this post was submitted on 14 Feb 2024
263 points (88.8% liked)

Technology

59148 readers
2338 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing... that lives on my phone? What if I lose my phone? What if you steal my phone?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 54 points 8 months ago (12 children)

Can somebody help me understand the advantages of passkeys over a password manager? Googling just brings up tons of advertising and obvious self promotion, or ELI5s that totally ignore best passwords practices using managers.

[–] [email protected] 43 points 8 months ago* (last edited 8 months ago) (6 children)

Passkeys work like a public/private key pair you’d use to secure SSH access to a server. You give the website a public key that corresponds to a private key generated on your local device. Unlike a password it’s not feasible to brute force and there’s nothing you have to remember which makes it more convenient for you to use. If a site is hacked and they gain access to the public passkey you use to authenticate, it can’t be used to authenticate anywhere.

It’s not really an alternative to a password manager, because you can use a password manager to generate and sync a single passkey between all your devices. In fact 1Password is a big proponent of passkeys and even maintain a big directory of sites that use passkeys.

[–] [email protected] 1 points 8 months ago (5 children)

there’s nothing you have to remember which makes it more convenient for you to use

Unlike my devices, I always have my brain on me. Devices are much more easily lost or stolen than memories. I often might want to access sites using my account from third party devices which I don't want to be able to use my accounts when I'm not using them.

I just can't understand how using passkeys (or password managers, for that matter, massive single points of failure that they are) is supposed to be in any way shape or form more convenient than simply remembering a passphrase (which can easily be customisable for each site using some simple formula so that no two sites will share the same but it'll still be trivial to remember).

Both password managers and passkeys seem like colossal inconveniences and security risks to me when compared to passphrases, frankly. And if you want extra security there's always two factor authentication (with multiple alternatives in case you don't have access to one of them, of course; otherwise you might as well delete your account).

[–] [email protected] 2 points 8 months ago (1 children)

The benefit of passkeys over passwords is that they're phishing resistant and use strong encryption. They're effectively an iteration on yubikeys meaning you can have as many (or as few) passkeys associated with a given login as you'd like. So, you can easily prevent there being a single point of failure in the system.

Passkeys are tied to accounts and devices and those devices are the only devices used for authentication. This means you can access your account form a public device without that device ever knowing your credentials provided you and your secure device are physically present so it avoids the whole keylogger issue.

[–] [email protected] 1 points 8 months ago

This means you can access your account form a public device without that device ever knowing your credentials provided you and your secure device are physically presen

My secure device is in my other pants, though. I misplace my brain much less often.

load more comments (3 replies)
load more comments (3 replies)
load more comments (8 replies)