A new login technique is becoming available in 2023: the passkey. The passkey promises to solve phishing and prevent password reuse. But lots of smart and security-oriented folks are confused about what exactly a passkey is. There’s a good reason for that. A passkey is in some sense one of two (or three) different things, depending on how it’s stored.
  • jet@hackertalks.comEnglish
    3·
    1 year ago

    Wow! I had no idea. I assumed the yubikey bioseries didn’t work with passkeys. But I read the documentation that you linked, and I just tested it out on the demo site. It works.

    That’s amazing! Thanks

    Can only store 25 keys but hey that’s still something.

      • jet@hackertalks.comEnglish
        21·
        1 year ago

        I prefer the yubikey webauthn fido2 non passkey approach. It’s not limited to 25 slots. And if your key gets compromised, or you’re forced to unlock it, there isn’t a list of sites that it works on.

        With passkeys, if somebody compromises you, physically, they can see everything you can log into. That makes me feel icky

        • tippl@lemmy.world
          4·
          1 year ago

          if somebody compromises you, physically, they can see everything you can log into

          Can they though? I own a few yubikeys with passkeys stored inside and i cannot query stored logins without entering a pin.

          • jet@hackertalks.comEnglish
            12·
            1 year ago

            Right, so they coerce you to unlock the yubi key (threats, torture, finger removal, etc) and now they see all your passkeys and what they belong to. It’s a menu of your activity.