Episode 151 - GluuFederation/identerati-office-hours GitHub Wiki

Title: Dashlane: Stronger Logins with FIDO2 Security Keys

Channels

Description

Passkeys are taking off and we're seeing more and more services adopt them. Unlike passwords, passkeys require software, and that software is a password manager, either one shipping with the OS/browser or a 3rd party one. But what protects the passkey provider itself? Is it protected with phishing-resistant credentials?

Homework

Takeaways

  • ⚡ Isn't it hypocritical to protect all your phishing-resistant passkeys with a "master password"? And yet, most of the passkey providers out there (e.g. Google Chrome, iCloud Keychain) use a password or other phishable credentials to do just that.

  • ⚡ Dashlane's innovation is to use the passkey PRF (Pseudo Random Function) extension to generate symmetric keys during the passkey ceremony. Dashlane uses these symmetric keys for vault encryption. Most hardware security keys already support PRF. Synced passkey providers (e.g. Google, Apple, Dashlane...) don't support PRF yet.

  • ⚡ Hardware security keys are a simple solution with a predictable user experience and well-known security characteristics. They even provide a simple way to handle end-of-life advanced directives, e.g. "open this envelope, the PIN is 1234".

  • ⚡ Wallets like those developed by the Siros Foundation also use the passkey PRF extension for wallet creation. What works for passkey vaults works for wallets too!

Livestream Audio Archive

here