https://www.keepersecurity.com/passkeys-directory/

The three things that come together to make passkeys:

• Using key pairs, like SSH: https://www.ssh.com/academy/ssh/public-key-authentication
• Biometric authentication, you're already used to it from your phone
• New User Interface "ceremonies"

Which password managers support passkeys?

• 1Password (our personal favorite)
• Bitwarden
• Dashlane
• Google Password Manager
• Keeper
• NordPass
• RoboForm

A little about password managers:

Almost any password manager is better than no password manager at all so do your research. Find the best one for you. Make sure it answers these questions:

• Does it run on all the platforms you care about?
• Does it have a pricing model you like?
• Does it use a cloud service, or not, or of your choice, in a way that you like?
• Does the password service itself have access to your keys?
• What kind of secrets can it keep?
• Passkey descriptions and implementation documents
  • The FIDO alliance: https://fidoalliance.org/passkeys/
  • Google (for developers): https://developers.google.com/identity/passkeys/developer-guides
  • Apple (for developers): https://developer.apple.com/passkeys/

Wolf's top three personal digital security recommendations

• Use a password manager (it should support passkeys).  See above.
  • Once you create a passkey for a specific service; change your previous password. The new one should be generated by your password manager and you should never use it unless you absolutely must.
• Make sure your device is secure
  • Use biometric authentication
  • Have a strong password.  Your password manager can generate one made from words.  Easy to remember; hard to guess.
  • Make sure you know how to force your device to require a password.  You can be tricked or forced to authenticate biometrically.  Law enforcement can't force you to reveal a password; and if you're careful, you can't be tricked out of it.
• Be aware of your surroundings.  Bad actors can "shoulder surf" and get your password, or cameras. It's just like the old days at the ATM.  You don't want a person right behind you to see your PIN.

Hosts:

Jim McQuillan can be reached at jam@RuntimeArguments.fm
Wolf can be reached at wolf@RuntimeArguments.fm

Follow us on Mastodon: @RuntimeArguments@hachyderm.io

Theme music:

Dawn by nuer self, from the album Digital Sky