A passkey is a key pair where you keep the private key and give the public one to the service. Then you can log in by proving you have the private key. Fairly simple in theory. Horribly complex in practice.
this post was submitted on 22 Dec 2025
69 points (90.6% liked)
Technology
77870 readers
3431 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
Doesn't a normal modern password, hashed, essentielly do the same thing?
No sane service has your actual password.
There's a few differences. One is the length. Another is the randomness. The biggest, though, is that in a passkey, the server is verified as well. That means phishing is nearly impossible.
Yes, kind of. You’re still giving them your password every time you log in. And it’s on them whether they store it hashed or in plain text. With a passkey, you know that even if they’re hacked, they’ll never get your actual private key.
But, if they’re hacked, your key is probably the least of your concerns.
No. When you log into a website your password is sent to the server. A passkey is not.
That depends entirely on the service.
Nothing prevents the password from being hashed client-side, only ever sending the hash to the service.
True, but with passkeys they're never sent, by design.
Complex how exactly?
Here, these specs are what they’re based on:
Right but what about it do you think is complex?
Not feeling great about the opening saying keys are necessarily locked to a single device. If that was true, they wouldn’t be in active use.
Yep. I use them because my password manager handles cross device passkeys. If I had to set passkeys up on every single device I use, per device per web service, I don't think I'd bother with them...
Obligatory github drama https://github.com/keepassxreboot/keepassxc/issues/10407
It's just bullshit that the 'industry' is trying to push because 'security', catch me dead before I give up access to my private keys to some faceless multibillion corpo
The number of times I've seen people link to this thread while completely misunderstanding the context of it drives me nuts. The issue isn't being able to export keys, it's that KeepassXC was making it trivial to export keys in plaintext with no user warning/verification, which fundamentally undermines the biggest security advantage of passkeys - phishing resistance. In other words, if users can be easily talked through exporting their keys via a simple in-app flow that gives them no warning about the danger of what they're doing, then they will do that and be scammed horribly by it.
The person who raised the issue was asking KeepasXC to come up with a better solution for exporting keys - originally he asked them to wait for the now standardized process that every passkey provider uses, but then they settled on showing the user an explicit warning about the danger of plaintext exports in the meantime.
If you choose to read the most hostile and uncharitable subtext into every word a person writes in public, you can misunderstand what he's saying. Otherwise, this is a pretty cut-and-dry example of a person genuinely trying to support the interests of end users.
He does caveat that statement around 10 minutes into the video. But I still think it can be a useful technology even if it’s not portable since it can ease a typical sign in flow. I don’t think as this stage it’ll fully replace passwords.
Yea, I'd rather have a 32 character password created by my password manager. Instead of adding individual keys to each device, having all decives access the same database is much simpler.
I think the only passkey I have is stored in my VaultWarden. Though it only works in browsers atm.
Works on android too.
Windows recently introduced support for Passkeys.
But it can only be used with Bitwarden, if you have Windows Hello enabled ¯\_(ツ)_/¯
And I don't want to use anything else than a regular password.
Something I'm personally going to avoid as long as I can.
What is the point of having a passkey on OneDrive ?
isn't the whole point of OneDrive that you can access your files anywhere ?
Am I missing something here ?
Client side TLS certs are basically the same stuff and it works nicely. Too bad they didn't improve on that. My guess is that the big boys want to handle it at application layer.
To me they seem
A More user friendly
B Abstract away the burden of keeping the mTLS synchronized across devices
C Can be used in hardware and software.
Feel free to correct me if my assumptions are wrong.
Is your B point properly addressed by Passkeys? With all this talk about export I presume not. Client certs seem abandoned, you can't use it on mobile.
In theory yes.
Hardware tokens are bound to keys
Software baes tokens can be synced with password managers (3rd or 1st party)
And the client cert abandonment problem is an entirely other issue.
Oh Dr. Mike, a little more gray at the temples. Why must time pass?