A new login technique is becoming available in 2023: the passkey. The passkey promises to solve phishing and prevent password reuse. But lots of smart and security-oriented folks are confused about what exactly a passkey is. There’s a good reason for that. A passkey is in some sense one of two (or three) different things, depending on how it’s stored.
    • jet@hackertalks.comEnglish
      3·
      1 year ago

      Wow! I had no idea. I assumed the yubikey bioseries didn’t work with passkeys. But I read the documentation that you linked, and I just tested it out on the demo site. It works.

      That’s amazing! Thanks

      Can only store 25 keys but hey that’s still something.

        • jet@hackertalks.comEnglish
          21·
          1 year ago

          I prefer the yubikey webauthn fido2 non passkey approach. It’s not limited to 25 slots. And if your key gets compromised, or you’re forced to unlock it, there isn’t a list of sites that it works on.

          With passkeys, if somebody compromises you, physically, they can see everything you can log into. That makes me feel icky

          • tippl@lemmy.world
            4·
            1 year ago

            if somebody compromises you, physically, they can see everything you can log into

            Can they though? I own a few yubikeys with passkeys stored inside and i cannot query stored logins without entering a pin.

            • jet@hackertalks.comEnglish
              12·
              1 year ago

              Right, so they coerce you to unlock the yubi key (threats, torture, finger removal, etc) and now they see all your passkeys and what they belong to. It’s a menu of your activity.