• Gigan@lemmy.world
    link
    fedilink
    English
    arrow-up
    8
    ·
    edit-2
    7 months ago

    I still don’t understand passkeys. What prevents someone else from using my passkey? Maybe I should just set one up to get a better idea of how they work.

    • BakedCatboy@lemmy.ml
      link
      fedilink
      English
      arrow-up
      21
      arrow-down
      1
      ·
      7 months ago

      Passkeys are like using a private key to log in. There are several ways it’s better:

      • Passwords can be stored improperly by a website leading it to be leaked
        • Passkeys never leave the device so a website being breached can never leak your passkey
        • The website only stores the public portion of the key which is useless to an attacker
        • Passkeys can only be stolen by attacking and breaching the device or password manager that holds it
      • Passwords can and often are reused across multiple sites so a single leaked password can compromise many sites
        • Passkeys are created for each site so an attacker would need to steal each one separately
      • Passwords can be phished by fooling a user into entering the password
        • Passkeys can’t be phished easily since it’s designed not to leave the device - if such an attack was found it could be patched in the browser / password manager. You can’t patch all password forms to stop phishing in the same way

      If you’re familiar with ssh keys, it’s similar to that and why the top security recommendation for new servers is to disable passwords and use keys instead.

        • shortwavesurfer@monero.town
          link
          fedilink
          English
          arrow-up
          17
          arrow-down
          1
          ·
          7 months ago

          Yes, but a password is a shared secret. So both you and the person you are interacting with need the password and therefore it is more vulnerable. With a past key, only you have the private key and the company or service you are interacting with never has access to the secret. Basically, they encrypt a message to you using your public key and then your private key decrypts it and sends them a response back with the correct answer.

        • Steve@communick.news
          link
          fedilink
          English
          arrow-up
          12
          arrow-down
          1
          ·
          edit-2
          7 months ago

          The difference is, you literally never give the private key to anyone. Nobody will ever ask for it.

          It works through public private key encryption. To login the site will send your computer a “challenge” (some kind of math problem) that’s first encrypted with your public key. That means only your private key will be able to decrypt the challenge. Then your machine will generate an answer, encrypt it with the private key and sent that back. If the public key decrypts the answer and it matches, they know you are you.

          • 4am@lemm.ee
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            3
            ·
            7 months ago

            “Websites ask me for it every time I visit them bro 🤪”

            • IHawkMike@lemmy.world
              link
              fedilink
              English
              arrow-up
              6
              arrow-down
              1
              ·
              7 months ago

              Except they don’t. They may request a passkey which is just an oversimplification about what is going on behind the scenes, with information being passed back and forth as Steve described.

              But the private key never leaves the device. This is such a huge distinction that is easy to overlook. But it is very, very important.

        • Vilian@lemmy.ca
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          1
          ·
          7 months ago

          not exacly, if someone hack a site that has poor security they gonna have your password, it you put your passkey there, it’s useless, also people can’t see you writibg yoyr password if don’t write it