this post was submitted on 23 Aug 2025
38 points (97.5% liked)

VoidAuth is a self-hosted Single Sign-On solution that aims to be easy to set up and use while feeling seamless to your users. Release v1.1.0 brings a few new features I have been working on and am excited about:

  • Passkey-only Users, the option on sign-up to use a passkey instead of a password.
  • Admin Notification Emails, so admins know when they have new tasks such as user registrations to approve.
  • Approval Emails for New Users, so new users awaiting approval know when they have been.
  • DEFAULT_REDIRECT back to your main page for invitations, logouts, etc.
  • and more!
top 9 comments
[–] vort3@lemmy.ml 10 points 1 week ago (2 children)

Sorry for being silly here, I've been kind of out of the loop with recent technology, what exactly is "passkeys"? I remember reading something when it was announced, but all I saw was lots of buzzwords and vague "it's new and it's very good" claims.

Is it like, an alternative authorization method? Is it a second factor after I type my login/password, or does it replace passwords? What does it look like, from user's perspective?

[–] Penta@lemmy.world 7 points 1 week ago (2 children)

It replaces passwords with a cryptographic key. When you register at a website, you do not put in a password, instead it generates a key-pair, kinda like you would have with ssh auth. Usually to login you use biometrics, which will unlock the keys on your device. Advantage is that they are phishing resistant (the keys are bound to a specific domain), convenient and if the database of the website is leaked, it doesn't matter since they can only store your public key, which is worthless for authentication.

[–] vort3@lemmy.ml 8 points 1 week ago (1 children)

So pretty much same as ssh/gpg private/public keys? Do many websites support this? I don't remember seeing any that would give me an option to register using passkeys. Also, where are the private keys stored? How do I move them from device to device (for example, I signed up on android and now want to log in on desktop)? Do I back them up and restore when I'm buying a new phone?

[–] Penta@lemmy.world 8 points 1 week ago* (last edited 1 week ago)

A lot of the bigger players like Microsoft, Google and Apple support it. For small sites it's a lot rarer. The keys are stored on device, but can be synced in a variety of ways, often using the cloud. There are problems with vendor lock-in because of that, even though passkeys are an open standard by themselves. Generally nothing is stopping you from copying/syncing them yourself.

[–] Flagstaff@programming.dev 2 points 1 week ago (2 children)

But passkeys so often call for your Windows login (for those on Windows); doesn't that only give more power to Microsoft?

[–] Penta@lemmy.world 5 points 1 week ago (1 children)

Absolutely. But passkeys themselves are an open standard, so the implementation is different depending on device, browser etc. I don't use Windows, I don't know how it works there. I don't even use passkeys a lot in general, mostly due to it not being used on that many sites. I still think the technology is pretty interesting and will be more relevant in a few years.

[–] vort3@lemmy.ml 1 points 1 week ago

I think "identities" used on Gemini (at least the way they are implemented in Lagrange browser) are the best implementation of a similar idea, but, you know, it's only supported in Gemini.

[–] hedgehog@ttrpg.network 4 points 1 week ago

You can store passkeys in (and use them from) a password manager instead of the OS’s secret vault. I think most major password managers support this now - Bitwarden definitely does.

Pretty much as answered already, passkeys (sometimes branded like FaceID or Windows Hello but it is an open spec) are an alternative to passwords. Your public key that identifies your user is stored in VoidAuth and your private key is stored on your device. Some password managers support syncing passkeys, so you don’t have to set up a new passkey on every device.

The advantage over passwords is that they are domain and device specific, so are much harder to be leaked from the client side. VoidAuth (or other services) should only be storing your public key so a leak on the server side would not allow someone to log in as you.
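
The flow described in the comments above (the site keeps only a public key, and the key is bound to one domain), as an added example that is not part of the thread and not VoidAuth's code. It is a simplified model using Node's built-in crypto module, not the real WebAuthn message format; the `Authenticator` class, `verifyLogin`, `demo` and the example origins are constructed for illustration.

```javascript
// Simplified model of a passkey login; not the real WebAuthn message format.
const nodeCrypto = require("node:crypto");
const sha256 = (s) => nodeCrypto.createHash("sha256").update(s).digest();
const b64 = (buf) => buf.toString("base64url");

// Authenticator (device or password manager): one key pair per site.
class Authenticator {
  constructor() { this.keys = new Map(); } // site hostname -> private key
  register(host) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(host, privateKey); // the private key never leaves this object
    return publicKey.export({ type: "spki", format: "pem" }); // all the server receives
  }
  // `origin` is supplied by the browser from the real page URL, not by the page.
  sign(origin, challenge) {
    const host = new URL(origin).hostname;
    const key = this.keys.get(host);
    if (!key) return null; // no credential for this domain, so nothing to hand over
    const clientData = JSON.stringify({ origin, challenge: b64(challenge) });
    const signed = Buffer.concat([sha256(host), sha256(clientData)]);
    return { clientData, signature: nodeCrypto.sign("sha256", signed, key) };
  }
}

// Server side: holds only the public key and a fresh random challenge per login.
function verifyLogin(expectedOrigin, publicKeyPem, challenge, assertion) {
  if (!assertion) return false;
  const data = JSON.parse(assertion.clientData);
  if (data.origin !== expectedOrigin) return false; // signed for another site
  if (data.challenge !== b64(challenge)) return false; // replayed assertion
  const host = new URL(expectedOrigin).hostname;
  const signed = Buffer.concat([sha256(host), sha256(assertion.clientData)]);
  return nodeCrypto.verify("sha256", signed, publicKeyPem, assertion.signature);
}

function demo() {
  const site = "https://auth.example.com"; // constructed origins
  const lookalike = "https://auth.example.com.lookalike.test";
  const device = new Authenticator();
  const storedKey = device.register(new URL(site).hostname);
  const c1 = nodeCrypto.randomBytes(32), c2 = nodeCrypto.randomBytes(32);
  const assertion = device.sign(site, c1);
  const other = new Authenticator(); // a party that has only the stored public key
  other.register(new URL(site).hostname);
  return {
    genuine: verifyLogin(site, storedKey, c1, assertion), // true
    replayed: verifyLogin(site, storedKey, c2, assertion), // false
    lookalike: device.sign(lookalike, c2), // null
    withoutPrivateKey: verifyLogin(site, storedKey, c2, other.sign(site, c2)), // false
  };
}
```

In real WebAuthn the signed bytes are the authenticator data (which starts with the hash of the relying party ID) followed by the hash of the client data JSON; the model keeps that shape but drops the flags, counter and attestation.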