this post was submitted on 11 Nov 2025
295 points (87.7% liked)

Technology

84074 readers
4058 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots


founded 2 years ago
MODERATORS
 

Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn). They remove the shared secret, stop phishing at the source, and make credential stuffing useless.

But adoption is still low, and interoperability between Apple, Google, and Microsoft isn't seamless.

I broke down how passkeys work, their strengths, and what's still missing.
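To make the "no shared secret, phishing stops at the source" claim concrete, here is an added example (written for this page, not code from the post or from any passkey vendor) that simulates one WebAuthn login ceremony in Go with only the standard library. The names Authenticator, RelyingParty, Register and Login, the rpID example.com and the look-alike origin example.com.login-check.test are assumptions for the illustration. authenticatorData is reduced to rpIdHash || flags || signCount with the counter held constant, and attestation and user verification are left out; in a real browser the authenticator would not even be invoked for an origin that does not match the rpID, so the origin check shown here is the server's defence in depth.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// ClientData is WebAuthn's clientDataJSON. The browser, not the page, fills in Origin.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what navigator.credentials.get() hands the site; Sig is an ECDSA
// signature over SHA-256(AuthData || SHA-256(ClientDataJSON)).
type Assertion struct{ AuthData, ClientDataJSON, Sig []byte }

// Authenticator holds the per-site private key, which never leaves the device.
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// RelyingParty is the server. It stores only a public key, so a leaked database
// gives an attacker nothing to stuff into other sites.
type RelyingParty struct {
	rpID, origin string
	pub          *ecdsa.PublicKey
	pending      map[string]bool // outstanding single-use challenges
}

func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	c := base64.RawURLEncoding.EncodeToString(b)
	rp.pending[c] = true
	return c
}

// GetAssertion is the browser+authenticator half of a login ceremony.
func (a *Authenticator) GetAssertion(origin, challenge string) (Assertion, error) {
	cd, _ := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signCount held constant here
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, msg[:])
	return Assertion{AuthData: authData, ClientDataJSON: cd, Sig: sig}, err
}

// Verify is the server half: challenge, origin, rpID and signature must all line up.
func (rp *RelyingParty) Verify(as Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || !rp.pending[cd.Challenge] {
		return fmt.Errorf("wrong ceremony type or unknown/reused challenge")
	}
	delete(rp.pending, cd.Challenge) // consumed whatever happens next
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin %q is not this site: phishing proxy", cd.Origin)
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if len(as.AuthData) != 37 || string(as.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("credential is scoped to a different rpID")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.pub, msg[:], as.Sig) {
		return fmt.Errorf("signature was not made by the registered private key")
	}
	return nil
}

// Register mints a key pair scoped to example.com (an assumed rpID); the server keeps only the public half.
func Register() (*RelyingParty, *Authenticator) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rp := &RelyingParty{rpID: "example.com", origin: "https://example.com", pub: &priv.PublicKey, pending: map[string]bool{}}
	return rp, &Authenticator{rpID: "example.com", priv: priv}
}

// Login runs one ceremony against a fresh registration. origin is where the browser
// really is; attackerKey, if non-nil, stands in for someone who only has the leaked public key.
func Login(origin string, attackerKey *ecdsa.PrivateKey) error {
	rp, auth := Register()
	if attackerKey != nil {
		auth = &Authenticator{rpID: rp.rpID, priv: attackerKey}
	}
	as, err := auth.GetAssertion(origin, rp.NewChallenge())
	if err != nil {
		return err
	}
	return rp.Verify(as)
}
```

Login("https://example.com", nil) returns nil; Login("https://example.com.login-check.test", nil) fails at the origin check even though the attacker relayed a genuine challenge, which is why a reverse-proxy phishing kit gets nothing usable; and Login("https://example.com", someOtherKey) fails at the signature check, which is all a stolen server record lets an attacker attempt.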

50 comments
[–] ivanovsky@lemmy.world 4 points 5 months ago (2 children)

I've been mostly too lazy to look into how to use passkeys. If my normal flow is using 1password for 2fa (on mobile and on the computer), is there a way I can still use that with passkeys? It says they're supported but I'm not sure how that'd work, because aren't they device specific?

I just don't want losing access to my phone, for whatever reason, to mean that I lose access to my accounts.

[–] biotin7@sopuli.xyz 3 points 5 months ago

Yeah, totally not going to be misused by corporations with proprietary cryptographic algorithms.

[–] Septimaeus@infosec.pub 2 points 5 months ago (1 children)

Thanks for the great article! I had a question re: the top disadvantage you mention (lock-in).

Background: Although the on-device integrations for Apple, Google, etc. use their clouds for E2E sync between devices, it appears KeePassXC, using its passkey interception, discovery, and import procedures, accomplishes the same cross-device passkey implementation without needing a particular vendor's cloud lock-in. As best I can tell, this meets the original standard's sync fabric requirements (whether or not the big providers like it) and relies on platform-specific APIs mostly for interoperability.

Question: If KeePass has been able to implement its own sync this way, and the FIDO standard accommodates non-OS providers (e.g. browsers or PW managers), what is currently the biggest technical hurdle remaining for FOSS-based passkey providers?

[–] sentientRant@lemmy.world 2 points 5 months ago (1 children)

Thank you... and yes, you are right... There could be many reasons, like greed, or it could be risk management if you think from both ends of the spectrum. It's sad, actually, that they are developed on the same FIDO2 but insist on being separate, which is weird.... Also they feel that a regular user wouldn't be able to set up a FOSS passkey provider, or maybe they lose control over encryption if they share with a third party.
