• xmunk@sh.itjust.works · 20 days ago · 8 up, 1 down

    My voice is my passport, verify me.

    A passkey is a super general term. It’s usually something you can store in a file (because you can store any data in a file) though sometimes it may have a hardware element. You can probably save your passkey in a file and you certainly can copy it onto a USB drive.

    You can also save passkeys into password managers which is what I personally do so (coupled with a syncing script) I can access it from any of my devices.

    • shonn@lemmy.world · 20 days ago · 5 up

      That makes it sound like it’s a password. If a passkey can be saved in a password manager, can it be memorized or written down? What makes a passkey different than a password? Or are they just two ways of saying the same thing? Is it a really long password that makes you dread having to type it in, or even worse, enter it in with a virtual keyboard with a remote with arrow buttons?

      • BakedCatboy@lemmy.ml · 20 days ago · 4 up

        The key difference is that during normal use, the private key of the passkey doesn’t leave the device (or password manager). The passkey basically comes in 2 parts, the public and private (secret) part. In order to log in, the website presents a cryptographic challenge that is only solvable using your private key - and crucially you can solve the challenge without revealing your private key. An attacker could get your answer to the challenge and still be unable to solve additional challenges without the private part of your passkey.

        This of course makes it basically impossible to manually log in using a passkey and a keyboard, without any password manager to do the cryptographic calculations (unless you have a LOT of paper and time), but the security advantage of making it near impossible to be phished is generally regarded as a net positive. In order to steal a passkey there would need to be a vulnerability in the software, since passkeys make it much harder to trick a user into giving it away (since tricking the user into logging in on a fake website doesn’t work due to the aforementioned cryptography, the main way to steal a passkey would be to trick the user into exporting it - which is a much higher bar).
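The challenge-response the comment above describes, written out as an added example (not code from anyone in this thread, and a deliberately simplified model of the WebAuthn flow rather than a conforming implementation). It uses Go's standard-library Ed25519: the authenticator holds the private key and only ever returns a signature over the server's challenge, the relying-party ID hash and the origin the browser reports; the server verifies with the public key it stored at registration. The names `Authenticator`, `RelyingParty`, `Assert` and `Verify`, the origin `https://login.example` and the JSON client-data layout are all assumptions made for the example. The `main` walks through a normal login, then shows why a reused assertion and an assertion made for a different origin are both rejected, which is the property that makes the credential useless to a look-alike site.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is the private half of one passkey, scoped to a single relying-party ID.
type Credential struct {
	RPID string
	Priv ed25519.PrivateKey
}

// Authenticator models the device or password manager that stores passkeys.
// The private key never leaves this struct; callers only get signatures.
type Authenticator struct {
	creds map[string]Credential // credential ID -> key material
}

func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]Credential{}} }

// Register generates a fresh key pair for rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) (string, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", nil, err
	}
	credID := hex.EncodeToString(id)
	a.creds[credID] = Credential{RPID: rpID, Priv: priv}
	return credID, pub, nil
}

// clientData is the (simplified) browser-supplied context that gets signed.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the authenticator's answer: what was signed and the signature.
type Assertion struct {
	CredID     string
	RPIDHash   [32]byte
	ClientData []byte
	Sig        []byte
}

// Assert answers a challenge. It refuses if the stored key is not scoped to rpID,
// and binds the signature to the origin the browser reports, so a signature made
// on one site cannot be presented as a login to another.
func (a *Authenticator) Assert(credID, rpID, origin string, challenge []byte) (*Assertion, error) {
	c, ok := a.creds[credID]
	if !ok || c.RPID != rpID {
		return nil, errors.New("no passkey for this relying party")
	}
	cd, _ := json.Marshal(clientData{Challenge: hex.EncodeToString(challenge), Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(cd)
	msg := append(rpHash[:], cdHash[:]...)
	return &Assertion{CredID: credID, RPIDHash: rpHash, ClientData: cd, Sig: ed25519.Sign(c.Priv, msg)}, nil
}

// RelyingParty is the website: it stores public keys and outstanding challenges only.
type RelyingParty struct {
	ID, Origin string
	users      map[string]ed25519.PublicKey
	pending    map[string][]byte
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) AddUser(credID string, pub ed25519.PublicKey) { rp.users[credID] = pub }

// Challenge issues a fresh random nonce; each one is valid for exactly one assertion.
func (rp *RelyingParty) Challenge(credID string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.pending[credID] = ch
	return ch, nil
}

// Verify checks origin, challenge freshness, relying-party binding and the signature.
func (rp *RelyingParty) Verify(as *Assertion) error {
	pub, ok := rp.users[as.CredID]
	if !ok {
		return errors.New("unknown credential")
	}
	ch, ok := rp.pending[as.CredID]
	if !ok {
		return errors.New("no outstanding challenge (replay?)")
	}
	delete(rp.pending, as.CredID) // consume the challenge whether or not the rest passes
	var cd clientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: assertion was made for %q", cd.Origin)
	}
	if cd.Challenge != hex.EncodeToString(ch) {
		return errors.New("challenge mismatch")
	}
	want := sha256.Sum256([]byte(rp.ID))
	if as.RPIDHash != want {
		return errors.New("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(as.ClientData)
	if !ed25519.Verify(pub, append(want[:], cdHash[:]...), as.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth := NewAuthenticator()
	rp := NewRelyingParty("login.example", "https://login.example")
	credID, pub, _ := auth.Register(rp.ID)
	rp.AddUser(credID, pub)

	ch, _ := rp.Challenge(credID)
	as, _ := auth.Assert(credID, rp.ID, rp.Origin, ch)
	fmt.Println("normal login:", rp.Verify(as))           // <nil>
	fmt.Println("same assertion again:", rp.Verify(as))   // replay rejected
	ch, _ = rp.Challenge(credID)
	as, _ = auth.Assert(credID, rp.ID, "https://login-example.test", ch)
	fmt.Println("assertion for another origin:", rp.Verify(as)) // origin mismatch
}
```

Note that nothing the server stores (the public key) or sees on the wire (challenge, client data, signature) lets it, or anyone who captures that traffic, answer the next challenge; only the `Credential.Priv` inside the authenticator can do that, which is the point the comment above makes.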

        • Synapse@lemmy.world · 20 days ago · 4 up

          No, the cryptographic keys used in passkeys are not just very long passwords. In fact they are not so long. Typical keys generated with ed25519 are 60 characters long.

      • xmunk@sh.itjust.works · 19 days ago · 1 up, 1 down

        Everything in a computer is data - passwords are no different from novels and you could use War and Peace as your password as long as you hated whatever system needed to check it.

        Passkey is usually used to describe a password you keep in a file usually with a public/private pairing though, with everything computer, this is only the general form and description.

        I mentioned putting it in a password manager because, as mentioned, it’s just a string of text… if you want you can put the full executable bundle for Starcraft2 in your password manager - most have trivial ways to copy in whole files but, again, it’s just data.