Passkey is some sort of specific unique key to a device allowing to use a pin on a device instead of the password. But which won’t work on another device.

Now I don’t know if that key can be stolen or not, or if it’s really more secure or not, as people have really unsecure pins.

  • darth_helmet@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    8
    ·
    1 year ago

    Use a yubikey, that doesn’t vendor-lock you to an OS ecosystem. They make one with nfc so it’s not a pain to use with your phone.

    • russjr08@outpost.zeuslink.net
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      I’m not sure if this is universal or specific to the last site I tried to use my Yubikey with as a passkey, but it only would allow it to be used as 2FA, not actual passwordless authentication.

      I assume this is because Yubikeys don’t create a secret for each individual website I suppose? Not exactly sure about that one.

      • Natanael@slrpnk.net
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Both the website and your physical security token must support the right type of webauthn credentials (the token has storage for a certain number of slots with “discoverable credentials”).

        Passkeys is a variant of the same which is bound to your device’s own TPM / SE security chip or equivalent, plus a synchronization feature for backups.

      • Companion1666@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        edit-2
        1 year ago

        You can use Yubico keys as your passwordless logins. Both Google and Microsoft have this option.

        • russjr08@outpost.zeuslink.net
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Strangely enough, Google lets me “add” my Yubikey as a passkey, but then does not let me sign in with it due to it not being “recognized”. If I remove it as a passkey, and only use it as a 2FA token, attempt to sign in and use the “Enter your password” option, it will then let me use the key after I’ve entered my password as a second factor.

          So it seems Google has removed the error (or its not triggering anymore) as they will have been one of the first sites I tried to create a passkey for, but it still does not let you use it as a passkey.

          • Companion1666@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            1 year ago

            I haven’t encountered this issue, yet. I’m using LibreWolf browser (v118.0) and tested logging in my Google and MS account passwordless. BTW, I have Yubico Security Key NFC (the blue one).