Passkeys are way more difficult to export than passwords, if you can at all. It's great for Google and Apple, because it locks you in (no site in their right mind allows you to switch back to passwords). Coal.

Are sites able to certify the origin of a passkey? This is mostly not a problem if you can use your own software to manage passkeys, but if banks will reject my (exportable) keepass passkeys, I'll be pissed.

That said, even pro-consumer software gets BIPOClicious sometimes. Firefox conforms to the HSTS spec and doesn't allow you to skip malformed certificates, not even via about:config.

Yeah, but you can approve self-signed certs.

Are sites able to certify the origin of a passkey?

How would they? It's just basic public/private key crypto. Unless there was a massive effort to distribute hardware universally that stored keys baked in by the manufacturer, and that hardware was known to be tied to you... then the signing can be done anywhere by whoever has the private key. So no.

These algos certify the key itself, nothing more than that.

I see. I remember some person who seems to be involved with passkeys in some form vaguely threatening that this will get keepassxc blocked.

https://github.com/keepassxreboot/keepassxc/issues/10407

https://github.com/keepassxreboot/keepassxc/issues/10406

But I've double-checked, and the devs concluded that the current spec doesn't allow blocking since they can just spoof the self-reported id. The passkey guy then threatened that the spec can be changed...

Well, it's not an algo limitation; that would be an implementation choice.

At the end of the day, the algos can only inherently verify a key, because it's the key that's mathematically used to prove identity.

The things aren't really more "secure" in proving identity than a good password. They remove a bunch of human stupidity from the process, like picking a weak password, or manually entering it in the wrong place, or a weak password transport mechanism, and things of that nature. So the protocol details themselves are inherently more secure, and that is a clear and significant improvement... but it's still proving the key, not necessarily the person who at present has the key, so the quality of proof is roughly the same.

To build some kind of better-quality identity proof you would need to be able to run some kind of algorithm based on a person's biological property. And this would need to be done without translating this data to binary before running the proof, as that could be considered a key that could be stolen. It would need to somehow physically operate off the biological property itself. I'm not sure that's really possible.

I use 1Password, and various browsers refuse to look there for my passkeys, so I stopped trying to use them.

The tech is still very young; in 10 years this will "just work".

The six months between that moment and quantum computers making all cryptography obsolete is gonna be so cozy.

Don't forget that Google has the right to terminate your account at any time for any reason; hope you have an alternate way to log in if that happens :pepehackergenocide#:

I lost access to a site because I used Twitter to log in to it and I tweeted learn2code at a journo.

If Google decided to ruin my life, the amount of fricked I would be is indescribable.

I mean, it's just public/private key crypto. If they can sync it between computers, which Google does, then it can be exported. The key itself is just a byte string...

