
This is basically what passkeys are, right? Except the autogenerated password isn't even shown to the user, just stored immediately in the user’s password manager.

(I recognize that it’s a bit more involved, e.g. if I get it right, passkeys add some public key encryption to the mix to avoid sending the “password” over the wire needlessly often etc, but those are just icing on the cake as far as I’m concerned)




There is neither encryption nor a generated password involved with passkeys. Rather, your device generates a private key and stores it in your password manager - and only the public key is sent to the server.

When you log in later, the server uses an API to give your client a random unique challenge (just some bytes), you unlock and approve and the pwm signs some stuff including the challenge and sends the signature back. The server verifies with the public key, and is satisfied because only your private key could’ve generated that signature.

But you are exactly right - this is detail and the UX is essentially the same as having the pwm generate random passwords that you never get to see or copy.
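The challenge/response flow described in this comment, as an added example written for this page rather than taken from the thread or from any passkey implementation: the server keeps only the public key, hands out a random one-time challenge, and checks the signature against its own origin, which is the property behind the phishing-resistance point raised further down. It assumes Ed25519 keys and collapses the real WebAuthn signed data (authenticator data carrying the RP ID hash, plus a hash of the client data that carries challenge and origin) into a simple origin||challenge message; Server, NewServer, Register, Challenge, ClientSign and Verify are names invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server is the relying party: it stores only public keys and unanswered challenges.
type Server struct {
	Origin  string                       // the site the credential is bound to
	pubKeys map[string]ed25519.PublicKey // credential id -> public key
	pending map[string][]byte            // credential id -> challenge awaiting a reply
}

func NewServer(origin string) *Server {
	return &Server{origin, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// Register keeps the public half of the client's key pair; the private half never leaves the client.
func (s *Server) Register(credID string, pub ed25519.PublicKey) { s.pubKeys[credID] = pub }

// Challenge issues 32 fresh random bytes and remembers them so each can be answered only once.
func (s *Server) Challenge(credID string) []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read does not fail in current Go releases
	s.pending[credID] = c
	return c
}

// ClientSign is the authenticator side (simplified): it signs the challenge bound to the origin it sees.
func ClientSign(priv ed25519.PrivateKey, origin string, challenge []byte) []byte {
	return ed25519.Sign(priv, append([]byte(origin+"\x00"), challenge...))
}

// Verify checks the signature with the stored key and the server's OWN origin, not whatever
// origin the client saw, then discards the challenge so the same signature cannot be replayed.
func (s *Server) Verify(credID string, sig []byte) bool {
	pub, ok := s.pubKeys[credID]
	challenge, pend := s.pending[credID]
	delete(s.pending, credID)
	return ok && pend && ed25519.Verify(pub, append([]byte(s.Origin+"\x00"), challenge...), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer("https://example.test")
	srv.Register("cred-1", pub)
	sig := ClientSign(priv, srv.Origin, srv.Challenge("cred-1"))
	fmt.Println("genuine login accepted:", srv.Verify("cred-1", sig)) // true
}
```

A signature produced for a look-alike origin, a replayed signature, or one made with a different key all fail Verify, while the private key is never sent anywhere.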


There isn't encryption involved? I mean how can you use public and private keys without encryption?

Anyways yes, I agree otherwise. That said for all intents and purposes, the private key is a password. It’s the thing you store that gives you access to the service. That it’s not transmitted, but instead the whole public key / challenge response dance is done, is IMO sufficiently well summarized as “well, it’s a special kind of autogenerated password, which can’t be insecurely transmitted or badly stored by the service”.

If we really want people to adopt passkeys we gotta begin talking about them in terms people understand. I consider myself pretty tech savvy and it took me like 6 articles until I finally grokked that a passkey is just an autogenerated password (plus some free automatic bonus security that doesn’t affect my UX)


> how can you use public and private keys without encryption

Signing is different from encrypting.

https://en.wikipedia.org/wiki/Digital_Signature_Algorithm

And yes, 100% agree we can do better in terms of explaining passkeys. The hardest part is that different audiences require such different approaches.


Important to emphasize that passkeys are phishing resistant. Unlike passwords that allow you to copy and paste them to a website (hmm, auto complete isn’t working on this broken website, I can just go find it and paste it in — boom phished).


A password can be stored offline without any electronic device or even be memorized only.

Passkey depends on your device.


While you can't memorize it (memorizing a fair amount of entropy would take an intelligent human quite some time), you can of course store them offline (it's just a key). Today's initial implementation on macOS restricts exporting, but that is supposed to be added according to reliable Apple devs: https://hachyderm.io/@rmondello/110329118270492669


>you can of course store them offline

>Today's initial implementation on macOS restricts exporting,

So you can't. Will be able. How long can Tesla owners earn money with their self-driving Tesla?

If you can export and import them, isn't that a security risk?


> memorizing a fair amount of entropy would take an intelligent human quite some time

Everyone who has seen it remembers correct horse battery staple, and intelligent humans find it relatively straightforward to reroll diceware until they can imagine a story for the words they see.

Permute case, use symbols and digits as word dividers, and most HN readers can remember 'uncrackable' amounts of entropy.



