Passkeys replace passwords with encrypted key pairs that can’t be phished or leaked. Learn how FIDO2 and WebAuthn work, their pros and flaws.

Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.

But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.

I broke down how passkeys work, their strengths, and what’s still missing

  • HulkSmashBurgers@reddthat.comEnglish
    571·
    20 hours ago

    The eco-system lock-in makes this a non-starter for me. If I could store the private keys in something like a keepass vault (or that) and do the authentication magic from that I would consider it.

    • sonofearth@lemmy.worldEnglish
      3·
      9 hours ago

      I am not dependent on any ecosystem for passkeys. I have a self-hosted vaultwarden instance that works with Bitwarden clients. I create and store my passkeys over there primarily and in my keepass db (which I primarily use for TOTPs) for redundancy. So if either one gets compromised, I can just delete the passkey for the accounts involved in that database.

    • cmhe@lemmy.worldEnglish
      204·
      20 hours ago

      You can? At least I do that. I host vaultwarden myself and store the passkeys there.

      Passkeys to me are just a better way to autofill in login data.

      • barryamelton@lemmy.worldEnglish
        20·
        19 hours ago

        OK, now think how nontechnical people will not be able to do it. They will be tied to Google/X-corp for all credentials, even government ones. Waiting to be banned if their social credit is too low.

        • Frezik@lemmy.blahaj.zoneEnglish
          17·
          18 hours ago

          That’s the root of the problem. Nontechnical people don’t use good passwords, but all the ideas we have for replacing them are only usable by more technically minded people.

          There are a variety of other reasons why passwords are bad, though.

        • cmhe@lemmy.worldEnglish
          1·
          10 hours ago

          True. But I would say that this isn’t an issue intrinsic with passkey. Many people don’t have time/energy or the attitude to think critically about technology and are herded towards Google/X-corp/etc with offers of convenience and because they are often the only offered choice on the web sites. But from the POV of passkey they just act as a password manager.

        • Alaknár@sopuli.xyzEnglish
          91·
          18 hours ago

          OK, now think how nontechnical people will not be able to do it.

          Nontechnical people can use BitWarden/Keeper/Proton Authenticator/any other major system like that instead of self-hosting.