this post was submitted on 14 Feb 2024
257 points (88.6% liked)

Technology

59111 readers
5621 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
257
Passkeys might really kill passwords (www.theverge.com)
submitted 8 months ago by [email protected] to c/[email protected]
169 comments fedilink hide all child comments
 

Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing... that lives on my phone? What if I lose my phone? What if you steal my phone?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 156 points 8 months ago (36 children)

Until someone can explain to me how I can transfer, manage and control my passkeys without syncing them to some hostile corporation's cloud infrastructure, passkeys will remain a super hard sell for me.

[–] [email protected] 3 points 8 months ago (1 children)

Browsers can save them and extensions like, KeepassXC, can behave like a passkey provider

[–] [email protected] 0 points 8 months ago (3 children)

That's something, but isn't half the benefit meant to be storing them in the TPM? Also, that won't help if you're logging into a game or app, surely? Would love to be wrong on that, of course.

[–] [email protected] 5 points 8 months ago

Many apps now do the 'app opens the browser for login' process instead of having the login in their actual app. They don't have to implement all the different ways to log in then, they can just use the same system that their normal account management stuff on their site uses.

You can get greater security with hardware-backed solutions like a TPM but the adoption rate was not great. I think the goal is to improve things over passwords, even if the credentials are then available on multiple devices via a sync or a password database file. Perfect being the enemy of good and all that. Hardware options still exist and you can still use them; they use the same WebAuthn standard that passkeys use.

[–] [email protected] 2 points 8 months ago

Also, that won’t help if you’re logging into a game or app, surely?

MicroG has added support for passkeys already

[–] [email protected] 2 points 8 months ago

Yeah, I personally will only use hardware solutions for passkeys -- YubiKeys and TPM-backed WHFB creds.

But the other reply makes a very good point about adoption being more important than perfection since, even with software-backed passkeys, you still have the benefit of the secret never leaving the client.

load more comments (34 replies)