You are viewing a single thread.
View all comments View context
8 points

Do any of the iOS or Android apps support passkeys? I looked into this a couple days ago and didn’t find any that did. (KeePassXC does.)

permalink
report
parent
reply
3 points

Keepass2Android doesn’t have it yet, but seems to be working on it
https://github.com/PhilippC/keepass2android/issues/2099

Strongbox seem to have their implementation done for iPhone
https://strongboxsafe.com/updates/passkeys/

permalink
report
parent
reply
2 points
*

I don’t use passkeys so I don’t know. Maybe I should research into passkeys, what’s the benefit over plain old (long, randomly generated) passwords?

permalink
report
parent
reply
-1 points
*

Ok, from a quick search, it seems passkeys rely on some trusted entity (your browser, OS, …) to authenticate you, so, yeah, I’m not sure if I like that. The FIDO alliance website is all about how easy, convenient and secure passkeys are, and nothing about how they actually work under the hood, which is another red flag for me.

I’ll stick to old-fashioned, long, secure, randomly generated passwords, thanks.

permalink
report
parent
reply
4 points

Passkeys rely on you holding a private key. The initial design was that a device (like a browser or computer/phone) stored the private key in a TPM-protected manner, but you can also store it in a password manager.

This is more secure than a password because of the way private/public key encryption works. Your device receives a challenge encrypted with the public key, decrypts with the private key and then responds. The private key is never revealed, so if attackers get the public key they can’t do shit with it.

Just be sure that your private key is safe (use a strong master password for your PM vault) and your passkey can’t be stolen by hacking of a website.

permalink
report
parent
reply
1 point

I was finally able to find some technical detail on passkeys on FIDO website, and yeah, it actually looks like it’s a real improvement over passwords: it’s simple, uses proven technology (public/private keys), and should be much more secure than passwords.

Also, nothing in the “specs” says I need to entrust my private key with the OS or a third party, which is good.

That said, it seems some OS support is required nonetheless, to show the pin / biometrics prompt (or is it?), and on android at least, I’d need to buy a new device with Android 14 to use a non-Google passkey provider…

permalink
report
parent
reply
5 points

I’m no expert in this but the passkeys really on some sort of public key, cryptographic pair. Your device will only send your encrypted cryptographic secret when it gets the correct encrypted cryptographic secret from the destination. This makes it much harder to steal credentials with a fake website or other service.

permalink
report
parent
reply
5 points
*

From a quick search, Keepass2Android doesn’t have it, not clear if they’re working on it: https://github.com/PhilippC/keepass2android/issues/2099

KeePassDX similarly has an open issue, not clear when/if it will be implemented: https://github.com/Kunzisoft/KeePassDX/issues/1421

Good to know about Strongbox on iOS, though I’m on android so no bueno for me.

permalink
report
parent
reply

Technology

!technology@lemmy.world

Create post

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


Community stats

  • 15K

    Monthly active users

  • 6.7K

    Posts

  • 153K

    Comments