Passkeys replace passwords with encrypted key pairs that can’t be phished or leaked. Learn how FIDO2 and WebAuthn work, their pros and flaws.

Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.

But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.

I broke down how passkeys work, their strengths, and what’s still missing

  • HulkSmashBurgers@reddthat.comEnglish
    481·
    12 hours ago

    The eco-system lock-in makes this a non-starter for me. If I could store the private keys in something like a keepass vault (or that) and do the authentication magic from that I would consider it.

    • sonofearth@lemmy.worldEnglish
      2·
      1 hour ago

      I am not dependent on any ecosystem for passkeys. I have a self-hosted vaultwarden instance that works with Bitwarden clients. I create and store my passkeys over there primarily and in my keepass db (which I primarily use for TOTPs) for redundancy. So if either one gets compromised, I can just delete the passkey for the accounts involved in that database.

    • cmhe@lemmy.worldEnglish
      194·
      12 hours ago

      You can? At least I do that. I host vaultwarden myself and store the passkeys there.

      Passkeys to me are just a better way to autofill in login data.

      • barryamelton@lemmy.worldEnglish
        18·
        11 hours ago

        OK, now think how nontechnical people will not be able to do it. They will be tied to Google/X-corp for all credentials, even government ones. Waiting to be banned if their social credit is too low.

        • cmhe@lemmy.worldEnglish
          1·
          2 hours ago

          True. But I would say that this isn’t an issue intrinsic with passkey. Many people don’t have time/energy or the attitude to think critically about technology and are herded towards Google/X-corp/etc with offers of convenience and because they are often the only offered choice on the web sites. But from the POV of passkey they just act as a password manager.

        • Frezik@lemmy.blahaj.zoneEnglish
          16·
          10 hours ago

          That’s the root of the problem. Nontechnical people don’t use good passwords, but all the ideas we have for replacing them are only usable by more technically minded people.

          There are a variety of other reasons why passwords are bad, though.

        • Alaknár@sopuli.xyzEnglish
          81·
          10 hours ago

          OK, now think how nontechnical people will not be able to do it.

          Nontechnical people can use BitWarden/Keeper/Proton Authenticator/any other major system like that instead of self-hosting.