
Passkeys are built on the WebAuthentication (or "WebAuthn") standard, which uses public key cryptography. During account registration, the operating system creates a unique cryptographic key pair to associate with an account for the app or website. These keys are generated by the device, securely and uniquely, for every account. One of these keys is public, and is stored on the server. The other key is private, and is what is needed to actually sign in. The server never learns what the private key is. On Apple devices with Touch ID or Face ID available, they can be used to authorize use of the passkey, which then authenticates the user to the app or website. No shared secret is transmitted, and the server does not need to protect the public key.

This makes passkeys very strong, easy-to-use credentials that are highly phishing-resistant. And platform vendors have worked together within the FIDO Alliance to make sure that passkey implementations are compatible cross-platform and can work on as many devices as possible.

Passkey synchronization provides convenience and redundancy in case of loss of a single device. However, it's also important that passkeys be recoverable even in the event that all associated devices are lost. Passkeys can be recovered through iCloud Keychain escrow, which is also protected against brute-force attacks, even by Apple. iCloud Keychain escrows a user's keychain data with Apple without allowing Apple to read the passwords and other data it contains.
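The registration and sign-in flow described above (key pair generated on the device, only the public key kept by the server, a fresh server challenge signed with the private key), as an added Go example that is not Apple's code or a WebAuthn implementation. The `Device`/`Server` types, `Register`/`Authenticate` functions and the simplified rpID-plus-challenge binding are assumptions made for illustration; it also shows why a lookalike origin cannot reuse the signature, which is where the phishing resistance comes from.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Device holds the private key; for a real passkey it never leaves the authenticator.
type Device struct{ priv *ecdsa.PrivateKey }

// Server stores only the account's public key (not a secret) and its own rpID.
type Server struct {
	rpID string
	pub  *ecdsa.PublicKey
}

// Register models account creation: the device generates a fresh P-256 key pair
// and the server keeps only the public half (assumed API, not Apple's).
func Register(rpID string) (*Device, *Server, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, &Server{rpID: rpID, pub: &priv.PublicKey}, nil
}

// digest binds a signature to the relying party and a fresh server challenge
// (a simplification of WebAuthn's rpIdHash || hash(clientDataJSON)).
func digest(rpID string, challenge []byte) []byte {
	rp := sha256.Sum256([]byte(rpID))
	sum := sha256.Sum256(append(rp[:], challenge...))
	return sum[:]
}

// Authenticate models a sign-in: the server sends a random challenge, the device
// (after Touch ID / Face ID consent, not modelled) signs it for the origin the browser
// reports, and the server verifies with the stored public key against its own rpID.
func Authenticate(d *Device, s *Server, origin string) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, d.priv, digest(origin, challenge))
	if err != nil {
		return false, err
	}
	return ecdsa.VerifyASN1(s.pub, digest(s.rpID, challenge), sig), nil
}
```

A signature produced for a lookalike origin such as `examp1e.com` fails verification at the real server because the relying party identifier is part of the signed data, and nothing the server stores would let it forge a sign-in itself.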
