this post was submitted on 03 Nov 2023
302 points (87.0% liked)

Technology

59390 readers
2960 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 3 points 1 year ago

There are lots of advantages:

  • No need to worry about password encoding, like this emoji debacle for example. Actually there's no need to worry about passwords in general anymore, no more worries about lenghts, encoding, character space, remembering them etc.
  • It eliminates that scam where attackers set up a site on a domain that looks like the correct one, because the domain is part of the protocol.
  • It eliminates phishing for 2FA because login only works on your device anyway and there's nothing you can be tricked into giving away to an attacker.
  • If attackers break into a site and steal the public keys they can't use them for anything.
  • Since the whole process is automated between servers and browsers and also standardized, it can be upgraded seamlessly and continously, you can upgrade the protocol, the key lengths, the encryption cyphers etc. with zero impact for the user. New upgraded versions can be distributed to both servers and browsers and they'll just use the highest version they both have.
  • 2FA is a core part of the protocol, but again in a way that eliminates phishing: it's basically a way to unlock access temporarily to one specific key in your key vault. You can use a master password, or an USB key, or TOTP codes, or biometrics (fingerprint or face) etc., but NOT cellular texts (SMS) anymore because the vault stays on your devices, no need for another party to send you anything.
  • Syncing your vault online and over multiple devices, as well as backup, are also a core part of the approach and will eliminate the worry that you drop your phone and you're screwed forever.

The downside is that there's been a whole bunch of tools and apps and services built around passwords for decades and converting all that mass to passkey tools will take a bit.

There are some other tradeoffs like, right now for example I can reasonably print all my passwords and TOTP codes on a few sheets of paper and achieve an "offline" backup in case of untimely death and so on, it's going to be a bit more cumbersome with passkeys. But I expect there will be ways to optimize that as the technology evolves.