this post was submitted on 16 Sep 2025

464 points (98.3% liked)

Programmer Humor

26373 readers

1121 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

Keep content in english
No advertisements
Posts must be related to programming or programmer topics

founded 2 years ago

MODERATORS

anzo@programming.dev

Feyter@programming.dev

BurningTurtle@programming.dev

pylapp@programming.dev

464

GitHub auth (lemmy.world)

submitted 1 day ago by skepller@lemmy.world to c/programmer_humor@programming.dev

28 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] nialv7@lemmy.world 5 points 21 hours ago* (last edited 21 hours ago)

Yes, it's implementation specific, in this case your phone, or your browser is the passkey "device". And as long as it's protected by some form of authentication it's OK (though I would recommend a hardware token over phones/browsers). If it doesn't then you shouldn't be using that "passkey". Yes, there is no way for the website you are authenticating with to know whether your passkey is safe or not, choosing a secure passkey implementation is (unfortunately) the user's job. But it's the same with more traditional 2FAs, e.g. you can store your TOTP secret securely or insecurely, and the website will have no way to know.