Passkey is some sort of specific unique key to a device allowing you to use a pin on a device instead of the password. But which won’t work on another device.

Now I don’t know if that key can be stolen or not, or if it’s really more secure or not, as people have really insecure pins.

  • MeanEYE@lemmy.world · 16 up, 3 down · 1 year ago

    Am not buying the idea. It sounds great on paper but in reality it doesn’t feel better. So idea is you have private and public keys, like many other forms of encryption out there. Private is stored on your device, and public is stored on account holder, like Google. Since keys are mathematically linked anything signed with private key can be verified by public key and vice-versa.

    This is great technology and has been proven for decades now. It essentially means your device and account holder can exchange data without anyone ever finding out your private key since it never leaves your device.

    However, issues. Keys are backed up somewhere and still depend on password, be it pin or regular old password. Recovering lost key means using password still. That means attack vector has just shifted and they won’t try to steal your key but social engineer their way into phishing your original password, making the whole thing a bit pointless.

    Another thing that worries me is the possibility each device will have its own key, although they claim transferable. Depending on what data is used to authenticate and prove device is owned properly this can be used to fingerprint users. For example IMEI or some other unique id, etc. Something that’s not easily done with passwords.

    Biggest one is the fact it will negate two factor authentication. Verifying code on your phone and knowing password is difficult to exploit since it requires a lot of effort… possession of the device and knowledge of password. But with passkeys, there’s no password to remember and everything boils down to owning a device. They are then relying on the OS and device itself not to leak sensitive information. Not something I’d rely on.

    Also, private key being backed up on Google means should they ever leak data someone can get everything they need to access your account. Private keys being protected by simple pin or password means nothing and would probably be easily broken due to simple nature of the protection.

    Am not convinced this will see such high adoption as so many are claiming it will have.

    • surewhynotlem@lemmy.world · 9 up, 2 down · 1 year ago

      Most hardware today has what’s called a TPM. It’s a physical hardware chip that can store certificates in a way that can’t be extracted.

      It’s way more secure than someone stealing a cer file.

      • MeanEYE@lemmy.world · 9 up, 2 down · 1 year ago

        I know what TPM is, am not talking out of my ass here. But chain is only as strong as its weakest link, which is backup certificates somewhere protected by a pin or simple password. If it still requires password to access certificate, then you have moved issues from one place to another. What good is an iron front door when you leave your windows open?

    • confusedbytheBasics@lemmy.world · 6 up, 10 down · 1 year ago

      It doesn’t feel better? Good thing security doesn’t care about feelings. The fact is it is more secure no matter what it feels like. Privacy is maintained since you use a new key with each site. There is no IMEI or anything like that in the passkey spec. Social engineering ranges from more difficult to impossible depending on if you use a synced, local software based, or hardware based passkey system.

      You have a lot of incorrect assumptions. Read https://support.apple.com/en-us/102195 and https://fidoalliance.org/passkeys/#faq.
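A toy model of the sign-and-verify flow described in MeanEYE’s first post, and of the “new key with each site” point in the reply above, as an added example (it is not code from the thread, nor from any passkey implementation). It uses Go’s standard-library Ed25519 and a simplified stand-in for what WebAuthn actually signs; the site names, the user id and the per-site key map are constructed for the demo. It shows three properties: the private key never leaves the device, each site receives its own public key, and an assertion signed while connected to a look-alike site does not verify at the real one, even when the real site’s challenge is relayed through it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device is the user's authenticator. It keeps one private key per site
// (relying party id) and never exports any of them.
type Device struct {
	keys map[string]ed25519.PrivateKey // rpID -> private key
}

// RelyingParty is a site. It stores only public keys, one per enrolled user.
type RelyingParty struct {
	id   string                       // e.g. "bank.example" (constructed)
	pubs map[string]ed25519.PublicKey // userID -> public key
}

func NewDevice() *Device { return &Device{keys: map[string]ed25519.PrivateKey{}} }

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, pubs: map[string]ed25519.PublicKey{}}
}

// Register mints a fresh key pair for this site and returns only the public
// half, which is what the site stores. Another site gets another key pair.
func (d *Device) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	d.keys[rpID] = priv
	return pub
}

// Challenge is a fresh random nonce the site sends for each login attempt.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// signedData is what actually gets signed: the hash of the site id the device
// believes it is talking to, followed by the challenge. This is a simplified
// stand-in for WebAuthn, where the signature covers authenticatorData
// (which carries the rpIdHash) plus the hash of the client data.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Assert signs a challenge with the key enrolled for rpID.
func (d *Device) Assert(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := d.keys[rpID]
	if !ok {
		return nil, errors.New("no credential enrolled for " + rpID)
	}
	return ed25519.Sign(priv, signedData(rpID, challenge)), nil
}

// Verify checks an assertion against the stored public key. The site uses its
// own id, so a signature produced for any other id fails to verify.
func (rp *RelyingParty) Verify(userID string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[userID]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedData(rp.id, challenge), sig)
}

// Scenario enrolls one device at a genuine site and at a look-alike, then
// reports: whether a normal login verifies, whether an assertion relayed via
// the look-alike is accepted by the genuine site, and whether the two sites
// received distinct public keys.
func Scenario() (genuine, relayed, distinctKeys bool) {
	dev := NewDevice()
	bank := NewRelyingParty("bank.example")      // constructed
	fake := NewRelyingParty("bank-example.test") // constructed look-alike

	bankPub := dev.Register(bank.id)
	fakePub := dev.Register(fake.id)
	bank.pubs["alice"] = bankPub
	fake.pubs["alice"] = fakePub

	// 1. Normal login: challenge from the bank, signed for the bank.
	ch := bank.Challenge()
	sig, _ := dev.Assert(bank.id, ch)
	genuine = bank.Verify("alice", ch, sig)

	// 2. Relay: the look-alike forwards the bank's challenge, but the device
	//    signs for the id it is actually connected to, so the bank rejects it.
	ch2 := bank.Challenge()
	sig2, _ := dev.Assert(fake.id, ch2)
	relayed = bank.Verify("alice", ch2, sig2)

	// 3. Per-site keys: the two sites hold nothing in common to correlate.
	distinctKeys = !bankPub.Equal(fakePub)
	return
}

func main() {
	g, r, d := Scenario()
	fmt.Printf("genuine login ok: %v\nrelayed assertion accepted: %v\nkeys differ per site: %v\n", g, r, d)
}
```

What the model deliberately leaves out is the part the thread argues about: how the per-site private keys are backed up or synced between devices, and what protects that backup. The signature binding above holds regardless of that choice; the strength of the recovery path is a separate question.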