this post was submitted on 16 Sep 2025
489 points (98.6% liked)

Programmer Humor

26372 readers
1156 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code there's also Programming Horror.

founded 2 years ago
[–] RustyNova@lemmy.world 100 points 22 hours ago (16 children)

I kinda hate the push towards passkeys. If you have two-factor auth, going to passkeys makes you go back to one factor, aka less secure.

There are also more and more 2FA fatigue attacks going on, and they can affect passkeys too. If you don't have a 2FA that involves the user writing a code on the 2FA device, passkeys could quite possibly be worse than passwords.

[–] nialv7@lemmy.world 15 points 20 hours ago (4 children)

It's different. It's still two factors if implemented correctly: 1. Possession of the passkey (better if you have a physical token, but passkey on your phone is passable). 2. Knowledge of your password (or bio authentication if you use face id or w/e).

Note you are not giving your password to the website, and if a hacker gets hold of your password they still can't do anything without your passkey device.

[–] RustyNova@lemmy.world 7 points 20 hours ago (1 children)

"Knowledge of your password"

Uh... What password?

[–] nialv7@lemmy.world 18 points 20 hours ago (1 children)

Passkey should ask for a password for unlocking. If it doesn't then it's not implemented correctly.

[–] jj4211@lemmy.world 7 points 20 hours ago (1 children)

It's client-specific: my phone requires whatever can unlock the phone, and Chrome requires either Windows Hello, or a PIN if under Linux.

Certain implementations do whatever, and as far as the backend is concerned, there's no way of knowing, unless you want to get into the business of locking down specific vendor keys...

But I say MFA is overrated versus just getting away from generally crappy password factors. Also passkeys are less phish-able than OTP type solutions.

[–] nialv7@lemmy.world 5 points 17 hours ago* (last edited 17 hours ago)

Yes, it's implementation-specific; in this case your phone or your browser is the passkey "device". As long as it's protected by some form of authentication it's OK (though I would recommend a hardware token over phones/browsers). If it isn't, then you shouldn't be using that "passkey". Yes, there is no way for the website you are authenticating with to know whether your passkey is safe or not; choosing a secure passkey implementation is (unfortunately) the user's job. But it's the same with more traditional 2FAs, e.g. you can store your TOTP secret securely or insecurely, and the website will have no way to know.
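The two points argued across the comments above (jj4211: the backend can't tell how the client unlocked the passkey, and passkeys are less phishable than OTPs; nialv7: the website can't tell whether your passkey is safe) map onto concrete fields of a WebAuthn assertion. Below is an added example, not code from this thread or from any passkey implementation, that plays both sides in Go with only the standard library: `sign` simulates the authenticator/browser producing an assertion, and `verify` is what a relying party checks. It shows the rpIdHash and origin binding that makes a passkey useless on a look-alike domain (the phishing resistance an OTP does not have), and the UV flag by which the authenticator claims that a PIN, biometric or device unlock happened. The server can refuse assertions without that flag, but it only sees the claim; confirming that a given device model really enforces it would need attestation, which is the "locking down specific vendor keys" business mentioned above. The rpId `example.com`, the origins, the challenge string and the `demoKey` helper are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// Flag bits in WebAuthn authenticatorData (byte 32): UP = user present, UV = user verified.
const (
	flagUP byte = 0x01
	flagUV byte = 0x04
)

// clientData is the part of CollectedClientData the relying party checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what navigator.credentials.get() hands back to the site.
type assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// demoKey stands in for the per-site key pair an authenticator creates at
// registration (constructed for this example; a real key never leaves the device).
func demoKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// buildAuthData lays out authenticatorData: sha256(rpId) || flags || 4-byte counter.
func buildAuthData(rpID string, flags byte, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := make([]byte, 37)
	copy(out, h[:])
	out[32] = flags
	binary.BigEndian.PutUint32(out[33:], counter)
	return out
}

// signedMessage is what the signature covers: authData || sha256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// sign simulates the authenticator/browser side. The browser fills in the origin
// it is really on, so a phishing page cannot claim to be the genuine site.
func sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string, flags byte, counter uint32) (assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin}) // cannot fail for plain strings
	authData := buildAuthData(rpID, flags, counter)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	if err != nil {
		return assertion{}, err
	}
	return assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// verify is the relying-party side. On success it returns the counter to store.
func verify(pub *ecdsa.PublicKey, a assertion, rpID, origin, challenge string, storedCounter uint32, requireUV bool) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return 0, err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return 0, errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != origin {
		return 0, errors.New("origin mismatch: assertion was made on another site")
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(want[:]) {
		return 0, errors.New("rpIdHash mismatch: credential is scoped to a different rpId")
	}
	// The server can insist on UV, but it only sees the authenticator's claim;
	// checking that the claim is honest would need attestation of the device model.
	flags := a.AuthData[32]
	if flags&flagUP == 0 || (requireUV && flags&flagUV == 0) {
		return 0, errors.New("required user presence/verification flag not set")
	}
	counter := binary.BigEndian.Uint32(a.AuthData[33:37])
	if counter != 0 && counter <= storedCounter {
		return 0, errors.New("signature counter did not increase: possible cloned credential")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature) {
		return 0, errors.New("signature does not verify")
	}
	return counter, nil
}
```

A real browser would never even offer the `example.com` credential to a page on `phish.example`, because credentials are looked up by rpId; the example simulates the next line of defence, where the signed rpIdHash and origin still fail the relying party's checks. The counter check is the one hint a server gets that a software passkey has been copied, and it is absent (always zero) on many synced implementations, which is exactly the "no way of knowing" gap discussed above.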
