Reply to thread

Message

I think it's useful to consider passkey (private key) protected differently.
Passkeys stored on FIDO2 key are protected by HARDWARE. Possibly breachable by side-channel attack, but mostly considered very safe from extraction. This is the gold standard.
Passkeys stored associated with Windows Hello + TPM are protected by HARDWARE in combination with a privileged, highly protected OS component. They are likelier to be breached than the above, but it may require an unfixed OS vulnerability and/or AV/EDR ineffectiveness.
Passkeys stored in a user-space password manager. Weakest of all three, but is still a process designed for secret protection.

[QUOTE="Wrecker4923, post: 1118553, member: 110877"] I think it's useful to consider passkey (private key) protected differently. [LIST] [*]Passkeys stored on FIDO2 key are protected by [B]HARDWARE[/B]. Possibly breachable by side-channel attack, but mostly considered very safe from extraction. This is the gold standard. [*]Passkeys stored associated with Windows Hello + TPM are protected by [B]HARDWARE[/B] in combination with a [B]privileged, highly protected OS component[/B]. They are likelier to be breached than the above, but it may require an unfixed OS vulnerability and/or AV/EDR ineffectiveness. [*]Passkeys stored in a user-space password manager. Weakest of all three, but is still a process designed for secret protection. [/LIST] [/QUOTE]

Verification