• jet@hackertalks.com
    1 year ago

    They are fine, just SSH public/private keypairs but for “the web”… worse than FIDO2… so not really sure why they are being pushed so much above FIDO2

      • jet@hackertalks.com
        1 year ago

        Wow! I had no idea. I assumed the YubiKey Bio Series didn’t work with passkeys. But I read the documentation that you linked, and I just tested it out on the demo site. It works.

        That’s amazing! Thanks

        Can only store 25 keys but hey that’s still something.

          • jet@hackertalks.com
            1 year ago

            I prefer the YubiKey WebAuthn FIDO2 non-passkey approach. It’s not limited to 25 slots. And if your key gets compromised, or you’re forced to unlock it, there isn’t a list of sites that it works on.

            With passkeys, if somebody compromises you, physically, they can see everything you can log into. That makes me feel icky

            • tippl@lemmy.world
              1 year ago

              > if somebody compromises you, physically, they can see everything you can log into

              Can they though? I own a few YubiKeys with passkeys stored inside and I cannot query stored logins without entering a PIN.

              • jet@hackertalks.com
                1 year ago

                Right, so they coerce you to unlock the YubiKey (threats, torture, finger removal, etc.) and now they see all your passkeys and what they belong to. It’s a menu of your activity.
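
The thread contrasts discoverable credentials (passkeys, stored in numbered slots on the key) with non-discoverable FIDO2 credentials. The sketch below is an added example, not code from any poster or vendor: a simplified model in which the device re-derives each non-discoverable key from a device secret and the credential ID the site hands back, so nothing per-site is stored. The class name, the HMAC construction and the `.example` sites are assumptions for illustration; the 25-slot limit is the figure quoted in the thread.

```python
import hashlib
import hmac
import os

SLOT_LIMIT = 25  # resident-credential limit quoted in the thread


class ToyAuthenticator:
    """Simplified model of a FIDO2 key; not any vendor's real scheme."""

    def __init__(self, master_secret=None):
        self._master = master_secret or os.urandom(32)  # never leaves the device
        self._resident = {}  # rp_id -> key seed, discoverable credentials only

    def _derive(self, label, rp_id, nonce):
        rp_hash = hashlib.sha256(rp_id.encode()).digest()
        return hmac.new(self._master, label + rp_hash + nonce, hashlib.sha256).digest()

    def make_credential(self, rp_id, discoverable):
        nonce = os.urandom(16)
        if discoverable:
            if rp_id not in self._resident and len(self._resident) >= SLOT_LIMIT:
                raise RuntimeError("no free resident slots")
            self._resident[rp_id] = self._derive(b"key", rp_id, nonce)
            return nonce
        # Non-discoverable: the site stores this ID; the device stores nothing.
        return nonce + self._derive(b"tag", rp_id, nonce)[:16]

    def key_for(self, rp_id, credential_id):
        """Re-derive the seed for a non-discoverable credential, or None."""
        nonce, tag = credential_id[:16], credential_id[16:]
        expected = self._derive(b"tag", rp_id, nonce)[:16]
        if not hmac.compare_digest(tag, expected):
            return None  # wrong site or wrong device
        return self._derive(b"key", rp_id, nonce)

    def enumerate_sites(self):
        """What an unlocked device can list: resident credentials only."""
        return sorted(self._resident)


def demo():
    dev = ToyAuthenticator()
    ids = {f"site{i}.example": dev.make_credential(f"site{i}.example", False)
           for i in range(100)}  # constructed sites, far more than SLOT_LIMIT
    dev.make_credential("mail.example", True)
    return dev, ids
```

In this model `enumerate_sites()` returns only the one resident entry even though the device can authenticate to all 100 other sites, which is the property the non-passkey comment relies on.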