
  • 𝕽𝖔𝖔𝖙𝖎𝖊𝖘𝖙@lemmy.world · 3 upvotes · edited · 1 year ago

    https://www.passkeys.io/technical-details#passkeys-under-the-hood

    They are a form of public key cryptography.

    The private key never leaves your device.

    You can’t really transfer them between devices.

    A lot of your other questions depend on the service. Generally you can still opt to use a password+2FA instead even if you have PassKeys enabled so adding one on a second device would simply require logging in with the password first or authenticating from another device if the service supports it.

    I don’t use 1Password so I can’t speak to their setup.

      • paholg@lemm.ee · 4 upvotes · 1 year ago

        It definitely is. A passkey in a TPM, for example, cannot leave a device. Also, passkeys can have phishing resistance that you cannot obtain with a password and most MFA solutions.

        Where passkeys fall short is registering new devices and recovery. I’m not sure what 1Password’s solution is here.

      • whosdadog@sh.itjust.works · 4 upvotes · 1 year ago

        It’s much more secure on ‘less than trusted’ devices and for less than secure people.

        Instead of having to type your password in on your friend's laptop that may have a keylogger installed, you just type your username in and then do your fingerprint on your phone. That's it; your phone verifies it's you and then transmits the passkey over Bluetooth, so it can't be phished or observed while you type it.

        For less than secure people, you don't have to convince them to use a password manager and stop writing their passwords on sticky notes. They just type in their username and do their fingerprint on their phone. It can't be phished, so even if someone is remotely controlling a victim's computer the damage is limited to allowing access to a single account on that physical computer - they can't take that passkey and use it anywhere else, unlike a password for an email account that's used for online banking as well. They also can't keylogger it and then log in after they're disconnected from the victim.