
Plain-English security glossary

"Passkey," "public key," "AES," "PWA"… the security world is full of acronyms. Here they are in plain English, with the full spellings written out and an everyday analogy where useful.

Last updated: May 2026

Logins and keys

Public key / private key

A pair of keys. The public key is safe to share — think of it like a padlock anyone can use. The private key is the only one that opens that padlock, and you never give it out. With this pair, you can exchange things securely without ever sending the key itself.

Passkey

A passwordless way to log in. A key lives inside your phone, your PC, or a security key like a YubiKey. How you prove it's you depends on the device — phones and PCs use fingerprint or face recognition, while a YubiKey uses "touch the metal contact" plus a PIN if asked (note: ordinary YubiKeys do not have a fingerprint sensor). Nothing to memorize, and very hard to phish.

WebAuthn (Web Authentication) / FIDO2 (Fast IDentity Online 2)

The standards that make passkeys work in browsers. They define how a website asks the browser to "verify this user with their device or key." FIDO2 is the broader family of specs underneath.

PRF (Pseudo-Random Function)

A way to pull "the same secret value, but unique to this key" out of a YubiKey on demand. Arpass uses this to derive a separate encryption key for each registered YubiKey.

2FA (Two-Factor Authentication) / MFA (Multi-Factor Authentication)

Asking for one extra check on top of a password — a code on your phone, a YubiKey tap, etc. "Two locks on the door." MFA is the more general term and means two or more factors combined.

OTP (One-Time Password)

A throwaway numeric code that changes every 30 seconds or so. Even if stolen, it expires quickly. Commonly used for 2FA.

How crypto works

Encryption / decryption

Encryption turns data into something unreadable using a key. Decryption reverses it with the key. That's it.

AES (Advanced Encryption Standard)

The most widely used encryption method today. The same key both encrypts and decrypts ("symmetric encryption"). "AES-256" means the key is 256 bits — very strong.

RSA (Rivest–Shamir–Adleman) / ECC (Elliptic Curve Cryptography)

Both are public-key encryption methods. RSA is the long-standing classic (named after its three inventors). ECC is newer and uses shorter keys for the same strength, so it's becoming dominant on phones and YubiKeys. The math is intricate; you don't need to understand it to use it.

Hash

Turns data into a fixed-length "fingerprint" string. The same input always produces the same fingerprint, but you can't reverse-engineer the input from the fingerprint. Used to detect tampering and to compare items.

Key derivation / HKDF (HMAC-based Key Derivation Function)

A way to safely produce purpose-specific keys from one underlying secret. The discipline of not reusing the same secret directly for everything.

Quantum computers / PQC (Post-Quantum Cryptography)

Future ultra-powerful computers that could, in theory, break today's public-key crypto (RSA, ECC). PQC is the next generation of crypto designed to resist them. Not a practical threat today.

Hardware (physical devices)

Security key / YubiKey

A small USB / NFC physical device that holds login keys. YubiKey is the best-known brand. Because the key physically lives in your hand, it's very strong.

You use it by touching the metal contact, plus a PIN when prompted. Ordinary YubiKeys (the 5 series and the Security Key series) do not have a fingerprint sensor. (Yubico also makes a separate "YubiKey Bio" line that has a fingerprint sensor, but that's a different product line.)

NFC (Near Field Communication)

Very short-range wireless. The "tap your phone with a YubiKey" sort of communication. Same family of tech as contactless transit cards.

Secure Enclave

An isolated, dedicated area inside a phone or PC that stores keys with extra protections. Your fingerprint / face data and device keys live here and don't come out. (This is built into phones and PCs — not the same thing as a YubiKey.)

HSM (Hardware Security Module)

A dedicated piece of hardware that handles keys without ever letting them out. Used on the server side by banks and big services.

OpenPGP (the open Pretty Good Privacy standard)

A long-standing standard for encrypting and signing emails and files. Based on the original "PGP" (Pretty Good Privacy). YubiKey can hold these keys.

PIV (Personal Identity Verification)

A "smart card" style identity-verification standard, originally for US government employees. Used for enterprise PC login among other things. YubiKey supports it.

Web and app terms

PWA (Progressive Web App)

A way to make a website behave like an app. "Add to Home Screen" creates an icon that launches the site full-screen. Doesn't go through an app store.

Service worker

A small program that runs in the background for a web page. Used for offline support and to make a site qualify as a PWA.

Web App Manifest

A small "config file" for a PWA. Lists the app name, icons, and how it should launch. Lets the browser treat the site like an app.

TWA (Trusted Web Activity)

A way to wrap a website in an Android "app shell" so it can be listed on Google Play.

IAP (In-App Purchase)

Buying digital goods inside an app using Apple's / Google's billing. Those stores take a commission.

CSP (Content Security Policy)

A safety setting that tells a web page "you may only load scripts and images from these places." Helps stop injected, malicious scripts from running.

Arpass-specific terms

Zero-knowledge

A design where the service operator cannot see (and cannot get to) the contents of your data. Encryption happens entirely in your browser; the operator only ever sees encrypted bytes. Arpass uses this design.

Blockchain / Arweave

"Blockchain" is a way of storing data so that it's distributed and very hard to alter or delete. Arweave is a specific kind of blockchain storage where what you write stays written, permanently. Arpass stores your encrypted data here.

MEK (Master Encryption Key)

In Arpass, the master key that actually encrypts your data. The MEK itself is then wrapped (encrypted) by your password, YubiKey, and other "factors," so it's never naked.

Recovery Secret

Arpass's recovery code. The last-resort way to recover if you lose all your devices and keys. Printed on paper and kept safely. (The YubiKey-only mode does not use a Recovery Secret.)

Once you've got the vocabulary, you might want to read how to choose a YubiKey or how YubiKey × Arpass actually works.
