.

    • paholg@lemm.ee
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      It definitely is. A passkey in a TPM, for example, cannot leave a device. Also, passkeys can have phishing resistance that you cannot obtain with a password and most MFA solutions.

      Where passkeys fall short is registering new devices and recovery. I’m not sure what 1Password’s solution is here.

    • whosdadog@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      It’s much more secure on ‘less than trusted’ devices and for less than secure people.

      Instead of having to type your password in on your friends laptop that may have a keylogger installed, you just type your username in and then do your fingerprint on your phone. That’s it; your phone verifies it’s you and then transmits the passkey over Bluetooth, so it can’t be phished or observed while you type it.

      For less than secure people, you don’t have to convince them to use a password manager and stop writing their passwords on sticky notes. They just type in their username and do their fingerprint on their phone. It can’t be phished so even if someone is remotely controlling a victims computer the damage is limited to allowing access to a single account on that physical computer - they can’t take that passkey and use it anywhere else, unlike a password for an email account that’s used for online banking as well. They also can’t keylogger it and then log in after they’re disconnected from the victim.