I still don't understand what the hell passkeys are. Weren't passwords and {hardware keys | authenticator apps} enough?

I don't think average Joe is going to understand these passkeys either.

A passkey is just a thing that authenticates with FIDO2 (or is it WebAuthn?), I believe.

With a password, you open your password manager, copy the password in memory, paste it into the input field and trust that nobody could read it from your clipboard and that the program handling the password does it correctly. If your password leaks on the way, it's leaked.

With FIDO2, the server sends a challenge and asks your HSM (or TPM, not sure what the right word is) to sign it with your private key. So the server can verify that you own the private key, but if the challenge or the response leaks, it's just this one time. Next time it will be a new challenge.

Also for the average Joe, the result is that the "passkey" is the fingerprint or the face recognition and there is no password. It feels like they have only one password: the biometry/face recognition (or a master password, I guess?). So passkeys are superior to passwords in that sense.

Fun fact 1: some people hate passkeys because they don't want to be forced to rely on TooBigTech for them. Currently I use my Yubikeys as passkeys everywhere and it works well, so I do NOT depend on TooBigTech.

Fun fact 2: FIDO2 on current Yubikeys (and HSM in general, I think) tend to use classic cryptography which would be broken by quantum computers. A password used with symmetric encryption is not broken by quantum computers. So there may be a period of time where this becomes a tradeoff (you may have to decide whether the most likely attack is a quantum computer breaking your authentication or a malware stealing your password)?

▲

Ferret7446 12 hours ago | parent | next [-]

> A passkey is just a thing that authenticates with FIDO2 (or is it WebAuthn?), I believe.

Not quite. First of all, passkey is not a standardized term. But usually it refers to a key that can be used for authentication on its own, not as a 2FA along with a password.

A FIDO2 key can be a passkey, or not, depending on the service or configuration.

FIDO2 and WebAuthn added some fields necessary to make this work "securely", e.g. asking the key to verify the user separately (e.g. a PIN, which serves as a second factor), or asking the key whether it is device bound or roaming, so individual sites/enterprises can enforce their security policies

▲

qurren 16 hours ago | parent | prev [-]

> With a password, you open your password manager, copy the password in memory, paste it into the input field and trust that nobody could read it from your clipboard and that the program handling the password does it correctly. If your password leaks on the way, it's leaked.

I don't do that. My password manager simulates keystrokes 2 seconds after I hit the button. I switch to the other window and my password gets punched in without going through the clipboard. Specifically to avoid this attack.

> Currently I use my Yubikeys as passkeys

I have Yubikeys but for 2FA. So we're back to 1FA now but just "something you have" and no "something you know" ?

	▲	palata 16 hours ago \| parent [-]
		> I don't do that. My password manager simulates keystrokes 2 seconds after I hit the button. So a malware on your computer can just listen to the keystrokes, or read on the screen? If the OS is compromised, they can extract the password. With a passkey they can't. > So we're back to 1FA now but just "something you have" and no "something you know" ? You can set up a PIN on your Yubikey, so that's "something you have" and "something you know", and you can request physical presence ("touching the yubikey") on top.