“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.

  • @NateNate60
    link
    English
    201 month ago

    I still have no idea how to use passkeys. It doesn’t seem obvious to the average user.

    I tried adding a passkey to an account, and all it does is cause a Firefox notification that says “touch your security key to continue with [website URL]”. It is not clear what to do next.

    • JackbyDev
      link
      fedilink
      English
      101 month ago

      After my password manager auto filled a password and logged me in the website said “Tired of remembering passwords? Want to add a passkey?” I didn’t know what it meant so I said no lol.

      • @[email protected]
        link
        fedilink
        English
        11 month ago

        Me too, I don’t trust the system and I don’t want to be locked into a specific browser and/or device.

    • Echo Dot
      link
      fedilink
      English
      51 month ago

      I think you actually have to buy a passkey device. Then configure it to work with a particular account.

      You plug the passkey into your computer and then whenever it asks for a password you literally touch it and it does its thing. I think there are options like biometrics that you can add on top but you don’t have to have that.

        • xor
          link
          fedilink
          English
          41 month ago

          …except the ones that can’t

          I think it depends on whether you have a TPM chip in it

          • @[email protected]
            link
            fedilink
            English
            31 month ago

            What are you talking about? KeepassXC, to my knowledge, is not dependent on any TPM, snd it does support passkeys.

            • xor
              link
              fedilink
              English
              -41 month ago

              devices themselves can act as passkeys

              I didn’t say a device needs a TPM to support passkeys - I said I believe it it needs one to be a passkey

              Thank you for your passive aggressive response caused by poor reading comprehension, though

              • @[email protected]
                link
                fedilink
                English
                11 month ago

                From what I understand, “passkey” refers to software, so no such thing as “device being a passkey”. Unlike a hardware key.

                • xor
                  link
                  fedilink
                  English
                  11 month ago

                  You understand incorrectly. “passkey” refers to a token used for the public key authentication that is used for sign in, which needs to be stored somewhere - this can be stored in a hardware key like a YubiKey, or in your device’s credentials manager. In principle, this could be anywhere, but it needs to be somewhere secure to not be trivial to compromise (eg taking out your HDD and just copying your passkey off it)

                  In Windows’ case, this secure credentials store is the TPM chip, which is why you are not able to use passkeys on Windows devices that have no TPM chip (unless you use another hardware implementation).

                  Tldr: passkeys are data, not software, and to store the data, you need some form of hardware, which needs to be secure to not be a really bad idea.

                  If you’d like to do some reading before confidently correcting me further, I’d suggest reading about how passkeys work.

                  • @[email protected]
                    link
                    fedilink
                    English
                    21 month ago

                    That is exactly what I said though - passkeys are software. They’re not confined to hardware modules, so there’s no such thing as “device being a passkey”.

      • @NateNate60
        link
        English
        81 month ago

        If that’s what’s needed, I can say with some certainty that adoption isn’t going to be picking up any time this decade.

        • Echo Dot
          link
          fedilink
          English
          11 month ago

          They’ve been around forever as a concept I think I even have one for accessing some servers at work. You’re right no one uses them.