https://community.isc2.org/t5/Welcome/Password-LESS-Era/m-p/75744#M2771 <BLOCKQUOTE><HR /><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/933057045">@cosminm</a>&nbsp;wrote:<BR /><P>... passkey access relies on a simple 12345 PIN &nbsp;</P></BLOCKQUOTE><P>The PIN is local to the device, greatly shrinking the attack surface and making it trivial to level-up to a more secure credential after too many failed attempts.&nbsp; Similar to how your phone requires a password instead of pin/face-ID after a reboot.</P><P>&nbsp;</P><P>The real beauty of passkeys is that they rely on public-key cryptography, rather than a user-chosen shared-secret.&nbsp; This offers a bunch of benefits:</P><P>&nbsp;</P><OL><LI>Users do not have the opportunity to use the same password across multiple sites, nor can they chose weak passwords.</LI><LI>It frees users from <A href="https://pages.nist.gov/800-63-3/sp800-63b.html#appA" target="_blank" rel="noopener">ineffective</A>&nbsp;and inconsistent password complexity rules.</LI><LI>The private key is not transmitted over the Internet, making it impractical for an adversary-in-the-middle to harvest credentials for later use.</LI><LI>The private key is never on the (web-) server, rendering its account database an insufficient place to steal credentials.</LI><LI>The passkey itself is "something you have", meaning that if access to the passkey is protected by a PIN, password or biometrics, one has achieved multi-factor-authentication.&nbsp;</LI><LI>The private key can be stored in hardware, making the passkey compliant with <A href="https://pages.nist.gov/800-63-3/sp800-63b.html#sec4:~:text=4.3%20Authenticator%20Assurance%20Level%203" target="_blank" rel="noopener">AAL3</A>, NIST's strongest authentication level.</LI></OL> Thu, 19 Dec 2024 16:59:19 GMT denbesten 2024-12-19T16:59:19Z https://community.isc2.org/t5/Welcome/Password-LESS-Era/m-p/58248#M2319 <P>With the daily familiarity in the use of fingerprint login method, do you think the use of password as a login method will be eradicated completely in nearest future?</P> Mon, 09 Oct 2023 10:29:25 GMT https://community.isc2.org/t5/Welcome/Password-LESS-Era/m-p/58248#M2319 Agunlex 2023-10-09T10:29:25Z https://community.isc2.org/t5/Welcome/Password-LESS-Era/m-p/58249#M2320 <P>"the daily familiarity in the use of fingerprint login method"<BR /><BR />what's that??&nbsp; I don't use that and never have.<BR /><BR />Everything I access wants a password and often a secure code (texted or from an app).</P><P>&nbsp;</P><P>So, yeah, I don't think passwords are going away in the short term.&nbsp; Maybe at some point.</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 03 Apr 2023 15:25:30 GMT https://community.isc2.org/t5/Welcome/Password-LESS-Era/m-p/58249#M2320 emb021 2023-04-03T15:25:30Z https://community.isc2.org/t5/Welcome/Password-LESS-Era/m-p/58714#M2325 <P>You can hear a lot of voices on the internet praising passkeys as the future and the end of all/most passwords. As longs as they are seen as secure, I suppose.</P> Wed, 26 Apr 2023 09:11:18 GMT https://community.isc2.org/t5/Welcome/Password-LESS-Era/m-p/58714#M2325 dschimanski 2023-04-26T09:11:18Z https://community.isc2.org/t5/Welcome/Password-LESS-Era/m-p/75709#M2769 <P>Agreed. Then you realise for Microsoft passkey access relies on a simple 12345 PIN that people usually set (for convenience), at which point the whole security crumbles <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 17 Dec 2024 17:17:04 GMT https://community.isc2.org/t5/Welcome/Password-LESS-Era/m-p/75709#M2769 cosminm 2024-12-17T17:17:04Z https://community.isc2.org/t5/Welcome/Password-LESS-Era/m-p/75744#M2771 <BLOCKQUOTE><HR /><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/933057045">@cosminm</a>&nbsp;wrote:<BR /><P>... passkey access relies on a simple 12345 PIN &nbsp;</P></BLOCKQUOTE><P>The PIN is local to the device, greatly shrinking the attack surface and making it trivial to level-up to a more secure credential after too many failed attempts.&nbsp; Similar to how your phone requires a password instead of pin/face-ID after a reboot.</P><P>&nbsp;</P><P>The real beauty of passkeys is that they rely on public-key cryptography, rather than a user-chosen shared-secret.&nbsp; This offers a bunch of benefits:</P><P>&nbsp;</P><OL><LI>Users do not have the opportunity to use the same password across multiple sites, nor can they chose weak passwords.</LI><LI>It frees users from <A href="https://pages.nist.gov/800-63-3/sp800-63b.html#appA" target="_blank" rel="noopener">ineffective</A>&nbsp;and inconsistent password complexity rules.</LI><LI>The private key is not transmitted over the Internet, making it impractical for an adversary-in-the-middle to harvest credentials for later use.</LI><LI>The private key is never on the (web-) server, rendering its account database an insufficient place to steal credentials.</LI><LI>The passkey itself is "something you have", meaning that if access to the passkey is protected by a PIN, password or biometrics, one has achieved multi-factor-authentication.&nbsp;</LI><LI>The private key can be stored in hardware, making the passkey compliant with <A href="https://pages.nist.gov/800-63-3/sp800-63b.html#sec4:~:text=4.3%20Authenticator%20Assurance%20Level%203" target="_blank" rel="noopener">AAL3</A>, NIST's strongest authentication level.</LI></OL> Thu, 19 Dec 2024 16:59:19 GMT https://community.isc2.org/t5/Welcome/Password-LESS-Era/m-p/75744#M2771 denbesten 2024-12-19T16:59:19Z