Passkeys are rapidly gaining traction as a revolutionary authentication method. Featured prominently at W3C TPAC 2022, they've integrated into Safari 16, macOS, iOS, and are poised to become the standard for password managers like 1Password. Already supported on Android, future releases will bring passkey functionality to Chrome OS and Windows.
While often overlooked in the front-end community, passkeys' impact on user experience, particularly concerning authentication and form processing, is undeniable. This article explores passkeys and the WebAuthn API, offering a comprehensive understanding of this emerging technology.
Navigating the world of passkeys requires familiarity with specific terminology. Let's clarify some key concepts:
Before discussing passkeys, we must understand WebAuthn (FIDO2). Passkeys build upon WebAuthn, leveraging public key cryptography to replace passwords. A security device (hardware key or TPM) generates private and public keys.
The public key is openly accessible, while the private key remains securely stored on the generating device. A key limitation of WebAuthn was device dependency; losing the device meant losing access. Passkeys address this through cloud synchronization, enabling access across multiple devices. However, it's important to note that single-device credentials also exist.
Currently, iOS, macOS, and Android offer comprehensive support for cloud-synced passkeys, although browser compatibility remains a factor. Google Password Manager and Apple iCloud Keychain facilitate synchronization.
Public key cryptography employs signing. Data is processed using a private key via a signing algorithm, and then verified using the public key. Anyone can generate a key pair, but only the private key can create a signature verifiable with the corresponding public key. This signature replaces the password. The server stores the public key, and authentication involves verifying possession of the private key by signing a random challenge.
This approach eliminates the risks associated with password breaches. If a database is compromised, only public keys are exposed, rendering them useless to attackers. Forgotten passwords become a thing of the past, as browsers remember credentials, simplifying login processes. Biometrics or PINs can enhance security.
Public key cryptography utilizes private and public key pairs. Encryption uses the recipient's public key, ensuring only the recipient's private key can decrypt. This provides confidentiality. Authenticity is ensured through signing and verification. The sender's private key signs a message hash, verifiable only with the sender's public key.
Access requires key generation and storage, often facilitated by an authenticator (hardware or software). Software authenticators might use a TPM or secure enclave, while hardware authenticators include devices like YubiKeys.
The Client to Authenticator Protocol (CTAP) provides an interface for accessing authenticators via various methods (NFC, USB, Bluetooth). A unique feature is using a phone (via Bluetooth) as an authenticator for devices lacking native passkey support.
Passkeys (multi-device) differ from WebAuthn keys (single-device) in storage and login processes. WebAuthn requires a user handle and an allowCredentials list, while passkeys utilize the server's domain name to identify associated keys, streamlining the login process. Cryptographically, they are essentially identical.
Both WebAuthn and passkey generation involve receiving a server challenge and using navigator.credentials.create to generate a key pair. The public key is sent to the server. Login uses navigator.credentials.get to sign a new challenge, which is then verified by the server.
Passkey usage involves attestation (registration) and assertion (login) phases.
navigator.credentials.create is central to attestation. Options specify the desired key pair:
// ... (code snippet for PublicKeyCredentialCreationOptions) ...
The response includes the public key and clientDataJSON (containing type, challenge, and origin). The server validates this data and stores the public key, ID, and optionally the attestationObject and COSE algorithm.
navigator.credentials.get handles assertion.
// ... (code snippet for PublicKeyCredentialRequestOptions) ...
The response includes the signature and authenticatorData (containing the origin hash and signCount). The server verifies the signature, clientDataJSON, and signCount for authentication.
Current limitations include limited operating system support (particularly Windows and Linux) and lack of interoperability between Google and Apple's passkey platforms.
Widespread operating system adoption will drive increased usage. Password managers will integrate passkey support, and native support on Android and iOS will further solidify their position. Passkeys promise a passwordless future, enhancing security and user experience.
The above is the detailed content of Passkeys: What the Heck and Why?. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
