this post was submitted on 11 Nov 2025
290 points (87.6% liked)

Technology

Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.

But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.

I broke down how passkeys work, their strengths, and what's still missing.

[–] lmmarsano@lemmynsfw.com 2 points 1 day ago* (last edited 1 day ago) (1 children)

> All my passwords look like @A#vVukh9c$3Kw4Cs8NP9xgazEuJ3JWE and are unique.

You're still transmitting the actual secret to the destination, so interception is a risk. Passkeys use asymmetric cryptography: no reusable secret is ever transmitted, only time-sensitive challenges that prove possession of the private key. Servers only store public keys, which aren't secret by design.

Passkeys have multifactor authentication built-in whereas passwords do not.

Passkeys can be more convenient than passwords. My password manager has my passkeys. At login, my password manager raises a passkey prompt that I simply confirm.

[–] Zak@piefed.world 2 points 1 day ago* (last edited 1 day ago) (1 children)

If they can intercept my password despite TLS, they can probably also steal my session. I'll grant that's marginally less bad since the attacker would have to do their evil immediately if I log out when finished.

I'm going to disagree that passkeys really have multifactor authentication built in. The passkey is a single factor. If it is compromised (an attacker steals the private key), that's all the attacker needs unless the service involved requires another factor like TOTP. The fact that it's usually harder to steal the private key than a password doesn't make it MFA.

I recognize the theoretical advantages, but my one attempt to use it (here, with Piefed) didn't go so well, so I'm not eager to jump in with both feet.

[–] lmmarsano@lemmynsfw.com 1 points 21 hours ago* (last edited 17 hours ago)

> If they can intercept my password despite TLS, they can probably also steal my session.

That's not necessarily true: it could leak due to a flaw or defect that doesn't affect the session token.

Security is all about layers & reducing risk/surface area of attack. By getting your secret, they can leak it. Leaking a secret they don't have, however, is impossible: that's secure by design.

> I'm going to disagree that passkeys really have multifactor authentication built in.

Then you're disagreeing with standards & definitions. Passkeys are encrypted in an authenticator that needs a biometric or secret (i.e., something you are or know) to unlock the key (something you have).

Authenticator is a multi-factor cryptographic authenticator that uses public-key cryptography to sign an authentication assertion targeted at the WebAuthn Relying Party. Assuming the authenticator uses either a facial recognition, fingerprint or PIN for user verification, the authenticator itself is something you have while the facial recognition and fingerprint (biometric) are something you are and the PIN is something you know.

> my one attempt to use it

While it's fine to share, "I tried something once, it sucked" is not a great argument to generalize that the technology sucks or isn't better than your limited impression. Maybe piefed sucks: if piefed implemented password authentication wrong, would you blame password authentication?