this post was submitted on 11 Nov 2025
280 points (87.8% liked)

Technology

76839 readers
1479 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
280
Passkeys Explained: The End of Passwords (sentientrant.com)
submitted 5 days ago by sentientRant@lemmy.world to c/technology@lemmy.world
208 comments fedilink hide all child comments
 

Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.

But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.

I broke down how passkeys work, their strengths, and what’s still missing

(page 2) 50 comments
sorted by: hot top controversial new old
[–] 58008@lemmy.world 9 points 5 days ago

Nope.

[–] ExLisper@lemmy.curiana.net 7 points 5 days ago (1 children)

Hardly anyone supports it: https://www.passkeys.io/who-supports-passkeys

So to use it I will have to log in with my google/microsoft account everywhere? Thanks but no thanks.

[–] artyom@piefed.social 6 points 5 days ago* (last edited 5 days ago)

I've used it with many sites not on that list. Including this one. It's not comprehensive.

No, you do not need Microsoft/Google account.

[–] reluctant_squidd@lemmy.ca 6 points 5 days ago

It’s the never ending battle between what’s secure and what’s practical. In order to have widespread adoption, it has to be easy. In order to be secure it requires layers of complication.

It’s a yin/yang battle.

A bank vault with walls 2 feet thick, 24/7 surveillance and requiring a two key unlock mechanism is secure compared to a house door lock on a regular suburban bungalow, but is it very practical?

The level of digital security generally attainable is limited by how likely someone is to use it.

2FA using keys is the closest I’ve seen to a happy medium, but it has to be implemented correctly. If the private keys are sitting on a cloud server somewhere and it gets hacked, is it more secure? Maybe not.

Just like real defence, the walls are only as good as the foundation or weakest point.

[–] BilSabab@lemmy.world 6 points 4 days ago (1 children)

seems like too much messing around to make it a widespread solution.

[–] Appoxo@lemmy.dbzer0.com 5 points 4 days ago (1 children)

Acrually not really.
I do use it with my password manager.
Very convenient.

BUT, it's not hardware based so more suscepticle to attacks.

load more comments (1 replies)
[–] lukaro@lemmy.zip 6 points 4 days ago (3 children)

All I know is a few months back someone setup a passkey on a shared google account at my job and now nobody but knows what the password for our email is. I can use the passkey to sign in with my phone, but only I can do that.

load more comments (3 replies)
[–] baggachipz@sh.itjust.works 6 points 5 days ago (1 children)

My company’s online product uses passkeys (I implemented it) more as a convenience method for login. 2FA is the base standard, and authenticated users can create a passkey for each device they want to use. Subsequent logins can then use the passkey or 2FA. Rather than having to dig out my phone, open the authenticator app, and put in the digits, I can simply use the fingerprint reader and I’m right in.

[–] HereIAm@lemmy.world 4 points 5 days ago

That doesn't sound like a TOTP vs passkey situation though. It sounds like the program just releases the passkey when you give it the fingerprint. There wouldn't be anything stopping the program from generating a OTP and passing that along when you identify with the fingerprint.

I think a big issue is how difficult it can seem to be to get easy access to TOTP codes, like in your example digging up your phone. But that's more of a browser/operating system failure for not implementing a way to generate those codes like they can already store usernames and passwords.

[–] tym@lemmy.world 6 points 4 days ago

hot take: end users will be more likely to adopt security keys (or device attested passkey which = security key). Physical security, out-of-bounds cryptography to defeat AitM attacks (fake landing pages where six digit codes are stolen and silently used in perpetuity by the bad actor)

source: my job is to try to get end users to put strong MFA on all the things.

[–] minorkeys@lemmy.world 5 points 5 days ago (1 children)

What am I dependent on to access by stuff if I use a passkey? A smart phone?

load more comments (1 replies)
[–] ProjectPatatoe@lemmy.world 5 points 5 days ago (1 children)

I like passkeys but ONLY as the second factor. Using them as the primary makes no sense in majority of cases.

load more comments (1 replies)
[–] ivanovsky@lemmy.world 4 points 5 days ago (2 children)

I've been mostly too lazy to look into how to use passkeys. If my normal flow is using 1password for 2fa (on mobile and on the computer), is there a way I can still use that with passkeys? It says they're supported but I'm not sure how that'd work, because aren't they device specific?

I just don't want me losing access to my phone for whatever reason mean that I lose access to my accounts.

load more comments (2 replies)
load more comments
view more: ‹ prev next ›