[jlmb]

“Passwords are fine” only in a theoretical world where everyone uses passwords “correctly” and securely. But in the real world people don’t, so passkeys are a much better and easier method.

I fail to understand how educating billions (?) of people about proper password hygiene is faster or simpler than moving all authentication to a “tap this button to magically log in” method.

[bunga-bunga]

> passkeys are a much better and easier method

Disagree. This isn't possible with passkeys:

- logging into a service with email and brain-stored password from any device

With passkeys, your phone becomes your password, so don't break it, lose it, let it die, forget it in the car, become too old, let your kids use it, etc

> “tap this button to magically log in” method

That only works if the device you tap it on is the same device with the key, while that's not always the way for many people (sync may or may not be set up or active)

[szasamasa]

you either can remember all your passwords and then you are fucked or you use a pass manager

passkeys will be stored in a pass manager and they can be recovered with device pin and master pass, I think they will be exportable too

so yes, you can log in with brain stored stuff

I guess you need a device to log in? then you log in to your pass manager and you can log in to anywhere

only this way you have to remember a passcode and a master pass, not 1000 passwords and you need your master pass 5x/10 years and your passcode every other day and you log in with your device and your biometrics

passkeys have issues but what you are saying is pure shit

[hulitu]

> so passkeys are a much better and easier method.

I'm old. What's the difference between a pass word and a pass key ?

> tap this button to magically log in” method.

And how exactly is "this button" authenticated ?

[wasmitnetzen]

Passkeys are basically enforced password managers with random passwords. There's some more complexity below the surface, but for the user, that's it.

[szasamasa]

good point

pass manager is needed and that is one of the key differences

it is good but also a challenge for some people, especially if the 3 bigs cannot sync because normal people without pass manager begin to use Apple, Google, Microsoft pass management... if they have all 3 devices, all of them...

what I do not understand, what the heck is the goal, one passkey per service and total sync or a domain (server) has to create and manage 4 passkeys for 4 operating system providers if user does not use a total syncing pass manager?

that is the problem since those who use pass managers are normally ok but those who dont, and wont register/trust/pay for one, begin to use A/G/M/L pass managers and 4 pass manager accounts must be secured?

and then you begin creating 4 passkeys for each website?

[UncleMeat]

It's even better than that. They don't give any secret data to the service you are using.

[szasamasa]

I read this all the time, ist it true?

isnt public key a bad wording suggesting it should or can be public?

I would call it verification key and keep it secret on the server

only thing it need not to be hashed, it is already "hashed" meaning if it leaks it has 128 bit security or so

if I get it well, the private key can be guessed from the public key from huge alien resources so it is actualyl like an already computer intensive hashed 128 random password from a 2^128 domain?

I do not think the public key is to be posted on twitter or should not be guarded at all... it is just not the signing key and it is 128 bit strong away from it

[UncleMeat]

It is 100% fine to have adversaries know your public key. Asymmetric key crypto is not the same as "already hashed private keys." You can happily use a 4096 bit RSA key if 112 bits of effective security isn't enough for you.

[szasamasa]

you dont quite get my point

i compare password hashing on server with passkeys where you store the public key on the server... we are told to hash computer intensive preparing for the worst that the server is breached and an attacker has the stored hashed (salted, peppered) password... then with brute force if you hashed computer intensive and the password was not weak, it can be i dont know 60,80,120 bit strong?

well you can actually get the password from the hash but if everything ok, infeasible... i guess it is the same with getting the private key from the public key, it is possible but with ecdsa256 i read 128 bit strong or so

i dont want more security i just find it interesting that nobody says the hashes are not a secret... ok it is more problematic since weak passwords remain much weaker hashed or not

i would still say if possible keep your verification key to yourself... and if it leaks, no problem

i would call them secret key (private) and verification key (public)

but i dont know much about this and i guess by digital signatures they are really public? but hey may be even stronger

[krisoft]

> I'm old. What's the difference between a pass word and a pass key ?

Password: You have to choose a good one using your brain or a password manager of your choice, and you have to remember it using your brain or a password manager of your choice.

Passkey: Your device generates it for you, whether or not it is sufficiently random, and long enough is not up to you. You don't even have to worry about it. Your device stores it for you. You don't have to remember it in your brain, you don't have a choice if you want to use a password manager or not. The passkey is stored in something which is functionally equivalent to a password manager.

> how exactly is "this button" authenticated ?

What are you asking? How is it authenticated between the server and the client? Or how is it authenticated that the person pressing the button is the right person on the client side?

[k8sToGo]

The button is authenticated through the phone biometrics for example.

[szasamasa]

no button is authenticated

you start a process by pressing the button and authenticate via having the device and using your os account biometrics/passcode

then your pass manager signs a challenge with the passkey proving that you come from a trusted device (you are logged in to your pass manager) where you are the os account owner

[ValleZ]

Password is something you know and pass key(or a physical key) is something that you own.

[denton-scratch]

> so passkeys are a much better and easier method

Thing is, most people don't understand passkeys. If you want to be secure, then you want to understand why and how you're secure; a pinky-promise that you're secure doesn't cut the mustard.

I do have some understanding of this kind of technology, having written for myself an OAuth server back in the day. I gave up on the server, because the services I wanted it for (bank, tax, medical) didn't accept OAuth, and because it was much too hard to understand.

Passkeys involves more third parties, and is even harder to understand.