Passkeys replace passwords with encrypted key pairs that can’t be phished or leaked. Learn how FIDO2 and WebAuthn work, their pros and flaws.

Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.

But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.

I broke down how passkeys work, their strengths, and what’s still missing

  • l_b_i@pawb.socialEnglish
    3912·
    1 day ago

    I think they are being pushed because cool technology on paper. Whenever I read an article about them, I can’t help but think about the human factors. How are passkeys created, often by a password or email. okay… that looks a lot like a password. Oh you lost the passkey, here lets send you one again. It stinks of a second factor without a first. Sure, the passkey itself is hard to compromise, but how about its creation. If your email is compromised I see no difference from passwords or passkeys.

    • 4am@lemmy.zipEnglish
      151·
      1 day ago

      They don’t email you a passkey, what are you even talking about?

      • lmmarsano@lemmynsfw.comEnglish
        2·
        18 hours ago

        There are quite a few uninformed takes here & the number of upvotes they got for it is stunning. Lemmy. 😞

        • Sl00k@programming.devEnglish
          2·
          3 hours ago

          Lemmy has been very anti passkey at least since it’s rise in 2023, it’s very interesting how tech forward Lemmy generally is and how anti passkey and not even anti, just generally uninformed on them they are.

          I for one love them. I always read everyones opinions here and just think nobody has even attempted to use them. It’s very simple.

      • l_b_i@pawb.socialEnglish
        510·
        1 day ago

        The flow I hear about when people talk about passkeys is sign up with email. Code gets sent to email. Code is entered, passkey gets generated. There always seems to be some similar step that looks like that, and often you have new device or reset that looks the same. Sure the passkey itself is secure, but how do you get it, how do you generate it, how do you validate the first time?

        • Encrypt-Keeper@lemmy.worldEnglish
          152·
          1 day ago

          None of that is remotely true lol. You don’t get a passkey, you generate. Nothing is “sent” to you at any point in time, it has nothing to do with email.