Sadly, the support for passkeys is still lacking.

7 points
permalink
report
reply
5 points

looks interesting, a bit like all this “login with google” but without a third party needed.

I’ve never heard of it before, and the idea is more than 10 years old, so it is probsbly very niche.

permalink
report
parent
reply
4 points

It ends up being a lot like FIDO or Passkeys but without having to store a separate key for each site. Each key is derived from your master key and the domain so they are all unique, to prevent tracking, but you still don’t have to save a separate private key blob for each site. There is also a recovery key built into the spec so that if your master key somehow gets out, you can use your recovery key to prove you’re the real person and regain your account to change the signin public key.

permalink
report
parent
reply
10 points
*

Dear google, can I have custom passkey provider on my Android <13?

Google:


Spoiler: There’s no option to change the passkey provider nor even mention of passkeys in settings

permalink
report
reply
5 points

While annoying it’s understandable that they don’t backport everything from newer updates.

permalink
report
parent
reply
1 point

We haven’t reached the level of passwords yet because of their restrictive policies leading to users storing copies of their passwords near the computer.

We basically just have usernames with slightly more steps.

permalink
report
reply
18 points

Na, the biggest brain move is using an EICAR test string as a password.

First off, if your password is stored in plain text any AV will quarantine the file, including database files.

Secondly, if the password is leaked, any file containing it will be quarantined.

permalink
report
reply
7 points

Nothing more secure than using a widely known string as your password for everything.

permalink
report
parent
reply
7 points

That’s the fun thing test string can be anything as long as it is in the right format.

permalink
report
parent
reply
38 points

I still have no idea how passkeys work. All the explanations I’ve seen so far were less than helpful.

permalink
report
reply

Imagine SSH Key but for Website

permalink
report
parent
reply
9 points

The (over?) simplified version is they’re basically the same as the key/certificate pairs you use to connect to a website securely while also proving its identity to you.

Some key benefits of passkeys are:

  • Your private key doesn’t leave your device (or your password manager). You no longer have to worry about if the website you’re using is incompetent and storing your password in plain text waiting to be stolen in a breach. The only one who can expose your passkey is you (or your password manager)
  • Your passkey isn’t something you have to remember so for the unwashed masses it’s more idiot proof because they’re more secure by default
permalink
report
parent
reply
25 points

As I understand it, instead of the website or online service storing your password (in a, supposedly secured way), with passkey your password manager stores a private key and the online service stores a public key (or rather a lock). The key and the lock are paired together cryptographically (mathematical functions that are non-reversible). Now when you login with passkey, the service sends a challenge generated from the lock, that can be solved only with the matching private key, your password manager solves the challenge and your authenticated. Locks and keys were not exchanged during the process, and services never store your key. Everything happens automagically.

It actually uses the same protocol used is some hardware security keys such as Yubikey and Solokeys. The problem remains the same as with hardware security keys, adoption and support, compatibility. It’s very rare that a service supports these options, although they exist for a while.

Anyone feels free to correct me if I wrote something wrong. I am by no mean an expert.

permalink
report
parent
reply
16 points

Your explanation is correct.

For me, the critical issue is still compatibility. Not all password managers support passkeys, not many sites support passkeys etc.

permalink
report
parent
reply
2 points

Yes, I have my Solokey for a while. I can count the compatible services I use on the fingers of one hand. Passkey, as of today, even fewer…

permalink
report
parent
reply

Cybersecurity - Memes

!cybersecuritymemes@lemmy.world

Create post

Only the hottest memes in Cybersecurity

Community stats

  • 205

    Monthly active users

  • 78

    Posts

  • 1.1K

    Comments