this post was submitted on 11 Nov 2025
290 points (87.6% liked)

Technology

76799 readers
3867 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
290
Passkeys Explained: The End of Passwords (sentientrant.com)
submitted 2 days ago by sentientRant@lemmy.world to c/technology@lemmy.world
232 comments fedilink hide all child comments
 

Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.

But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.

I broke down how passkeys work, their strengths, and what’s still missing

you are viewing a single comment's thread
view the rest of the comments
[–] laranis@lemmy.zip 26 points 1 day ago (3 children)

Why do you have the 4-digit PIN? Well, it’s just to unlock the part of your device where the private key is stored.

And there is the problem I have with passkeys. With a password it is me authenticating to the service I'm using. Pretty straight forward (if you ignore the operating system, web browser, network protocols, etc., but that's part of using the tech).

With passkeys you've got this third party storing your keys that increases your attack surface. It could be your web browser, your OS, or some cloud provider that you're now relying on to keep your data safe. I get that for people whose password is "password123" or who aren't savvy enough to avoid phishing maybe this helps. But with decent opsec this overly complicates authentication, IMO.

To my point, later in the article:

Securing your cloud account with strong 2FA and activating biometrics is crucial.

What's that now? The weak point is the user's ability to implement MFA and biometrics? The same users who couldn't be bothered to create different passwords for different sites? You see how we've just inserted another layer into the authentication process without solving for the major weakness?

With my tinfoil hat on I suspect this push toward passkeys is just another corporate data and/or money grab -- snake oil for companies to get their tentacles tighter around your digital existence.

Happy to be proven wrong.

[–] needanke@feddit.org 10 points 1 day ago* (last edited 1 day ago)

How do you currently store your passwords? I would also consider that a third party with an adittional atack surface if you are considering the passkey location one.

Also your argument

(if you ignore the operating system, web browser, network protocols, etc., but that's part of using the tech).

is faulty. That is because passkeys exist in part to mitigate those atack vectors. Mitm, a compromised browser or client, etc. is less of an issue with passkeys. The information transmitted during an authentication can not be reused on another authentication attempt.

I don't agree on passkeys complicating things either. For me the authentication-flow is not more complicated then KeePasses autofill.

Assuming one can be 'tech savy' enough to not fall for fishing is bad. There are quite advanced attacks or you might even just be tired one day and do something stupid by accident.

What's that now? The weak point is the user's ability to implement MFA and biometrics? The same users who couldn't be bothered to create different passwords for different sites?

You don't expext the user to 'implement' mfa or biometrics. You expect them to use it. And most places where a novice would store passkeys don't just expect but enforce it. It is also way simpler to set up biometrics on one device compared to keeping with a good password strategy.

[–] Evotech@lemmy.world 11 points 1 day ago* (last edited 1 day ago)

Passkeys can't be phished.

That's the main point.

Phishing is a reeeeal pain. And something that needs to be solved. Not through training but with technology.

[–] sentientRant@lemmy.world 4 points 1 day ago (1 children)

Today we use lots of accounts with unique passwords. Obviously these passwords have to be stored somewhere. So I disagree with you when you say it's a unique passkey thing.

Passkey has an advantage when it comes to phishing because it doesn't totally rely on human intelligence or state of mind.

From a personal experience my data was leaked online, not because of phishing or I was careless. but it was leaked from a well known third party site which I used. They were affected by a very serious breach. Many unlike me use the same passwords for their emails and stuffs. But in case of passkeys there isn't a shared secret. A breach will be useless.

[–] laranis@lemmy.zip 3 points 1 day ago (1 children)

I think you're making my point. First, you're right that passkeys can't be phished. But access to the passkey manager can be. And now you've doubled your exposure to leaky third parties, once with the service you're accessing and another with the passkey manager.

[–] sentientRant@lemmy.world 2 points 1 day ago

But the third parties actually have no access to your passkeys. The passkey stored are end to end encrypted blobs. So even if anyone gets hold of it, its useless. But a password for instance when leaked from 3rd party can be used easily as the server will have to decrypt the password at one point. So the means to decrypt the password will be at the server but passkeys aren't like that. The private passkey can be decrypted only on your device for signing the challenge. Basically your exposure was basically halved.