Replying to Avatar semisol

At its core it’s actually just an extension of the FIDO specification, with now “resident” credentials.

Security keys have no memory. What actually happens is the website sends you back a list of possible security keys, and the encrypted version of the private key. The security key decrypts it and signs with it.

With resident credentials, the security key keeps track of which sites etc. the key was registered on, and when you go to example.com it can tell you “would you like to log in with x account”

That and “emulated” security keys, which use the TEE/TPM/SE in your phone or desktop
Avatar
frphank 5mo ago

Security keys very much do have memory and the memory does keep the per website key.

Passkeys do not just allow "password-less" login, much more they all "username-less" login.

If the web site had to send the encrypted private key it would have to know at least the username to send the correct private key.

Reply to this note

Please Login to reply.

Discussion

Avatar
frphank 5mo ago

Example: "Up to 100 discoverable credentials"

There's your memory.

https://support.yubico.com/hc/en-us/articles/360013656980-YubiKey-5-NFC

Avatar
semisol 5mo ago

What I meant there was security keys before resident credentials. The paragraph after that explains it.