this post was submitted on 11 Nov 2025
Technology
Oh, absolutely.
Replay attack is the wrong term; here's the threat model I'm talking about. Basically, the attacker watches the authentication flow and uses the resulting session (token?) to make web requests as you, stealing whatever data it wants. There's no attack on the authentication scheme, but on the shortcuts web services use.
It doesn't matter if you use passwords, TOTP, or webauthn; there's going to be some vector to attack the system without breaking the authentication mechanism.
The average user isn't going to see much security benefit from webauthn vs TOTP in the same way that adding a better lock to your front door is unlikely to improve your overall home security, because at a certain point, the burglar will just smash a window. TOTP is good enough because it's safe from attacks on email and SMS that worse one-time code systems use. You should definitely have a lock on your door, but at a certain point, the lock is no longer the weak point in the system.
And yes, I'm using "code generation" as a generic catchall. I group auth systems like so:
If your password manager handles the second factor, the user experience of TOTP vs webauthn is nearly identical, and the security is nearly identical to your average attacker, to the point where they won't attack the authentication mechanism itself, but something else on the website or the password manager itself.
Exactly. The difference between TOTP and webauthn only really matters if you're a government or something else where state-level actors are part of your threat model. If your service uses one or the other, the distinction isn't important to the average user.
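The "shortcut" the thread keeps coming back to is the bearer session token a site hands out after login, which works for whoever presents it no matter which factor was used. The example below is added here and is not code from any commenter or from any real service: a minimal server-side session store that shows how a captured token is accepted as the user, and how binding the session to the client context seen at login (a constructed heuristic: /24 network plus user agent, hashed) plus idle expiry and revocation narrows that window. Names such as `SessionStore`, `fingerprint` and the sample IPs are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    client_hash: str  # hash of the client context observed at login
    expires: float    # absolute time after which the token is dead


class SessionStore:
    """Opaque bearer sessions with context binding and idle expiry (hypothetical)."""

    def __init__(self, ttl: int = 900) -> None:
        self.ttl = ttl
        self._sessions: dict[str, Session] = {}

    @staticmethod
    def fingerprint(ip: str, user_agent: str) -> str:
        # Constructed binding rule: coarse /24 prefix plus user agent. Coarse on
        # purpose so NAT churn inside one network does not log the user out.
        net = ".".join(ip.split(".")[:3])
        return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()

    def create(self, user: str, ip: str, user_agent: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # random, unguessable, no user data inside
        self._sessions[token] = Session(user, self.fingerprint(ip, user_agent), now + self.ttl)
        return token

    def resolve(self, token: str, ip: str, user_agent: str, now: float):
        """Return (user, status). Any status other than 'ok' means re-authenticate."""
        s = self._sessions.get(token)
        if s is None or now > s.expires:
            self._sessions.pop(token, None)
            return None, "expired_or_unknown"
        if not hmac.compare_digest(s.client_hash, self.fingerprint(ip, user_agent)):
            # Same token, different client context: treat as possible token theft.
            # Revoke so neither the attacker nor the victim can keep using it.
            del self._sessions[token]
            return None, "context_mismatch"
        s.expires = now + self.ttl  # sliding idle timeout
        return s.user, "ok"
```

Without the `client_hash` check, the second `resolve` call in the test would return `alice` for the stolen token, which is exactly the scenario the commenter describes; the binding heuristic is a trade-off (mobile users changing networks will be logged out), not a substitute for short lifetimes and revocation.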