[tqi]

To the parent comment's point, even after reading the post I'm still not sure I understand why this is better.

- replay resistant: doesn't ssl already ensure this?

- database-leak resistant: if i'm understanding this correctly, this means a leaked database on the Fastmail side wouldn't compromise your Fastmail account? It's hard for me to imagine a situation where a compromise is serious enough that passwords are leaked, but nothing else?

- phishing proof: don't password managers already do this?

[labcomputer]

Re replay: No, because once someone has your password they can replay it as many times as they want. If you use your passkey on a compromised computer, the intercepted credentials can’t be reused.

Re DB leak: No, you the concern is reused passwords (or similar passwords) from a different site.

Re phishing: Yes, but one of the FUDs against passkeys is that they lock you in to a vendor. There is no more lockin than if store your passwords in a manager.

[theshrike79]

Do you manually check every site's SSL certificate before connecting? If not, how can you be sure there's not a MITM/Replay attack ongoing right now?

Very commonly user databases are the one being accessed for some reason, resulting in user data + salted passwords released.

How so? I can social engineer an employee to give me the password for a site they have in the password manager. I can't make them give me the passkey because they can't do that. It's not something you can paste in a chat.

[eep_social]

> not something you can paste in a chat

this is a fundamental and un-addressable problem with passkeys as currently implemented

[tatersolid]

From a security perspective, not being able “paste into chat” is a fundamental feature of passkeys. The whole point is to prevent a static secret which can easily be copied by an attacker, memorized, phished, or re-used across sites.

[vouaobrasil]

They sort of solve all these problems with a simpler implementation. But the disadvantage of passkeys is that you are dependent on a tech implementation ecosystem to use them, such as your phone, cloud keychain, etc. In practice, for a lot of people, that will mean tighter dependence on the smartphone, which is rather asinine as people should have the freedom to choose life without a big tech company providing for their needs.

[kemotep]

Password managers such as Bitwarden and KeepassXC support creating and using Passkeys for accounts.

Presumably, you are already using a password manager at this point. Memorizing dozens of account passwords is not suitable for maintaining strong passwords.

Also, passwords still exist as a fall back if you need it, such as a situation you don’t have your device available. And not all accounts have to use passkeys.

Passkeys are effectively like ssh keys. Do ssh keys “lock you down” to specific devices? Sure they absolutely do unless you generate more keys or have some key management/sync workflow.