hperrin

Basically, in public key cryptography, you can generate a set of two big numbers that are mathematically related, one called the private key and one called the public key, collectively called a key pair.

Through a lot of fancy math, you, with your private key, can take a number I give you and give me back another number called a signature. I, with your public key, can do even more fancy math to prove that you do, in fact, have the corresponding private key to the public key I have, based on this signature.

If you give me the wrong signature, I can’t trust that you have the private key, and you don’t get authenticated, but if you give me the right signature, I can trust that you’re you, and you get authenticated.

A number of things. The key is stored on and accessed by a separate coprocessor from the CPU, so the CPU doesn’t even know the private key. That takes its own protocol, over i2c, usb, Bluetooth, etc. Then the browser has to coordinate that protocol to communicate with the web protocol from the frontend JS. There’s also the concept of server verification, so it’s a more complicated handshake than just one signature going one way. Then, of course, there’s the inherent complexity of public key cryptography in general, but you only need to worry about that if you’re writing it from scratch with no library.

From a basic web dev perspective, it’s not much more complex than a password, but that’s because the complexity of the protocols is hidden behind the libraries. A password actually isn’t complex, even when you remove the libraries.

(The private key does not have to live in a separate coprocessor, but that’s the most secure method, and the one covered by the protocol.)

Here, these specs are what they’re based on:

https://passkeys.dev/docs/reference/specs/

I think kid stuff is fine to like. Legos even say on the box you’re allowed to play with that until you turn 100. I think playing with toddler toys is probably a bit sad though, just cause that’s indicative of a psychological problem to me. But I’m not gonna tell someone what toys they can and can’t play with.

Yes, kind of. You’re still giving them your password every time you log in. And it’s on them whether they store it hashed or in plain text. With a passkey, you know that even if they’re hacked, they’ll never get your actual private key.

But, if they’re hacked, your key is probably the least of your concerns.

A passkey is a key pair where you keep the private key and give the public one to the service. Then you can log in by proving you have the private key. Fairly simple in theory. Horribly complex in practice.

If Russia wanted peace in Ukraine, they’d just leave. They don’t want peace in Ukraine, they want Ukraine.

That’s a great star. Very nice. Good tree. 10/10

That’s cool. AI can do art and writing and video games for me. It can watch all my shows. All I have to do is work and maybe sleep. Sounds fun.

Birds are reptiles in the same sense that people are fish.

Centering a div is pretty fucking easy nowadays. What’s way harder is aligning a god damned SVG icon with text.

Oh boy, I can’t wait to pay $800 more a month for health insurance that doesn’t cover anything I actually need. I’m so glad half the country is dumb as rocks and thought this guy was anything other than a rapist pedophile grifter who actively hates this country and its people.