by hn_acc1 550 days ago
30+ years of software dev, but I rarely had to worry about security. I've grown up with passwords (from 1980s BBS logins on up), but just like you, I still don't fully "grok" passkeys, in the sense of how I understand passwords, their threat model, how they can be cracked, etc.

I think I understand it's a bit like a "my public SSH key + website's public SSH key merged together", so that each website can verify the passkey we created together using their private key. The basic mechanism is more or less straightforward.

What I do not understand well is the "how to store and manage 100s of passkeys" part, and how to migrate my family to them (including my parents in their 80s, who are far away; I am the main tech guy when the "basic tech literate" family members who live closer can't figure things out). We use Linux and Windows boxes at home, and Android phones (for now).

I can easily log into any accounts from any of these, even from my work laptop if needed, some requiring SMS 2FA (let's leave that for another discussion). If I created a passkey on a Linux desktop and stored it in a YubiKey, can I re-use it on someone else's Windows laptop? Would I need the Bluetooth version of the YubiKey to sync with my phone? Or would I have to create a unique passkey from each device for each website, using my existing password?

Basically: I don't have "one phone" and "one computer", both running the same OS. What are some usage models, including some that don't require YubiKeys, because no way could I get my parents in their 80s to understand those.
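Added here as an illustration, not part of hn_acc1's comment: a Go sketch of the passkey (WebAuthn-style) exchange the comment is asking about. The model is that the device mints one key pair per site and keeps the private half; the site stores only the public key under an opaque credential ID; and a login is the site issuing a fresh random challenge which the device signs, with the site's identity bound into what is signed. The type names, the user `alice`, and the domains `example.com` and `examp1e.com` are made up for the walk-through, and the signed message is simplified relative to the real WebAuthn authenticatorData/clientDataJSON layout.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models whatever holds private keys (phone, hardware key, password
// manager): one fresh key pair per site, looked up by the site's identity (RP ID).
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // RP ID -> private key; never leaves the device
}

// Register mints a P-256 key pair for rpID and hands back only the credential ID
// and public key; that pair is all the site will ever see.
func (a *Authenticator) Register(rpID string) (string, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // the OS CSPRNG failing is not recoverable here
	}
	a.keys[rpID] = priv
	return credentialID(&priv.PublicKey), &priv.PublicKey
}

// Assert signs the site's challenge with the key minted for rpID. The browser
// supplies rpID from the page's real origin, so a look-alike domain (or a device
// that never registered) has no key to sign with: that is the phishing resistance.
func (a *Authenticator) Assert(rpID string, challenge []byte) (string, []byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return "", nil, fmt.Errorf("no credential on this device for %q", rpID)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, challenge))
	return credentialID(&priv.PublicKey), sig, err
}

// credentialID is an opaque handle derived from the public key (made-up scheme).
func credentialID(pub *ecdsa.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(pub.X.Bytes()))[:16]
}

// signedDigest binds site identity and the fresh challenge into the signed value.
// (Real WebAuthn signs authenticatorData plus a hash of clientDataJSON; simplified here.)
func signedDigest(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	sum := sha256.Sum256(append(rpHash[:], challenge...))
	return sum[:]
}

// RelyingParty models the web site: public keys per user and credential ID, plus
// one-time challenges consumed on first use so a captured signature cannot be replayed.
type RelyingParty struct {
	ID      string
	users   map[string]map[string]*ecdsa.PublicKey // user -> credential ID -> public key
	pending map[string][]byte                      // user -> outstanding challenge
}

func (rp *RelyingParty) NewChallenge(user string) []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	rp.pending[user] = ch
	return ch
}

func (rp *RelyingParty) VerifyLogin(user, credID string, sig []byte) bool {
	ch, ok := rp.pending[user]
	delete(rp.pending, user) // single use, whatever the outcome
	pub := rp.users[user][credID]
	return ok && pub != nil && ecdsa.VerifyASN1(pub, signedDigest(rp.ID, ch), sig)
}

// Scenario registers from a laptop and logs in, then tries a replay, a look-alike
// site and a phone that never held the key, and finally registers the phone too.
func Scenario() map[string]bool {
	site := &RelyingParty{ID: "example.com", users: map[string]map[string]*ecdsa.PublicKey{"alice": {}}, pending: map[string][]byte{}}
	laptop, phone := &Authenticator{map[string]*ecdsa.PrivateKey{}}, &Authenticator{map[string]*ecdsa.PrivateKey{}}
	r := map[string]bool{}
	id, pub := laptop.Register(site.ID)
	site.users["alice"][id] = pub
	id, sig, err := laptop.Assert(site.ID, site.NewChallenge("alice"))
	r["laptop login"] = err == nil && site.VerifyLogin("alice", id, sig)
	r["replay rejected"] = !site.VerifyLogin("alice", id, sig) // challenge already consumed
	ch := site.NewChallenge("alice")
	_, _, err = laptop.Assert("examp1e.com", ch) // look-alike origin relaying the real challenge
	r["phish refused"] = err != nil
	_, _, err = phone.Assert(site.ID, ch) // the phone never held the laptop's key
	r["other device refused"] = err != nil
	id, pub = phone.Register(site.ID) // the phone needs its own key pair for this site
	site.users["alice"][id] = pub
	id, sig, err = phone.Assert(site.ID, site.NewChallenge("alice"))
	r["phone login"] = err == nil && site.VerifyLogin("alice", id, sig)
	return r
}

func main() { fmt.Println(Scenario()) }
```

Run it with `go run` and the printed map shows which checks hold. Two things the walk-through shows that bear on the questions above: a second device that never held the first device's private key cannot answer the site's challenge until it registers its own key pair (the site then simply holds two public keys for the same account), and a look-alike domain gets no signature at all, because the device looks the key up by the site's real identity rather than by anything the page can supply.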