• Snot Flickerman@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      50
      ·
      edit-2
      1 year ago

      Except passkeys are an Open Authentication standard from the FIDO alliance. Soooooo, not from a corporation.

      https://fidoalliance.org/passkeys/

      You can use passkeys in KeePassXC, if I understand correctly.

      They are the equivalent of using a hardware key like YubiKey or SoloKey, except the passkey is stored on your phone/PC instead of a USB thumbstick.

      • umbrella@lemmy.ml
        link
        fedilink
        arrow-up
        5
        arrow-down
        46
        ·
        edit-2
        1 year ago

        still no reason to trust google with this.

        they have hijacked and dominated open source software quite a bit in the past.

        • Snot Flickerman@lemmy.blahaj.zone
          link
          fedilink
          English
          arrow-up
          65
          ·
          edit-2
          1 year ago

          Except Google was only mentioned in terms of whether or not they support it.

          You’re commenting on an article from the Electronic Frontier Foundation, an organization dedicated to fighting for internet and digital freedoms, about an open standard that has only just begun being implemented widely.

          Look, I hate corpos as much as anyone, but please let’s please tone down the alarmism.

          • catboss@feddit.de
            link
            fedilink
            arrow-up
            13
            ·
            1 year ago

            I’d like to thank you for providing context to reactivism based solely on an emotional reaction without doing any research first.

            I am guilty of that as well, but you put effort in, explained things and that takes time. Thanks.

    • jet@hackertalks.com
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      1
      ·
      1 year ago

      They are fine, just ssh public private keypairs but for “the web”… worse than fido2… so not really sure why they are being pushed so much above fido2

        • jet@hackertalks.com
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          Wow! I had no idea. I assumed the yubikey bioseries didn’t work with passkeys. But I read the documentation that you linked, and I just tested it out on the demo site. It works.

          That’s amazing! Thanks

          Can only store 25 keys but hey that’s still something.

          • Bitrot@lemmy.sdf.org
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            1 year ago

            I like that you are able to query what keys are stored, so if you are ever replacing or upgrading the key you can see where you should update to the new one. That is tough on the current yubikey, I’ve got a few generations of them and have to hold onto them just in case I happened to use them for 2FA somewhere and don’t remember it. 2FA is dynamically generated so there’s not really a way to change that, it’s just inconvenient.

            • jet@hackertalks.com
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              1
              ·
              edit-2
              1 year ago

              I prefer the yubikey webauthn fido2 non passkey approach. It’s not limited to 25 slots. And if your key gets compromised, or you’re forced to unlock it, there isn’t a list of sites that it works on.

              With passkeys, if somebody compromises you, physically, they can see everything you can log into. That makes me feel icky

              • Bitrot@lemmy.sdf.org
                link
                fedilink
                English
                arrow-up
                4
                ·
                1 year ago

                There are definitely pluses and minuses. It will lock you out after 8 incorrect pins so if it came down to it, you could probably force it to lock pretty quickly.

              • tippl@lemmy.world
                link
                fedilink
                arrow-up
                3
                arrow-down
                1
                ·
                1 year ago

                if somebody compromises you, physically, they can see everything you can log into

                Can they though? I own a few yubikeys with passkeys stored inside and i cannot query stored logins without entering a pin.

                • jet@hackertalks.com
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  arrow-down
                  2
                  ·
                  1 year ago

                  Right, so they coerce you to unlock the yubi key (threats, torture, finger removal, etc) and now they see all your passkeys and what they belong to. It’s a menu of your activity.