Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing… that lives on my phone? What if I lose my phone? What if you steal my phone?

  • @[email protected]
    link
    fedilink
    English
    510 months ago

    Browsers can save them and extensions like, KeepassXC, can behave like a passkey provider

    • @[email protected]
      link
      fedilink
      English
      110 months ago

      That’s something, but isn’t half the benefit meant to be storing them in the TPM? Also, that won’t help if you’re logging into a game or app, surely? Would love to be wrong on that, of course.

      • @[email protected]
        link
        fedilink
        English
        610 months ago

        Many apps now do the ‘app opens the browser for login’ process instead of having the login in their actual app. They don’t have to implement all the different ways to log in then, they can just use the same system that their normal account management stuff on their site uses.

        You can get greater security with hardware-backed solutions like a TPM but the adoption rate was not great. I think the goal is to improve things over passwords, even if the credentials are then available on multiple devices via a sync or a password database file. Perfect being the enemy of good and all that. Hardware options still exist and you can still use them; they use the same WebAuthn standard that passkeys use.

      • @[email protected]
        link
        fedilink
        English
        210 months ago

        Yeah, I personally will only use hardware solutions for passkeys – YubiKeys and TPM-backed WHFB creds.

        But the other reply makes a very good point about adoption being more important than perfection since, even with software-backed passkeys, you still have the benefit of the secret never leaving the client.

      • @[email protected]
        link
        fedilink
        English
        210 months ago

        Also, that won’t help if you’re logging into a game or app, surely?

        MicroG has added support for passkeys already