Replying to semisol

At its core it’s actually just an extension of the FIDO specification, with now “resident” credentials.

Security keys have no memory. What actually happens is the website sends you back a list of possible security keys, and the encrypted version of the private key. The security key decrypts it and signs with it.

With resident credentials, the security key keeps track of which sites etc. the key was registered on, and when you go to example.com it can tell you “would you like to log in with x account”

That and “emulated” security keys, which use the TEE/TPM/SE in your phone or desktop
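
The non-resident flow described in the post above, as an added Go sketch that is not part of the original post: the key holds only a device secret, and the credential ID the site stores is the per-site private key encrypted under it. Ed25519, AES-GCM, the `rpID|challenge` message format and all names here are assumptions chosen for the sketch; real authenticators and WebAuthn messages differ.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Authenticator is a toy stateless security key (assumed design): its only state is a device secret.
type Authenticator [32]byte

const nonceLen = 12 // standard AES-GCM nonce size

func (a *Authenticator) aead() cipher.AEAD {
	block, _ := aes.NewCipher(a[:]) // cannot fail: the key is exactly 32 bytes
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// Register returns the public key and the credential ID (nonce || encrypted seed, rpID as AAD).
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, []byte, error) {
	buf := make([]byte, nonceLen+ed25519.SeedSize) // random nonce || random private seed
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, err
	}
	pub := ed25519.NewKeyFromSeed(buf[nonceLen:]).Public().(ed25519.PublicKey)
	return pub, a.aead().Seal(buf[:nonceLen:nonceLen], buf[:nonceLen], buf[nonceLen:], []byte(rpID)), nil
}

// Sign decrypts a credential ID the site sent back and signs the site's challenge with it.
func (a *Authenticator) Sign(rpID string, credID, challenge []byte) ([]byte, error) {
	if len(credID) < nonceLen {
		return nil, fmt.Errorf("credential ID too short")
	}
	seed, err := a.aead().Open(nil, credID[:nonceLen], credID[nonceLen:], []byte(rpID))
	if err != nil {
		return nil, fmt.Errorf("credential ID not issued by this key for %q", rpID)
	}
	return ed25519.Sign(ed25519.NewKeyFromSeed(seed), append([]byte(rpID+"|"), challenge...)), nil
}

func main() {
	var key Authenticator // constructed all-zero device secret, for this demo only
	pub, credID, _ := key.Register("example.com")
	sig, _ := key.Sign("example.com", credID, []byte("c1"))
	_, err := key.Sign("other.example", credID, []byte("c1"))
	fmt.Println(ed25519.Verify(pub, []byte("example.com|c1"), sig), err)
}
```

The site keeps `pub` and `credID`; the key keeps nothing per site, which is why it cannot list accounts the way a resident credential can.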

HERMETICVM 5mo ago

Sorry I never got back to you. Completely forgot about that in-depth response until I was thinking about passkeys again just now. Appreciate the lengthy explanation. I'm a bit less suspicious of them now.
