this post was submitted on 24 Sep 2023
81 points (94.5% liked)

Programming

17508 readers
8 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]



founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 23 points 1 year ago (22 children)

Can someone tell me why I should care about this rather than just continuing to use my password and 2FA?

[–] [email protected] 19 points 1 year ago (16 children)

I’m stealing this from another comment:

The main advantage comes with phishing resistance. Standard MFA (time based codes) is not phishing resistant. Users can be social engineered into giving up a password and MFA token. Other MFA types, such as pop up notifications, are susceptible to MFA fatigue. Similar to YubiKeys, Passkeys implement a phishing resistant MFA by storing an encryption key, along with requiring a biometric. The benefit here is that these are far easier for the average user, and the user does not need to carry a physical device. Sure, fingerprints could possibly be grabbed with physical presence, but there is far less risk that a users fingerprint is stolen, than a user being social engineered over the phone into giving creds. For most organizations and users, this is far more secure.

[–] atheken 9 points 1 year ago* (last edited 1 year ago) (1 children)

And, they are actually more convenient because then entire login process is one step with minimal keyboard input, rather than two.

[–] [email protected] 5 points 1 year ago (1 children)

What's the backup login mechanism when you lose your biometric sensor? How do you pair with the new sensor?

[–] atheken 3 points 1 year ago (1 children)

You can still keep password + 2FA on GitHub and Google Suite (probably anything else that's currently implementing them), it's just a convenience/anti-phishing feature right now.

The passkey is synced between devices if it's kept in a password manager, I haven't looked at the mechanism that Apple uses to sync it/use it if you store it in the system keychain. I guess you could also have multiple passkeys configured for a few devices.

[–] [email protected] 2 points 1 year ago (1 children)

IIUC Apple syncs them using the most secure way they can, i.e. when you enroll a new device to your account the existing device, the existing device's HSM encrypts keys using the pubkey of the new one's HSM; and for recovery from being left with 0 Apple devices there might be (?) an escrow option that's optional (?)

[–] atheken 2 points 1 year ago

Cool. I should check it out. I tend to assume that when Apple (or Google) rolled this out that it’s not broken in any obvious way that I would recognize right away.

But like contactless payments, which I’ve advocated my friends and family switch to, I should read up on why it’s more secure.

load more comments (14 replies)
load more comments (19 replies)