this post was submitted on 04 Nov 2023
240 points (94.1% liked)

Technology

34904 readers
1244 users here now

This is the official technology community of Lemmy.ml for all news related to creation and use of technology, and to facilitate civil, meaningful discussion around it.

Ask in DM before posting product reviews or ads. All such posts otherwise are subject to removal.

Rules:

1: All Lemmy rules apply

2: Do not post low effort posts

3: NEVER post naziped*gore stuff

4: Always post article URLs or their archived version URLs as sources, NOT screenshots. Help the blind users.

5: personal rants of Big Tech CEOs like Elon Musk are unwelcome (does not include posts about their companies affecting wide range of people)

6: no advertisement posts unless verified as legitimate and non-exploitative/non-consumerist

7: crypto related posts, unless essential, are disallowed

founded 5 years ago
MODERATORS
[email protected]
240
What the !#@% is a Passkey? (www.eff.org)
submitted 1 year ago by [email protected] to c/[email protected]
95 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 41 points 1 year ago (49 children)

You’re still entering the password or pin for your password manager. I genuinely do not see how this is better. It’s simply an alternative, not an improvement.

[–] [email protected] 28 points 1 year ago (4 children)

The biggest difference: nothing sensitive is stored on the server. No passwords, no password hashes, just a public key. No amount of brute forcing, dictionary attacks or rainbow tables can help an attacker log in with a public key.

"But what about phising? If the attacker has the public key, they can pretend to be the actual site and trick the user into logging in." Only if they also manage to use the same domain name. Like a password manager, passkeys are stored for a specific domain name. If the domain doesn't match, the passkey won't be found.

https://www.youtube.com/watch?v=qNy_Q9fth-4 gives a pretty good introduction on them.

[–] [email protected] 1 points 1 year ago (2 children)

This is something being sold in favor of passkeys but I can't ser how "more secure" it is for me.

I use Bitwarden, the domain name matching works exactly like passkey's. How more secure a passkey is, if it has 0 changes to this domain name detection?

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

With a breach of the server then they can get your password the next time you log in and maintain persistent access until they're both kicked out and everybody has changed passwords.

With passkeys you don't need to do anything, they never had your secret.

load more comments (1 replies)
load more comments (2 replies)
load more comments (46 replies)