At its core it’s actually just an extension of the FIDO specification, with now “resident” credentials.

Security keys have no memory. What actually happens is the website sends you back a list of possible security keys, and the encrypted version of the private key. The security key decrypts it and signs with it.

With resident credentials, the security key keeps track of which sites etc. the key was registered on, and when you go to example.com it can tell you “would you like to log in with x account”.

That and “emulated” security keys, which use the TEE/TPM/SE in your phone or desktop.

Discussion

Security keys very much do have memory and the memory does keep the per website key.

Passkeys do not just allow "password-less" login; much more, they allow "username-less" login.

If the web site had to send the encrypted private key it would have to know at least the username to send the correct private key.

Example: "Up to 100 discoverable credentials"

There's your memory.

https://support.yubico.com/hc/en-us/articles/360013656980-YubiKey-5-NFC
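The two flows the thread contrasts, as an added simulation that is not from the original thread or from any FIDO implementation: a non-discoverable credential whose ID is a key-wrapped handle (the authenticator stores nothing per site, so the relying party must first look the handle up by username), beside a discoverable one kept in a per-rpId table that makes username-less login possible. The class names, the HMAC-based handle format and the HMAC "signature" standing in for an ECDSA key pair are assumptions made for the simulation.

```python
import hmac, hashlib, secrets

def _mac(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()
class Authenticator:
    def __init__(self):
        self.master = secrets.token_bytes(32)   # device secret; never leaves the device
        self.resident = {}                      # rp_id -> {cred_id: user_name}, passkeys only

    def _unwrap(self, rp_id, cred_id):
        # Handle = nonce || tag: a valid tag proves this device minted it for this rp_id, so the key is re-derived, not stored
        nonce, tag = cred_id[:16], cred_id[16:]
        if not hmac.compare_digest(tag, _mac(self.master, b"id", rp_id.encode(), nonce)[:16]):
            return None
        return _mac(self.master, b"key", rp_id.encode(), nonce)

    def make_credential(self, rp_id, user_name, resident=False):
        nonce = secrets.token_bytes(16)
        cred_id = nonce + _mac(self.master, b"id", rp_id.encode(), nonce)[:16]
        if resident:                            # discoverable credential: remember the site
            self.resident.setdefault(rp_id, {})[cred_id] = user_name
        return cred_id, self._unwrap(rp_id, cred_id)   # 2nd value stands in for the public key

    def get_assertion(self, rp_id, challenge, allow_list=()):
        # Non-empty allow_list: the RP looked handles up by username first (non-discoverable).
        # Empty allow_list: the device consults its own table for rp_id (username-less passkey).
        known = self.resident.get(rp_id, {})
        for cred_id in list(allow_list) or list(known):
            key = self._unwrap(rp_id, cred_id)
            if key is not None:
                return cred_id, known.get(cred_id), _mac(key, rp_id.encode(), challenge)
        return None

class RelyingParty:
    def __init__(self, rp_id):
        self.rp_id, self.by_user = rp_id, {}    # user_name -> [(cred_id, verify_key)]

    def register(self, auth, user_name, resident=False):
        self.by_user.setdefault(user_name, []).append(auth.make_credential(self.rp_id, user_name, resident))

    def login(self, auth, user_name=None):
        challenge = secrets.token_bytes(32)
        allow = [c for c, _ in self.by_user.get(user_name, [])] if user_name else []
        res = auth.get_assertion(self.rp_id, challenge, allow)
        cred_id, user, sig = res or (None, None, b"")
        owner = user_name or user               # username-less: the authenticator names the user
        for c, vk in self.by_user.get(owner, []):
            if c == cred_id and hmac.compare_digest(sig, _mac(vk, self.rp_id.encode(), challenge)):
                return owner
        return None
```

Registering "alice" without `resident=True` and "bob" with it, then calling `login(auth)` with no username, succeeds only for the resident entry; the same handle presented to a different device or under a different rpId fails to unwrap.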

What I meant there was security keys before resident credentials. The paragraph after that explains it.

Sorry I never got back to you. Completely forgot about that in-depth response until I was thinking about passkeys again just now. Appreciate the lengthy explanation. I'm a bit less suspicious of them now.