key storage for persons with hanko

[gedw99]

love what Hanko is.

The gatekeepers are slowly become also the key keepers ...

I was wondering how the Hanko server and Client relate to where a person or perhaps org should keep their keys.

https://github.com/keybase/client is an open source way to store your keys and so i am really curious what the Hanko teams vision would be for where this might fit in.

I know that on your devices the key storage is in the enclave of whatever the fancy name for it is on each OS.

[FlxMgdnz]

One of the main reasons why we think FIDO, WebAuthn, and passkeys are so good is because the private keys stay in the hands of the user, but key management is abstracted and taken care of by the operating system and there's no need for the user to install and configure anything for that to happen.

With the introduction of passkey sync through the platform's cloud fabrics, it may feel as if passkeys are becoming an instrument to create a lock-in effect. But clearly, passkeys are designed for cross-platform usage:

1. There's the cross-device hybrid/QR code flow already supported by both iOS and Android, allowing you to use your passkeys freely on other devices (as long as they support Bluetooth).
2. Additionally, it is expected that the platforms will provide system APIs that allow 3rd-party applications to hook into the passkey infrastructure and take care of passkey backup and sync. It is almost certain that current password management providers will extend their products to support passkey sync through those APIs. At that point, users will be able to decide if they want to let their platform (Apple, Google, MS) take care of their passkeys or if they want to use another service for that. This other service can most likely even be a local client application that may or may not connect to a self-hosted instance of a password/passkey management product.

All of the above is not directly related to Hanko, as we only provide the authentication infrastructure for relying parties, or in other words the counterpart to the passkey infrastructure that is available on the user's devices and where the keys are stored.

[gedw99]

thanks @FlxMgdnz for the explanation.

I was definitely not understanding the Architecture of how hanko works...

So the data is on the hanko server ( and postres ) and the clients make a call to the server ?

The clients ( like the android example at https://github.com/teamhanko/hanko-android-example/blob/main/app/src/main/java/io/hanko/hanko_mobile_example/repository/WebauthnRepo.kt ), get the data back and do the auth. I assume the call to the Native OS package stores the data in the TMP chip, so that its cached ?

If the above is correct then this architecture is designed such that developers have to specifically integrate with Hanko.
Which tends to suggest that this is going to be used by Orgs that want their employes and their own apps to use it and keep the auth aspects using hanko servers ?

thanks in advance...