• @xylogx
    721 days ago

    Passkey is resistant to these attacks, but user adoption is not widespread enough for Discord to be able to mandate it.

    • @_Atlas_
      321 days ago

      Wtf, if it’s such a huge security bonus, why wait for user adoption, especially if token stealing is an issue?

      • @xylogx
        220 days ago

        Change is hard. It has been a long road to get where we are today: major OS and Browser vendor support. Users now need to change their behavior.

      • @xylogx
        220 days ago

        Passkey is FIDO2.

        • @[email protected]
          420 days ago

          Based on FIDO Alliance and W3C standards, passkeys replace passwords with cryptographic key pairs. These key pairs profoundly improve security. – https://developer.apple.com/passkeys/

          Based on FIDO2/WebAuthn but unlike them, passkeys are those things Apple & Google have been pushing that live on their servers + one specific device in its secure enclave you as a user aren’t allowed to look into. FIDO2 is usually tied to some USB security token.

          • @[email protected]
            120 days ago

            You can still use a YubiKey or even a password manager like KeePassXC with passkeys, no need for any Google/Apple or even secure enclave.

            • @[email protected]
              119 days ago

              These passkeys want to be unique per site/services & many hardware tokens only have a handful of slots for storage which means such dedicated don’t really work & storing them on say your laptop with your other passwords probably isn’t ideal with KeePass. Many security experts don’t see the advantage over a good hardware token + unique password. Like Big Tech trying to reinvent XMPP with RCS, I feel they are trying to do the same with passkeys so they benefit them.