• @[email protected]
    link
    fedilink
    English
    13
    edit-2
    4 months ago

    Tying a password to a browser or device isn’t going to make it any easier. Use a password manager and set unique string passwords for everything. If the app supports it, use FIDO physical keys instead of Passkeys

    • @[email protected]
      link
      fedilink
      English
      84 months ago

      Even better would be to use certificates instead of passwords. What if every website gave you a certificate signed by them, and you store that in your password manager automatically.

      Maybe that’s what passkeys are… Haven’t read up on them at all.

      • @[email protected]
        link
        fedilink
        English
        64 months ago

        Basically with passkeys you have a public/private key pair that is generated for each account/each site and stored somewhere on your end somehow (on a hardware device, in a password manager, etc). When setting it up with the site you give your public key to the site so that they can recognize you in the future. When you want to prove that it’s you, the website sends you a unique challenge message and asks you to sign it (a unique message to prevent replay attacks). There’s some extra stuff in the spec regarding how the keys are stored or how the user is verified on the client side (such as having both access to the key and some kind of presence test or knowledge/biometric factor) but for the most part it’s like certificates but easier.

      • @[email protected]
        link
        fedilink
        English
        14 months ago

        I really wish SQRL had taken off. It’s a lot like pass keys, but it used a central certificate to mint per-site certificates (along with per user per site certs if memory serves) and had proper methods of rolling it in and rotating the keys assigned to your account.

    • @[email protected]
      link
      fedilink
      English
      54 months ago

      … passkeys basically do all this without you having to know how. Your device /is/ the physical key and /you/ are the secondary auth. It honestly doesn’t get any easier for the user.

      • @[email protected]
        link
        fedilink
        English
        14 months ago

        What options are there for migrating passkeys to a new device? Easy to lock you into that iPhone and you must use their migration tool when you upgrade. Or I just carry it on my keychain, no vendor lock in.

        • @[email protected]
          link
          fedilink
          English
          1
          edit-2
          4 months ago

          3rd party password managers are already adding passkey support. Passkeys isn’t an Apple only security technology. FIDO has its place but passkeys is the future for most people like it or not.

          • @[email protected]
            link
            fedilink
            English
            14 months ago

            Do I need a subscription service for this passkey supported password manager? Or I can just buy a hardware key that can be used on my phone or any device, password manager supported or not. Seems like the freedom and portability of a physical key, like a key to your home or car makes a ton of sense.

            Passkeys are based on and supported by the FIDO alliance.

            https://fidoalliance.org/passkeys/