|
|
|
|
|
|
by the_snooze
980 days ago
|
|
|
>No, if you break into a site using passkeys, it gives you literally zero information that can be used to authenticate as any of the users. Think about the prevalence of data breaches in the past decade, and the sharp rise in the effectiveness of password stuffing, and think about why this change might be a good idea. An implication of that is passkeys let you use the same authenticators across multiple services safely. Instead of keeping track of unique passwords across all those services (or worse, reusing passwords), you can just have a passkey-registered phone and one or two Yubikeys for backups/convenience. You'd be a very hard target for account compromise. That setup is highly phishing-resistant and immune to credential-stuffing, without the cognitive load of passwords. |
|
|