• Explain it to me, please: Pass Codes

    From Nick Odell@nickodell49@yahoo.ca to uk.d-i-y on Mon Apr 27 16:01:51 2026
    From Newsgroup: uk.d-i-y

    In order to make sure that I can continue to talk to banks, on-line
    services etc into the future, I'm slowly migrating certain stuff from
    my very old and very out-of-date hardware. (Updating stuff? <fx:
    uk.d-i-y readers all check the headers to see if this is really Nick
    writing>)

    Please, jump in right away when you see I've got the wrong idea about
    pass codes but it's being presented to me as a way that your software
    remembers a very long string which it offers to a contact when you try
    to connect with them in place of a smaller, more crackable password.

    More and more I'm being told I ought to use a pass code in place of a
    password. I'm concerned that further down the line there may not be
    any choice anyway.

    Does the pass code replace the password altogether or does it become
    an alternative way of proving your identity? What does the recipient
    see? If I log onto a service from more than one machine at more than
    one location (I often do) do they each store the same pass codes or
    does the recipient have some way of recognising the different entries
    as being from the same user account?

    Is there a nice, handy words-of-one-syllable-or-less Dummies Guide to
    the pass code somewhere on line that you could point me to?

    Many thanks,

    Nick

    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From David Wade@dave@g4ugm.invalid to uk.d-i-y on Mon Apr 27 17:33:24 2026
    From Newsgroup: uk.d-i-y

    On 27/04/2026 17:01, Nick Odell wrote:
    In order to make sure that I can continue to talk to banks, on-line
    services etc into the future, I'm slowly migrating certain stuff from
    my very old and very out-of-date hardware. (Updating stuff? <fx:
    uk.d-i-y readers all check the headers to see if this is really Nick writing>)

    Please, jump in right away when you see I've got the wrong idea about
    pass codes but it's being presented to me as a way that your software remembers a very long string which it offers to a contact when you try
    to connect with them in place of a smaller, more crackable password.


    I think you mean passkey...

    More and more I'm being told I ought to use a pass code in place of a password. I'm concerned that further down the line there may not be
    any choice anyway.

    Does the pass code replace the password altogether or does it become
    an alternative way of proving your identity? What does the recipient
    see? If I log onto a service from more than one machine at more than
    one location (I often do) do they each store the same pass codes or
    does the recipient have some way of recognising the different entries
    as being from the same user account?


    It's usually an alternative to passwords.

    It uses a public/private key pair, a different pair for each user. So
    the server has a public key, you have a private key. When you logon to a
    web site the server sends you a challenge phrase. Your "device" asks you
    to verify yourself, and if you do so it signs the challenge phrase with
    your private key and sends it to the server. Only someone with the
    private key can do this.

    If you want to logon from more than one location then it's usual to use
    the cloud to sync the locations, so sign into Windows with a Microsoft
    account, they get synced.


    Is there a nice, handy words-of-one-syllable-or-less Dummies Guide to
    the pass code somewhere on line that you could point me to?


    Not really; because they rely on public/private keys I think it's hard to explain.

    https://www.passkeys.com/index.html

    has some info


    Many thanks,

    Nick

    Dave
    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From Nick Finnigan@nix@genie.co.uk to uk.d-i-y on Mon Apr 27 19:12:30 2026
    From Newsgroup: uk.d-i-y

    On 27/04/2026 16:01, Nick Odell wrote:

    Is there a nice, handy words-of-one-syllable-or-less Dummies Guide to
    the pass code somewhere on line that you could point me to?

    Pass code or passkey?

    (I ask because when trying to log in to my ISP I've just been forced to
    give an email address to receive a pass code (6 digit number, valid for 20 minutes); and then a landline or mobile phone number for another passcode;
    and their landline rang but did not manage to give me a passcode; so give
    them a mobile number and get a text with another passcode (6 digit number, valid for 20 minutes). And then I get a text reading "You've successfully enabled 2FA. If you didn't ask for this please call ... ". )
    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From Andy Burns@usenet@andyburns.uk to uk.d-i-y on Mon Apr 27 19:13:49 2026
    From Newsgroup: uk.d-i-y

    Nick Odell wrote:

    Please, jump in right away when you see I've got the wrong idea about
    pass codes but it's being presented to me as a way that your software remembers a very long string which it offers to a contact when you try
    to connect with them in place of a smaller, more crackable password.

    Humans are bad at picking passwords, they either use the same/similar
    ones everywhere, or make them easy to remember/guess/brute-force.

    So the idea of passcodes is to make the device generate long random
    passwords per website, store them in such a way they are protected by fingerprint, or face recognition (either on the same device or on a
    companion device) or at a push, just by a PIN.

    More and more I'm being told I ought to use a pass code in place of a password. I'm concerned that further down the line there may not be
    any choice anyway.

    Given that they're better you shouldn't be too afraid if that is the future.

    Does the pass code replace the password altogether or does it become
    an alternative way of proving your identity?

    At the moment they don't replace, so e.g. if my laptop has a passcode
    for amazon that requires me to touch a fingerprint sensor, I can still
    logon to amazon from A.N.Other computer using my password instead of the
    passcode. If I have two laptops, each of them can have a separate
    passcode for amazon, no need to sync between them.

    What does the recipient see?
    Nothing. Well, nothing other than cryptographic proof that your computer
    has the private bit of the passcode that was previously sent to you
    by them, and matches the public bit they kept. Because amazon only sees
    their own private bit, they can't even accidentally leak anything that
    might be useful for a bent amazon employee to login to your ebay account
    with.

    If I log onto a service from more than one machine at more than
    one location (I often do) do they each store the same pass codes or
    does the recipient have some way of recognising the different entries
    as being from the same user account?

    The passcodes are per website, per user account, per client device.

    Is there a nice, handy words-of-one-syllable-or-less Dummies Guide to
    the pass code somewhere on line that you could point me to?
    Beware, several sites trying to explain passcodes are actually just
    explaining PINs.

    The "problem" [TINP] with passcodes is that they're being pushed onto
    people, with very little explanation, on the basis that Joe Public won't understand, so don't bother explaining.

    I will admit the first time Amazon in their sneaky bastard way tricked
    me into creating a passcode without realising I'd done it, I was upset
    at being tricked and deleted it, I've since purchased a hardware
    fingerprint token and recreated a new passcode using it.


    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From jkn@jkn+nin@nicorp.co.uk to uk.d-i-y on Mon Apr 27 20:32:50 2026
    From Newsgroup: uk.d-i-y

    On 27/04/2026 19:13, Andy Burns wrote:
    Nick Odell wrote:

    Please, jump in right away when you see I've got the wrong idea about
    pass codes but it's being presented to me as a way that your software
    remembers a very long string which it offers to a contact when you try
    to connect with them in place of a smaller, more crackable password.

    Humans are bad at picking passwords, they either use the same/similar
    ones everywhere, or make them easy to remember/guess/brute-force.

    So the idea of passcodes is to make the device generate long random passwords per website, store them in such a way they are protected by fingerprint, or face recognition (either on the same device or on a companion device) or at a push, just by a PIN.

    More and more I'm being told I ought to use a pass code in place of a
    password. I'm concerned that further down the line there may not be
    any choice anyway.

    Given that they're better you shouldn't be too afraid if that is the
    future.

    Does the pass code replace the password altogether or does it become
    an alternative way of proving your identity?

    At the moment they don't replace, so e.g. if my laptop has a passcode
    for amazon that requires me to touch a fingerprint sensor, I can still
    logon to amazon from A.N.Other computer using my password instead of the passcode, if I have two laptops, each of them can have a separate
    passcode for amazon, no need to sync between them.

    What does the recipient see?
    Nothing. Well, nothing other than cryptographic proof that your computer
    has the private bit of the passcode that was previously sent to you
    by them, and matches the public bit they kept. Because amazon only sees
    their own private bit, they can't even accidentally leak anything that
    might be useful for a bent amazon employee to login to your ebay account
    with.

    If I log onto a service from more than one machine at more than
    one location (I often do) do they each store the same pass codes or
    does the recipient have some way of recognising the different entries
    as being from the same user account?

    The passcodes are per website, per user account, per client device.

    Is there a nice, handy words-of-one-syllable-or-less Dummies Guide to
    the pass code somewhere on line that you could point me to?
    Beware, several sites trying to explain passcodes are actually just explaining PINs.

    The "problem" [TINP] with passcodes is that they're being pushed onto people, with very little explanation, on the basis that Joe Public won't understand, so don't bother explaining.

    I will admit the first time Amazon in their sneaky bastard way tricked
    me into creating a passcode without realising I'd done it, I was upset
    at being tricked and deleted it, I've since purchased a hardware
    fingerprint token and recreated a new passcode using it.



    This article (well, the comments, really) from TheRegister make some
    good points...

    <https://www.theregister.com/2025/12/06/multifactor_authentication_passkeys/>


    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From RJH@patchmoney@gmx.com to uk.d-i-y on Tue Apr 28 04:26:32 2026
    From Newsgroup: uk.d-i-y

    On 27 Apr 2026 at 16:01:51 BST, Nick Odell wrote:

    In order to make sure that I can continue to talk to banks, on-line
    services etc into the future, I'm slowly migrating certain stuff from
    my very old and very out-of-date hardware. (Updating stuff? <fx:
    uk.d-i-y readers all check the headers to see if this is really Nick
    writing>)

    Please, jump in right away when you see I've got the wrong idea about
    pass codes but it's being presented to me as a way that your software remembers a very long string which it offers to a contact when you try
    to connect with them in place of a smaller, more crackable password.

    More and more I'm being told I ought to use a pass code in place of a password. I'm concerned that further down the line there may not be
    any choice anyway.

    Does the pass code replace the password altogether or does it become
    an alternative way of proving your identity? What does the recipient
    see? If I log onto a service from more than one machine at more than
    one location (I often do) do they each store the same pass codes or
    does the recipient have some way of recognising the different entries
    as being from the same user account?

    Is there a nice, handy words-of-one-syllable-or-less Dummies Guide to
    the pass code somewhere on line that you could point me to?


    Don't think the 'how' is that simple - the 'what' passkeys are is a simpler, easier and more secure way of logging in to apps and web sites. The big difference to 2FA and plain old user names and passwords is that it adds a device only you use in that moment of logging on (typically a phone or computer) as an extra layer of security. IIUC - probably not :-) . . .

    I found this to be a decent summary:

    https://www.theguardian.com/technology/2026/apr/24/what-is-a-passkey-how-does-it-work-and-why-is-it-better-than-a-password?CMP=share_btn_url
    --
    Cheers, Rob
    Sheffield, UK
    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From Chris Hogg@me@privacy.net to uk.d-i-y on Tue Apr 28 10:17:33 2026
    From Newsgroup: uk.d-i-y

    The older I get, the more complicated life becomes. Bring back postal
    orders, I say!
    --

    Chris
    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From Davey@davey@example.invalid to uk.d-i-y on Tue Apr 28 10:44:30 2026
    From Newsgroup: uk.d-i-y

    On Tue, 28 Apr 2026 10:17:33 +0100
    Chris Hogg <me@privacy.net> wrote:

    The older I get, the more complicated life becomes. Bring back postal
    orders, I say!


    How about Traveller's Cheques? Or do they still exist?
    All this Passcode stuff, it seems to assume your PC has fingerprint or eye-scanning devices. What if it doesn't? Bear in mind I don't have a
    'smart' phone, I have a PC and a mobile 'phone.
    --
    Davey.

    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From Andy Burns@usenet@andyburns.uk to uk.d-i-y on Tue Apr 28 10:48:57 2026
    From Newsgroup: uk.d-i-y

    Davey wrote:

    All this Passcode stuff, it seems to assume your PC has fingerprint or eye-scanning devices.

    It doesn't require it, just works better if you have it, if not you can
    enter a PIN instead of using biometrics.

    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From nib@news@ingram-bromley.co.uk to uk.d-i-y on Tue Apr 28 11:06:21 2026
    From Newsgroup: uk.d-i-y

    On 2026-04-28 10:48, Andy Burns wrote:
    Davey wrote:

    All this Passcode stuff, it seems to assume your PC has fingerprint or
    eye-scanning devices.

    It doesn't require it, just works better if you have it, if not you can enter a PIN instead of using biometrics.


    Maybe I'm not getting it, but it seems to me that the passkey validates if:

    a) You have access to the private cryptographic key for that site,
    account and user, and
    b) You have access to the device it is paired with, and
    c) You have the unlock code for that device.

    With a different private key for each device you use to access that account.

    nib
    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From The Natural Philosopher@tnp@invalid.invalid to uk.d-i-y on Tue Apr 28 11:14:00 2026
    From Newsgroup: uk.d-i-y

    On 28/04/2026 10:17, Chris Hogg wrote:
    The older I get, the more complicated life becomes. Bring back postal
    orders, I say!

    Actually I get on just fine with password, key sent to my phone as a
    text or pin sentry.

    beats writing out a cheque every time
    --
    "In our post-modern world, climate science is not powerful because it is
    true: it is true because it is powerful."

    Lucas Bergkamp

    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From The Natural Philosopher@tnp@invalid.invalid to uk.d-i-y on Tue Apr 28 11:15:14 2026
    From Newsgroup: uk.d-i-y

    On 28/04/2026 10:48, Andy Burns wrote:
    Davey wrote:

    All this Passcode stuff, it seems to assume your PC has fingerprint or
    eye-scanning devices.

    It doesn't require it, just works better if you have it, if not you can enter a PIN instead of using biometrics.

    My phone isn't even locked.
    Horrid thing
    --
    "In our post-modern world, climate science is not powerful because it is
    true: it is true because it is powerful."

    Lucas Bergkamp

    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From Andy Burns@usenet@andyburns.uk to uk.d-i-y on Tue Apr 28 11:27:55 2026
    From Newsgroup: uk.d-i-y

    nib wrote:

    Maybe I'm not getting it, but it seems to me that the passkey validates if:

    a) You have access to the private cryptographic key for that site,
    account and user, and
    b) You have access to the device it is paired with, and
    c) You have the unlock code for that device.

    With a different private key for each device you use to access that
    account.
    Sounds like you /do/ get it, why don't you think that amounts to a good
    thing?
    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From Andy Burns@usenet@andyburns.uk to uk.d-i-y on Tue Apr 28 11:30:05 2026
    From Newsgroup: uk.d-i-y

    The Natural Philosopher wrote:

    Andy Burns wrote:
    Davey wrote:

    All this Passcode stuff, it seems to assume your PC has fingerprint or
    eye-scanning devices.

    It doesn't require it, just works better if you have it, if not you
    can enter a PIN instead of using biometrics.

    My phone isn't even locked.
    Horrid thing
    The PIN doesn't have to be on your phone, it can be on your password
    manager (many of which can also act as passkey managers).
    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From Nick Odell@nickodell49@yahoo.ca to uk.d-i-y on Tue Apr 28 12:21:17 2026
    From Newsgroup: uk.d-i-y

    On Mon, 27 Apr 2026 17:33:24 +0200, David Wade <dave@g4ugm.invalid>
    wrote:

    On 27/04/2026 17:01, Nick Odell wrote:
    In order to make sure that I can continue to talk to banks, on-line
    services etc into the future, I'm slowly migrating certain stuff from
    my very old and very out-of-date hardware. (Updating stuff? <fx:
    uk.d-i-y readers all check the headers to see if this is really Nick
    writing>)

    Please, jump in right away when you see I've got the wrong idea about
    pass codes but it's being presented to me as a way that your software
    remembers a very long string which it offers to a contact when you try
    to connect with them in place of a smaller, more crackable password.


    I think you mean passkey...

    I think I do. This shows you right away the level of understanding in
    me that you are dealing with


    More and more I'm being told I ought to use a pass code in place of a
    password. I'm concerned that further down the line there may not be
    any choice anyway.

    Does the pass code replace the password altogether or does it become
    an alternative way of proving your identity? What does the recipient
    see? If I log onto a service from more than one machine at more than
    one location (I often do) do they each store the same pass codes or
    does the recipient have some way of recognising the different entries
    as being from the same user account?


    its usually an alternative to passwords.

    It uses a public/private key pair, a different pair for each user. So
    the server has a public key, you have a private key. When you logon to a
    web site the server sends you a challenge phrase. Your "device" asks you
    to verify yourself, and if you do so it signs the challenge phrase with
    your private key and sends it to the server. Only someone with the
    private key can do this.

    If you want to logon from more than one location then it's usual to use
    the cloud to sync the locations, so sign into Windows with a Microsoft
    account, they get synced.

    I know that whenever I use my bank card or bus pass the information
    goes off to The Cloud but as far as possible I try to keep all my
    personal writing, pictures, finance and stuff away from
    intermediaries' servers. I father and grandfather my backups onto
    separate external drives - originally because when these companies
    were start-ups you could never be sure when they would shut down again
    without warning. These days because you never know when somebody
    else's government is going to tell them to shut country x, y, or z
    down without warning. Paranoid, moi? I may have to think through this
    pass code thing again.


    Is there a nice, handy words-of-one-syllable-or-less Dummies Guide to
    the pass code somewhere on line that you could point me to?


    Not really; because they rely on public/private keys I think it's hard to
    explain.

    https://www.passkeys.com/index.html

    has some info

    That's very interesting. Thanks Dave.


    Nick
    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From Nick Odell@nickodell49@yahoo.ca to uk.d-i-y on Tue Apr 28 12:21:17 2026
    From Newsgroup: uk.d-i-y

    On Mon, 27 Apr 2026 19:13:49 +0100, Andy Burns <usenet@andyburns.uk>
    wrote:

    Nick Odell wrote:

    Please, jump in right away when you see I've got the wrong idea about
    pass codes but it's being presented to me as a way that your software
    remembers a very long string which it offers to a contact when you try
    to connect with them in place of a smaller, more crackable password.

    Humans are bad at picking passwords, they either use the same/similar
    ones everywhere, or make them easy to remember/guess/brute-force.

    So the idea of passcodes is to make the device generate long random
    passwords per website, store them in such a way they are protected by
    fingerprint, or face recognition (either on the same device or on a
    companion device) or at a push, just by a PIN.

    More and more I'm being told I ought to use a pass code in place of a
    password. I'm concerned that further down the line there may not be
    any choice anyway.

    Given that they're better you shouldn't be too afraid if that is the future.

    Does the pass code replace the password altogether or does it become
    an alternative way of proving your identity?

    At the moment they don't replace, so e.g. if my laptop has a passcode
    for amazon that requires me to touch a fingerprint sensor, I can still
    logon to amazon from A.N.Other computer using my password instead of the
    passcode. If I have two laptops, each of them can have a separate
    passcode for amazon, no need to sync between them.

    What does the recipient see?
    Nothing. Well, nothing other than cryptographic proof that your computer
    has the private bit of the passcode that was previously sent to you
    by them, and matches the public bit they kept. Because amazon only sees
    their own private bit, they can't even accidentally leak anything that
    might be useful for a bent amazon employee to login to your ebay account
    with.

    If I log onto a service from more than one machine at more than
    one location (I often do) do they each store the same pass codes or
    does the recipient have some way of recognising the different entries
    as being from the same user account?

    The passcodes are per website, per user account, per client device.

    Is there a nice, handy words-of-one-syllable-or-less Dummies Guide to
    the pass code somewhere on line that you could point me to?
    Beware, several sites trying to explain passcodes are actually just
    explaining PINs.

    The "problem" [TINP] with passcodes is that they're being pushed onto
    people, with very little explanation, on the basis that Joe Public won't
    understand, so don't bother explaining.

    I will admit the first time Amazon in their sneaky bastard way tricked
    me into creating a passcode without realising I'd done it, I was upset
    at being tricked and deleted it, I've since purchased a hardware
    fingerprint token and recreated a new passcode using it.

    Thanks Andy. Appreciated.

    Nick
    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From Nick Odell@nickodell49@yahoo.ca to uk.d-i-y on Tue Apr 28 12:21:17 2026
    From Newsgroup: uk.d-i-y

    On Mon, 27 Apr 2026 20:32:50 +0100, jkn <jkn+nin@nicorp.co.uk> wrote:

    On 27/04/2026 19:13, Andy Burns wrote:
    Nick Odell wrote:

    Please, jump in right away when you see I've got the wrong idea about
    pass codes but it's being presented to me as a way that your software
    remembers a very long string which it offers to a contact when you try
    to connect with them in place of a smaller, more crackable password.

    Humans are bad at picking passwords, they either use the same/similar
    ones everywhere, or make them easy to remember/guess/brute-force.

    So the idea of passcodes is to make the device generate long random
    passwords per website, store them in such a way they are protected by
    fingerprint, or face recognition (either on the same device or on a
    companion device) or at a push, just by a PIN.

    More and more I'm being told I ought to use a pass code in place of a
    password. I'm concerned that further down the line there may not be
    any choice anyway.

    Given that they're better you shouldn't be too afraid if that is the
    future.

    Does the pass code replace the password altogether or does it become
    an alternative way of proving your identity?

    At the moment they don't replace, so e.g. if my laptop has a passcode
    for amazon that requires me to touch a fingerprint sensor, I can still
    logon to amazon from A.N.Other computer using my password instead of the
    passcode, if I have two laptops, each of them can have a separate
    passcode for amazon, no need to sync between them.

    What does the recipient see?
    Nothing. Well, nothing other than cryptographic proof that your computer
    has the private bit of the passcode that was previously sent to you
    by them, and matches the public bit they kept. Because amazon only sees
    their own private bit, they can't even accidentally leak anything that
    might be useful for a bent amazon employee to login to your ebay account
    with.

    If I log onto a service from more than one machine at more than
    one location (I often do) do they each store the same pass codes or
    does the recipient have some way of recognising the different entries
    as being from the same user account?

    The passcodes are per website, per user account, per client device.

    Is there a nice, handy words-of-one-syllable-or-less Dummies Guide to
    the pass code somewhere on line that you could point me to?
    Beware, several sites trying to explain passcodes are actually just
    explaining PINs.

    The "problem" [TINP] with passcodes is that they're being pushed onto
    people, with very little explanation, on the basis that Joe Public won't
    understand, so don't bother explaining.

    I will admit the first time Amazon in their sneaky bastard way tricked
    me into creating a passcode without realising I'd done it, I was upset
    at being tricked and deleted it, I've since purchased a hardware
    fingerprint token and recreated a new passcode using it.



    This article (well, the comments, really) from TheRegister make some
    good points...

    <https://www.theregister.com/2025/12/06/multifactor_authentication_passkeys/>

    Berloimey! Those commentards at El Reg are none too keen, are they?

    Thanks,

    Nick
    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From Nick Odell@nickodell49@yahoo.ca to uk.d-i-y on Tue Apr 28 12:21:17 2026
    From Newsgroup: uk.d-i-y

    On Tue, 28 Apr 2026 04:26:32 -0000 (UTC), RJH <patchmoney@gmx.com>
    wrote:

    On 27 Apr 2026 at 16:01:51 BST, Nick Odell wrote:

    In order to make sure that I can continue to talk to banks, on-line
    services etc into the future, I'm slowly migrating certain stuff from
    my very old and very out-of-date hardware. (Updating stuff? <fx:
    uk.d-i-y readers all check the headers to see if this is really Nick
    writing>)

    Please, jump in right away when you see I've got the wrong idea about
    pass codes but it's being presented to me as a way that your software
    remembers a very long string which it offers to a contact when you try
    to connect with them in place of a smaller, more crackable password.

    More and more I'm being told I ought to use a pass code in place of a
    password. I'm concerned that further down the line there may not be
    any choice anyway.

    Does the pass code replace the password altogether or does it become
    an alternative way of proving your identity? What does the recipient
    see? If I log onto a service from more than one machine at more than
    one location (I often do) do they each store the same pass codes or
    does the recipient have some way of recognising the different entries
    as being from the same user account?

    Is there a nice, handy words-of-one-syllable-or-less Dummies Guide to
    the pass code somewhere on line that you could point me to?


    Don't think the 'how' is that simple - the 'what' passkeys are is a simpler,
    easier and more secure way of logging in to apps and web sites. The big
    difference to 2FA and plain old user names and passwords is that it adds a
    device only you use in that moment of logging on (typically a phone or
    computer) as an extra layer of security. IIUC - probably not :-) . . .

    I found this to be a decent summary:

    https://www.theguardian.com/technology/2026/apr/24/what-is-a-passkey-how-does-it-work-and-why-is-it-better-than-a-password?CMP=share_btn_url

    Thanks, Rob.

    Nick
    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From Jeff Layman@Jeff@invalid.invalid to uk.d-i-y on Tue Apr 28 13:53:48 2026
    From Newsgroup: uk.d-i-y

    On 28/04/2026 11:30, Andy Burns wrote:
    The Natural Philosopher wrote:

    Andy Burns wrote:
    Davey wrote:

    All this Passcode stuff, it seems to assume your PC has fingerprint or
    eye-scanning devices.

    It doesn't require it, just works better if you have it, if not you
    can enter a PIN instead of using biometrics.

    My phone isn't even locked.
    Horrid thing
    The PIN doesn't have to be on your phone, it can be on your password
    manager (many of which can also act as passkey managers).

    I have found passkey explanations very unclear, but came across a
    website which explains it much more clearly because it refers to the generation of *two* cryptographic keys and how they are used. From <https://www.dashlane.com/blog/what-is-a-passkey-and-how-does-it-work>:

    "In order for passkeys to work, an authenticator, such as a mobile
    device or password manager that supports passkeys, generates two
    cryptographic keys for each account you create. One key is public and
    stored on the site where you create the account, and the other is
    private and stored in your authenticator. When you sign in to your passkey-enabled account, your authenticator and the website communicate
    to authenticate your login without exchanging any actual secrets that a
    hacker could exploit."

    Isn't this a bit like how PGP works?
    --
    Jeff
    --- Synchronet 3.21f-Linux NewsLink 1.2
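As an added illustration (not code from any poster, nor from the passkey standard itself), here is a small Go model of what Dave, nib and the Dashlane text Jeff quotes describe: the site keeps one public key per account per device, the device keeps the private key and only signs a fresh challenge once it is unlocked, and the site verifies that signature. The site origin, the account "nick", the function names and the exact bytes that get signed are assumptions made for the demo; real WebAuthn signs a richer structure than this.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Server models the website ("the recipient"): it stores only public keys, one per account per device.
type Server struct {
	Origin  string
	Pubkeys map[string]ed25519.PublicKey // "account/credID" -> public key
	pending map[string][]byte            // account -> challenge awaiting a reply
}

// Authenticator models one device (laptop, phone or password manager); private keys never leave it.
type Authenticator struct {
	Name     string
	unlocked bool                          // result of the PIN/fingerprint check
	keys     map[string]ed25519.PrivateKey // credID -> private key
}

func NewServer(origin string) *Server { return &Server{origin, map[string]ed25519.PublicKey{}, map[string][]byte{}} }

func NewAuthenticator(name string) *Authenticator {
	return &Authenticator{Name: name, keys: map[string]ed25519.PrivateKey{}}
}

// Unlock is the "verify yourself" step: PIN or biometric on the device itself.
func (a *Authenticator) Unlock(ok bool) { a.unlocked = ok }

// Register makes a fresh key pair on the device for this account and hands
// only the public key to the server. A second device gets its own pair.
func (s *Server) Register(account string, a *Authenticator) (string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	raw := make([]byte, 16)
	rand.Read(raw)
	credID := fmt.Sprintf("%x", raw)
	a.keys[credID] = priv
	s.Pubkeys[account+"/"+credID] = pub
	return credID, nil
}

// BeginLogin issues a fresh random challenge, valid for one reply only.
func (s *Server) BeginLogin(account string) []byte {
	c := make([]byte, 32)
	rand.Read(c)
	s.pending[account] = c
	return c
}

// signedData is a simplified form of what WebAuthn signs: the origin the browser
// is talking to plus the challenge, so a reply for one site is useless elsewhere.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// Sign answers a challenge with the private key for credID, but only on an
// unlocked device that actually holds that key.
func (a *Authenticator) Sign(origin, credID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[credID]
	if !ok {
		return nil, errors.New(a.Name + ": no passkey for this account")
	}
	if !a.unlocked {
		return nil, errors.New(a.Name + ": user verification required")
	}
	return ed25519.Sign(priv, signedData(origin, challenge)), nil
}

// FinishLogin consumes the pending challenge (so a captured reply cannot be
// replayed) and checks the signature against the stored public key.
func (s *Server) FinishLogin(account, credID string, sig []byte) error {
	challenge, ok := s.pending[account]
	if !ok {
		return errors.New("no login in progress (replayed reply?)")
	}
	delete(s.pending, account)
	pub, ok := s.Pubkeys[account+"/"+credID]
	if !ok || !ed25519.Verify(pub, signedData(s.Origin, challenge), sig) {
		return errors.New("unknown credential or bad signature")
	}
	return nil
}

func main() {
	site := NewServer("https://shop.example") // constructed origin, not a real site
	laptop := NewAuthenticator("laptop")
	laptop.Unlock(true)
	credID, _ := site.Register("nick", laptop)
	challenge := site.BeginLogin("nick")
	sig, _ := laptop.Sign(site.Origin, credID, challenge)
	fmt.Println("login:", site.FinishLogin("nick", credID, sig))  // login: <nil>
	fmt.Println("replay:", site.FinishLogin("nick", credID, sig)) // replay: no login in progress (replayed reply?)
}
```

Note what the site ends up holding: nothing but public keys, so a copy of its database gives nobody a way to sign the next challenge, and a reply captured on the wire is rejected the second time because the challenge has already been consumed.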
  • From David Wade@dave@g4ugm.invalid to uk.d-i-y on Tue Apr 28 15:27:05 2026
    From Newsgroup: uk.d-i-y

    On 28/04/2026 14:53, Jeff Layman wrote:
    On 28/04/2026 11:30, Andy Burns wrote:
    The Natural Philosopher wrote:

    Andy Burns wrote:
    Davey wrote:

    All this Passcode stuff, it seems to assume your PC has fingerprint or
    eye-scanning devices.

    It doesn't require it, just works better if you have it, if not you
    can enter a PIN instead of using biometrics.

    My phone isn't even locked.
    Horrid thing
    The PIN doesn't have to be on your phone, it can be on your password
    manager (many of which can also act as passkey managers).

    I have found passkey explanations very unclear, but came across a
    website which explains it much more clearly because it refers to the generation of *two* cryptographic keys and how they are used. From <https://www.dashlane.com/blog/what-is-a-passkey-and-how-does-it-work>:

    "In order for passkeys to work, an authenticator, such as a mobile
    device or password manager that supports passkeys, generates two cryptographic keys for each account you create. One key is public and
    stored on the site where you create the account, and the other is
    private and stored in your authenticator. When you sign in to your passkey-enabled account, your authenticator and the website communicate
    to authenticate your login without exchanging any actual secrets that a hacker could exploit."

    Isn't this a bit like how PGP works?

    It's how almost every secure connection works; it's called public key encryption. So it's used in SSL session establishment to exchange a key
    for symmetric encryption (you could use asymmetric public/private for
    the whole session, but it's very CPU intensive).

    https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

    in PGP or S/mime to sign and encrypt e-mails.

    If you make a contactless transaction it uses the same technique.

    It relies on the fact that given the public key it's very hard to
    discover the matching private key. There are fears that quantum
    computing may render this assumption false.

    Dave




    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From Theo@theom+news@chiark.greenend.org.uk to uk.d-i-y on Tue Apr 28 15:26:13 2026
    From Newsgroup: uk.d-i-y

    Nick Odell <nickodell49@yahoo.ca> wrote:
    In order to make sure that I can continue to talk to banks, on-line
    services etc into the future, I'm slowly migrating certain stuff from
    my very old and very out-of-date hardware. (Updating stuff? <fx:
    uk.d-i-y readers all check the headers to see if this is really Nick writing>)

    Please, jump in right away when you see I've got the wrong idea about
    pass codes but it's being presented to me as a way that your software remembers a very long string which it offers to a contact when you try
    to connect with them in place of a smaller, more crackable password.

    More and more I'm being told I ought to use a pass code in place of a password. I'm concerned that further down the line there may not be
    any choice anyway.

    Does the pass code replace the password altogether or does it become
    an alternative way of proving your identity? What does the recipient
    see? If I log onto a service from more than one machine at more than
    one location (I often do) do they each store the same pass codes or
    does the recipient have some way of recognising the different entries
    as being from the same user account?

    Is there a nice, handy words-of-one-syllable-or-less Dummies Guide to
    the pass code somewhere on line that you could point me to?

    Let me have a go...

    Passkeys use public key cryptography, in that you have private and public
    keys. This means you can sign messages where the other side can check the signature, but couldn't forge your signature themselves.

    As a rough analogy, think about writing a cheque. A cheque says:
    "Dear Barclays, please pay Bill Smith ten pounds. Yours J. Jones"

    and it's based on something you have (a chequebook - nobody should be able
    to forge it) and a signature (something that another person can't
    reproduce). If somebody steals one piece they can't reproduce the other
    piece - if someone steals your blank cheques they can't forge your signature, and if they copy your signature they don't have your chequebook to make
    valid cheques. (in theory, anyway)

    With public key crypto, 'signing' means using your private key to provide checkable proof that you are who you say you are, in a way that the
    recipient can check but can't forge.

    Doing that with passkeys has two steps:
    1. Unlock the passkey with something (fingerprint, PIN, passphrase, face, etc)
    2. Use the unlocked passkey to sign a challenge from the website.

    So what happens is you set up a passkey with a certain website. To login,
    your computer then prompts for (let's say) a PIN. This PIN is only used to unlock the passkey stored on your machine - it's not sent to the other end.
    If successfully unlocked, you can sign the challenge with your passkey in a
    way that the other end can safely check, and if the checks pass you're
    logged in.

    The other thing that passkeys do is they are specific to a particular
    website. You can't ask Lloyds to pay a cheque that's drawn on a Barclays account. For passkeys, the cryptography will fail if used on the wrong website, and a fake website can't use that failed login to try to login to
    the real website so phishing is stopped. This also prevents password sharing between different websites (even if you use the same PIN, the websites don't see it).

    Therefore what you're doing is storing perhaps one key pair for every
    website on your computer, rather than a bit of paper with a password for
    that website. Each key pair has a way to 'unlock' it on your machine before you can use it. Sometimes this 'unlock' mechanism involves a second device
    - eg most desktops don't have fingerprint readers, but there's a way for the desktop browser to talk to the fingerprint reader on your phone to unlock. This stuff is optional - you can just use a PIN to lock your keys if you
    don't mind the reduced security.

    The next problem comes when you have multiple machines - perhaps a desktop,
    a laptop, a phone, a tablet. If you login on your desktop you'd quite like
    to be able to login on your tablet as well. This means there are various methods to sync passkeys between different devices. To begin with this was heavily cloud-based: if you have passkeys in your Apple Keychain then you
    can use them on your Mac and on your iPhone. Microsoft and Google have
    similar systems for their 'ecosystems'.

    This caused some lockin: you couldn't extract the key from your iPhone to
    use on your Android. Sometimes websites would let you set up multiple
    passkeys for your account (one for login from iPhone, one for Android), but
    not always. But more recently sync protocols have developed that allow
    syncing between different platforms (I'm not up to date where that stands currently). Another way to do it is to use a password manager that can be installed across your devices of different brands, that keeps hold of your passkeys and permits syncing between the devices.

    Finally, passkeys work like better passwords. But not all websites are
    using them that way. For example, some are removing the credential reset procedures (sending an email with a link to reset your password) 'because it makes it more secure and you should backup your passkeys', but that puts the onus on the user to do that. If you lose your passkeys you may find that
    some websites lock you out because they don't have a way to verify you. In
    the case of Barclays there would always be a 'visit a branch with your passport' kind of fallback if you lose your login details, but some Big Tech companies don't want to implement that kind of flow (physical identity
    checking costs money) - no passkey and no recovery codes means you are
    locked out of your account forever. This is something to watch out for when enabling passkeys.

    Theo
    --- Synchronet 3.21f-Linux NewsLink 1.2
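    The challenge-signing step and the "specific to a particular website" property that Theo describes, as an added example that is not part of this thread: a simulated passkey registration and login written here in Go using only the standard library's P-256 ECDSA. The site names, account name and data layout are constructed for illustration; the real WebAuthn message formats are more involved, and the local PIN/biometric unlock of the private key is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator (phone, security key or password manager): one private key per site, never sent anywhere.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Site is the relying party: it only ever holds public keys, one per account.
type Site struct { ID string; pubs map[string]*ecdsa.PublicKey }
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }
func NewSite(id string) *Site          { return &Site{ID: id, pubs: map[string]*ecdsa.PublicKey{}} }

// Register makes a fresh key pair for site s and gives it only the public half.
func (a *Authenticator) Register(s *Site, account string) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[s.ID], s.pubs[account] = priv, &priv.PublicKey
}

// signedData binds the challenge to the site name, so a signature cannot be reused elsewhere.
func signedData(siteID string, challenge []byte) []byte {
	sum := sha256.Sum256(append([]byte(siteID+"|"), challenge...))
	return sum[:]
}

// Sign answers a challenge for the origin the browser reports; a look-alike phishing domain has no passkey, so ok is false.
func (a *Authenticator) Sign(origin string, challenge []byte) (sig []byte, ok bool) {
	priv, found := a.keys[origin]
	if !found {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(origin, challenge))
	return sig, err == nil
}

// Verify checks a response with the stored public key; the site holds no secret.
func (s *Site) Verify(account string, challenge, sig []byte) bool {
	pub, found := s.pubs[account]
	return found && ecdsa.VerifyASN1(pub, signedData(s.ID, challenge), sig)
}

// Login: s issues 32 fresh random bytes, the authenticator signs them for the origin the browser is on, s checks them.
func Login(a *Authenticator, s *Site, account, origin string) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil { panic(err) }
	sig, ok := a.Sign(origin, challenge)
	return ok && s.Verify(account, challenge, sig)
}
```

    A login from the genuine origin verifies, while a look-alike domain gets no signature at all and a signature made for one site does not verify at another.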
  • From Sam Plusnet@not@home.com to uk.d-i-y on Tue Apr 28 19:33:11 2026
    From Newsgroup: uk.d-i-y

    On 28/04/2026 10:48, Andy Burns wrote:
    Davey wrote:

    All this Passcode stuff, it seems to assume your PC has fingerprint or
    eye-scanning devices.

    It doesn't require it, just works better if you have it, if not you can enter a PIN instead of using biometrics.

    Thus replacing a password (usually minimum 8 characters including
    alphas, digits and symbols) with a 4 (or 6) digit PIN?
    Not an improvement in security.

    I mention this because my main PC lacks both camera and fingerprint
    reader (which is my preferred situation).
    --
    Sam Plusnet
    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From Joe@joe@jretrading.com to uk.d-i-y on Tue Apr 28 20:03:55 2026
    From Newsgroup: uk.d-i-y

    On Tue, 28 Apr 2026 19:33:11 +0100
    Sam Plusnet <not@home.com> wrote:

    On 28/04/2026 10:48, Andy Burns wrote:
    Davey wrote:

    All this Passcode stuff, it seems to assume your PC has
    fingerprint or eye-scanning devices.

    It doesn't require it, just works better if you have it, if not you
    can enter a PIN instead of using biometrics.

    Thus replacing a password (usually minimum 8 characters including
    alphas, digits and symbols) with a 4 (or 6) digit PIN?
    Not an improvement in security.

    The trick is that the PIN/whatever never leaves the client computer, it
    is only used locally to decrypt the private key. Secure Shell has done
    this for decades, using a key decryption password as long as you like.

    I mention this because my main PC lacks both camera and fingerprint
    reader (which is my preferred situation).


    I've always wondered about biometrics: what do you do when (*not* 'if')
    you get hacked? Get a fingerprint transplant?

    The other thing that isn't clear to me: who generates the
    public/private key pair, and if it isn't done on your computer, how is
    the private key transmitted to you securely? It would seem obvious that
    you should generate the keys and send the public key, as SSH does, but I haven't seen that explicitly stated.
    --
    Joe

    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From Andy Burns@usenet@andyburns.uk to uk.d-i-y on Tue Apr 28 20:52:38 2026
    From Newsgroup: uk.d-i-y

    Sam Plusnet wrote:

    Andy Burns wrote:
    Davey wrote:

    All this Passcode stuff, it seems to assume your PC has fingerprint or
    eye-scanning devices.

    It doesn't require it, just works better if you have it, if not you
    can enter a PIN instead of using biometrics.

    Thus replacing a password (usually minimum 8 characters including
    alphas, digits and symbols) with a 4 (or 6) digit PIN?
    Not an improvement in security.

    Depends what you're using, Windows Hello PINs can be alphanumeric and
    longer than 4 symbols, it's only protecting the local request to agree
    the passkey request, not usable by remote hackers.

    I mention this because my main PC lacks both camera and fingerprint
    reader (which is my preferred situation).

    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From Andy Burns@usenet@andyburns.uk to uk.d-i-y on Tue Apr 28 20:59:06 2026
    From Newsgroup: uk.d-i-y

    Joe wrote:

    The other thing that isn't clear to me: who generates the
    public/private key pair, and if it isn't done on your computer

    It is.

    how is
    the private key transmitted to you securely? It would seem obvious that
    you should generate the keys and send the public

    <https://www.passkeycentral.org/introduction-to-passkeys/how-passkeys-work#:~:text=the%20password%20manager%20%28or%20security%20key%29%20creates%20a%20cryptographic%20keypair>
    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From Joe@joe@jretrading.com to uk.d-i-y on Tue Apr 28 21:56:10 2026
    From Newsgroup: uk.d-i-y

    On Tue, 28 Apr 2026 20:59:06 +0100
    Andy Burns <usenet@andyburns.uk> wrote:

    Joe wrote:

    The other thing that isn't clear to me: who generates the
    public/private key pair, and if it isn't done on your computer

    It is.

    how is
    the private key transmitted to you securely? It would seem obvious
    that you should generate the keys and send the public

    <https://www.passkeycentral.org/introduction-to-passkeys/how-passkeys-work#:~:text=the%20password%20manager%20%28or%20security%20key%29%20creates%20a%20cryptographic%20keypair>

    Thanks.
    --
    Joe

    --- Synchronet 3.21f-Linux NewsLink 1.2