A passkey is some sort of unique key specific to a device, allowing you to use a PIN on that device instead of the password, but which won’t work on another device.

Now I don’t know if that key can be stolen or not, or if it’s really more secure or not, as people have really insecure PINs.

    • smileyhead@discuss.tchncs.de · 1 year ago

      You don’t need to export or know what is the key.

      But is it possible in the implementation of Android/iOS?

      Backups are a thing. With SSH keys I have a different key for every device too, but as they are stored in an accessible file (as all computer data should be) they are backed up with the rest of the system.

      • Tibert@jlai.lu (OP) · 1 year ago

        So first, no, all the files should not be accessible: there are special not “files”, but keys, like the key used for this method. These keys pose a huge security risk if they are leaked somehow. The key can be something used to encrypt the device/disk, encrypt a connection, and other things associated with encryption.

        And because of that security risk, they are often stored in a special chip or simulated chip (like the simulated TPM 2.0 on a PC CPU), and not just “stored” so any malware or who knows what can access them just by reading the drive.

        Second, the key is never transferred. When you connect to another device, that other device will get another key. Or maybe could it be backed up somehow in case of recovery on another phone? But that would defeat the entire purpose of this.

        How Google can allow you to connect to another device if the first one is lost, not sure. But it would certainly either ask for a password and a 2FA method.

        • jarfil@lemmy.world · 1 year ago

          > How Google can allow you to connect to another device if the first one is lost, not sure. But it would certainly either ask for a password and a 2FA method.

          That’s the key question. From what it seems, it would replace a password manager with different passwords for each website, but you give Google control of the master password.

          • Tibert@jlai.lu (OP) · 1 year ago

            It is not for the password manager…

            It’s just to connect to the Google account.

            It is not a service to connect to other ones without passwords.

      • AA5B@lemmy.world · 1 year ago

        I just replaced my iPhone, and the few places I “sign in with Apple” still work on the new phone. Yes, you can back it up and restore to a different device. I assume you can also use it across devices but I haven’t tried that.

        • smileyhead@discuss.tchncs.de · 1 year ago

          This is something different to PassKeys. “Sign in with Apple” is Apple telling online service “let him in”, while PassKeys is storing your authentication data on your device.

    • maniel · 1 year ago

      I tested it on another device, it looks like it gets the passkey from the source device (not from cloud), I had to input the original device’s unlock pattern for it to work.

      • Tibert@jlai.lu (OP) · 1 year ago

        And it’s expected as you still had that device. And it’s not the same key, a new key has been created for that new device. Now if that device cannot be accessed?