At some point, passkeys will be ubiquitous enough they’ll be like low friction SSH keys for web authentication (i.e. there will be no shared secrets in the login process).
It has its own pros.
The biggest one is that it uses asymmetric cryptography. This means that the only one that can sign a challenge given by the server is the one that has the private key equivalent of the public key the challenge was used to be encrypted with.
The challenge is sent to the client, in which the client signs the challenge the server sent with their private key and then sent back to the server. Since the server has the public key, the server can verify whether the signature is indeed from the private key owner. This is possible because the private and public key are mathematically linked. This is the reason why it is phish proof. Though I am not sure whether a phisher can just take the challenge, let the victim sign it and then give back the challenge to the server to login. Can anyone confirm that? They are not better than hardware keys (since they are basically software versions of physical hardware keys), but at least better than passwords. At least the breaches will impose much lesser risks when it becomes a standard.
They are not better than hardware keys (since they are basically software versions of physical hardware keys), but at least better than passwords.
That is not technically correct. Passkey is a protocol first and foremost, and the way it is implemented is up to the vendor. Can be software, eg. Apple, Google, Bitwarden, etc, but you can as well use a hardware key, eg. Yubikey has Passkey support for quite a while now.
The reason why I said that is because they are currently only stored in the cloud. It’s not like hardware and passkeys function differently. It’s just that a physical key (that you have) is more secure than having it on some companies computers.
Can someone tell me why I should care about this rather than just continuing to use my password and 2FA?
From just now reading the Docs regarding passkeys.
The main draw seems to be that it is easy to sign in (just requiring biometrics for example) and mainly a lot more resistant to phishing.
At this point, you probably shouldn’t.
At some point, passkeys will be ubiquitous enough they’ll be like low friction SSH keys for web authentication (i.e. there will be no shared secrets in the login process).
It has its own pros. The biggest one is that it uses asymmetric cryptography. This means that the only one that can sign a challenge given by the server is the one that has the private key equivalent of the public key the challenge was used to be encrypted with. The challenge is sent to the client, in which the client signs the challenge the server sent with their private key and then sent back to the server. Since the server has the public key, the server can verify whether the signature is indeed from the private key owner. This is possible because the private and public key are mathematically linked. This is the reason why it is phish proof. Though I am not sure whether a phisher can just take the challenge, let the victim sign it and then give back the challenge to the server to login. Can anyone confirm that? They are not better than hardware keys (since they are basically software versions of physical hardware keys), but at least better than passwords. At least the breaches will impose much lesser risks when it becomes a standard.
That is not technically correct. Passkey is a protocol first and foremost, and the way it is implemented is up to the vendor. Can be software, eg. Apple, Google, Bitwarden, etc, but you can as well use a hardware key, eg. Yubikey has Passkey support for quite a while now.
The reason why I said that is because they are currently only stored in the cloud. It’s not like hardware and passkeys function differently. It’s just that a physical key (that you have) is more secure than having it on some companies computers.