• BakedCatboy
    link
    fedilink
    English
    arrow-up
    31
    arrow-down
    1
    ·
    8 months ago

    Passkeys are like using a private key to log in. There are several ways it’s better:

    • Passwords can be stored improperly by a website leading it to be leaked
      • Passkeys never leave the device so a website being breached can never leak your passkey
      • The website only stores the public portion of the key which is useless to an attacker
      • Passkeys can only be stolen by attacking and breaching the device or password manager that holds it
    • Passwords can and often are reused across multiple sites so a single leaked password can compromise many sites
      • Passkeys are created for each site so an attacker would need to steal each one separately
    • Passwords can be phished by fooling a user into entering the password
      • Passkeys can’t be phished easily since it’s designed not to leave the device - if such an attack was found it could be patched in the browser / password manager. You can’t patch all password forms to stop phishing in the same way

    If you’re familiar with ssh keys, it’s similar to that and why the top security recommendation for new servers is to disable passwords and use keys instead.