Passkeys replace passwords with encrypted key pairs that can’t be phished or leaked. Learn how FIDO2 and WebAuthn work, their pros and flaws.

Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.

But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.

I broke down how passkeys work, their strengths, and what’s still missing

  • lmmarsano@lemmynsfw.comEnglish
    1·
    13 hours ago

    If they can intercept my password despite TLS, they can probably also steal my session.

    That’s not necessarily true: it could leak due to flaw or defect that doesn’t affect the session token.

    Security is all about layers & reducing risk/surface area of attack. By getting your secret, they can leak it. Leaking a secret they don’t have, however, is impossible: that’s secure by design.

    I’m going to disagree that passkeys really have multifactor authentication built in.

    Then you’re disagreeing with standards & definitions. Passkeys are encrypted in an authenticator that needs a biometric or secret (ie, something you are or know) to unlock the key (something you have).

    Authenticator is a multi-factor cryptographic authenticator that uses public-key cryptography to sign an authentication assertion targeted at the WebAuthn Relying Party. Assuming the authenticator uses either a facial recognition, fingerprint or PIN for user verification, the authenticator itself is something you have while the facial recognition and fingerprint (biometric) are something you are and the PIN is something you know.

    my one attempt to use it

    While it’s fine to share, “I tried something once, it sucked” is not a great argument to generalize that the technology sucks or isn’t better than your limited impression. Maybe piefed sucks: if piefed implemented password authentication wrong, would you blame password authentication?