81
Passkeys are generally available on GitHub
(github.blog)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 24 Sep 2023
81 points (94.5% liked)
Programming
16210 readers
162 users here now
Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!
Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.
Hope you enjoy the instance!
Rules
Rules
- Follow the programming.dev instance rules
- Keep content related to programming in some way
- If you're posting long videos try to add in some form of tldr for those who don't want to watch videos
Wormhole
Follow the wormhole through a path of communities !webdev@programming.dev
founded 1 year ago
MODERATORS
Can someone tell me why I should care about this rather than just continuing to use my password and 2FA?
I’m stealing this from another comment:
The main advantage comes with phishing resistance. Standard MFA (time based codes) is not phishing resistant. Users can be social engineered into giving up a password and MFA token. Other MFA types, such as pop up notifications, are susceptible to MFA fatigue. Similar to YubiKeys, Passkeys implement a phishing resistant MFA by storing an encryption key, along with requiring a biometric. The benefit here is that these are far easier for the average user, and the user does not need to carry a physical device. Sure, fingerprints could possibly be grabbed with physical presence, but there is far less risk that a users fingerprint is stolen, than a user being social engineered over the phone into giving creds. For most organizations and users, this is far more secure.
I kind of don't like to store my fingerprints with Google. Even FBI collects them when you are indicted.
What about allowing us to log in to services via asymmetric keys?
Note that you pretty much can't store them with Google or Apple; smartphone biometric sensors operate the on-device HSM, not something remote.
So, how does it work when you are accessing account from a different device? How the other device knows your fingerprint?
It does not. The fingerprint always only unlocks the device's HSM ("secure enclave" in Apple speak).
Between your devices enrolled in the ecosystem, private keys are synced securely (AFAIK, they make it so that an existing device’s HSM encrypts keys using the pubkey of the new one’s HSM); for signing up using your device on someone else's computer there's a process that combines QR codes with Bluetooth communication.