I haven't read into Pass Keys at all since they launched.

Are you using them?

The way all the big players are pushing for them has me sceptical.

But it might just save them from having to deal with thousands of daily account compromises, so maybe they aren’t bad and I shouldn’t infer malicious intent by association.


Discussion

Yeah, same.

So far I've been sticking with randomly generated strong passwords and always 2FA when available.

They push them because it’s so easy to use for users, and reduces account compromise risk for them.

The best way to explain it is it’s npub based login but per-website. And it works with a security key, but also many OSes have integrated passkey stuff.

At its core it’s actually just an extension of the FIDO specification, with now “resident” credentials.

Security keys have no memory. What actually happens is the website sends you back a list of possible security keys, and the encrypted version of the private key. The security key decrypts it and signs with it.

With resident credentials, the security key keeps track of which sites etc. the key was registered on, and when you go to example.com it can tell you “would you like to log in with x account”.

That and “emulated” security keys, which use the TEE/TPM/SE in your phone or desktop.

Security keys very much do have memory and the memory does keep the per website key.

Passkeys do not just allow "password-less" login, much more they allow "username-less" login.

If the web site had to send the encrypted private key it would have to know at least the username to send the correct private key.

Example: "Up to 100 discoverable credentials"

There's your memory.

https://support.yubico.com/hc/en-us/articles/360013656980-YubiKey-5-NFC
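The two flows argued over in the posts above (a website sending back key handles for a known username versus resident, username-less credentials) side by side, as an added simulation that is not any poster's code and not real FIDO/WebAuthn code: the signature is a toy Schnorr scheme over constructed tiny parameters, and the key handle is modelled as a nonce the device re-derives its per-site key from, which gives the property the thread describes, namely that the handle the website stores is useless without the device secret. `Authenticator`, `RelyingParty` and the method names are hypothetical.

```python
import hashlib, hmac, os, secrets

P, Q = 1019, 509            # toy Schnorr group (constructed, insecure sizes; illustration only)
G = pow(2, (P - 1) // Q, P) # element of order Q
def _h(r, msg):
    return int.from_bytes(hashlib.sha256(str(r).encode() + msg).digest(), "big") % Q
def sign(x, msg):           # Schnorr signature with private scalar x
    k = secrets.randbelow(Q - 1) + 1
    e = _h(pow(G, k, P), msg)
    return e, (k - x * e) % Q
def verify(y, msg, sig):    # y = G^x is the public key the website stored at registration
    e, s = sig
    return _h(pow(G, s, P) * pow(y, e, P) % P, msg) == e

class Authenticator:        # simulated security key (hypothetical, not a real FIDO implementation)
    def __init__(self):
        self.master = os.urandom(32)  # device secret, never leaves the key
        self.resident = {}            # rp_id -> {cred_id: user_handle}, discoverable credentials only
    def _priv(self, rp_id, cred_id):
        # Non-resident design: the per-site private key is re-derived from the device secret and the
        # credential id (key handle), so the website can store the handle without holding the key.
        d = hmac.new(self.master, rp_id.encode() + cred_id, "sha256").digest()
        return int.from_bytes(d, "big") % (Q - 1) + 1
    def make_credential(self, rp_id, user, resident):
        cred_id = os.urandom(16)
        if resident:                  # remember site + user so login can be username-less
            self.resident.setdefault(rp_id, {})[cred_id] = user
        return cred_id, pow(G, self._priv(rp_id, cred_id), P)
    def get_assertion(self, rp_id, challenge, allow_list=None):
        if allow_list is None:        # no username given: the key lists its own credentials for the site
            allow_list = list(self.resident.get(rp_id, {}))
        if not allow_list:
            return None
        cred_id = allow_list[0]
        user = self.resident.get(rp_id, {}).get(cred_id)   # user handle exists only for resident creds
        return cred_id, user, sign(self._priv(rp_id, cred_id), rp_id.encode() + challenge)

class RelyingParty:         # simulated website
    def __init__(self, rp_id):
        self.rp_id, self.creds = rp_id, {}   # cred_id -> (username, public_key)
    def register(self, auth, user, resident=False):
        cred_id, pub = auth.make_credential(self.rp_id, user, resident)
        self.creds[cred_id] = (user, pub)
    def login(self, auth, username=None):
        challenge = os.urandom(32)
        allow = [c for c, (u, _) in self.creds.items() if u == username] if username else None
        resp = auth.get_assertion(self.rp_id, challenge, allow)
        if resp is None or resp[0] not in self.creds:
            return None
        user, pub = self.creds[resp[0]]
        return user if verify(pub, self.rp_id.encode() + challenge, resp[2]) else None
```

With only a non-resident credential registered, `login(auth)` without a username returns `None`, because the website has no key handle to send and the key has nothing stored for the site; after a resident registration the same call succeeds.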

What I meant there was security keys before resident credentials. The paragraph after that explains it.

Sorry I never got back to you. Completely forgot about that in-depth response until I was thinking about passkeys again just now. Appreciate the lengthy explanation. I'm a bit less suspicious of them now.