• Big Tech has implemented passkeys in a way that locks users into their platforms rather than providing universal security
  • Passkeys were developed to replace passwords for better account security, but their rollout by Apple and Google has limited their potential
  • Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.
          • locuester@lemmy.zip
            link
            fedilink
            English
            arrow-up
            4
            ·
            9 months ago

            Most in the crypto industry wouldn’t consider a hardware key that shares metal with an internet connected device to be a very safe hardware key though. Of course when your hardware key such as a ledger or yubikey is plugged into your computer, now it’s also sharing metal.

            I think the industry needs a term to differentiate between all these categories of hardware wallets.

            The best is an airgapped hardware wallet such as Keystone.

            • ShittyBeatlesFCPres@lemmy.world
              link
              fedilink
              English
              arrow-up
              7
              ·
              9 months ago

              Oh, yes. Let’s listen to the crypto industry, that famous industry with no security breaches or frauds. We might as well ask for site design advice from restaurants that don’t put their hours or menu somewhere prominent on their site.

                • GamingChairModel@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  9 months ago

                  That’s probably what pisses me off the most about the cryptocurrency world. They somehow appropriated the word “crypto” to mean their internet money, instead of the meaning it had tracing back to World War 2, if not earlier.

              • locuester@lemmy.zip
                link
                fedilink
                English
                arrow-up
                2
                ·
                9 months ago

                The crypto industry has been perfecting key security for 10 years with huge financial incentive to do so.

                Hacks and grifters are in every industry. It’s unrelated to a conversation about passkeys.

                • ShittyBeatlesFCPres@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  9 months ago

                  Let me know when the crypto community gets key security perfected so I can buy some glorified airplane points from a guy named catfucker88 or whatever. In the mean time, I’ll use normal cryptography libraries and leave the headassery to others.

              • Aceticon@lemmy.world
                link
                fedilink
                English
                arrow-up
                5
                ·
                9 months ago

                If the key is in the same device that’s being used to access a protected resource over the network, the thing can be potentially be hacked and the key retrieved.

                That’s why there are solutions were the key never leaves a secure hardware device, such as challenge-response authentication were a bank card’s smartchip is used to generate responses to the challenges (with the key never being outside the card) or keydongles that show a variable code, depending on time.

                This is actually pretty old tech.

    • asmoranomar@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      ·
      9 months ago

      From my understanding it’s the concept of trust. Basic passwords are complete trust that both ends are who they say they are, on a device that is trusted, and passing the password over the wire is sufficient and nobody else tries to violate that trust. Different types of techniques over time have been designed to reduce that level of trust and at a fundamental level, passkeys are zero trust. This means you don’t even trust your own device (except during the initial setup) and the passkey you use can only be used on that particular device, by a particular user, with a particular provider, for a particular service, on their particular hardware…etc. If at any point trust is broken, authentication fails.

      Remember, this is ELI5, the whole thing is more complex. It’s all about trust. HOW this is done and what to do when it fails is way beyond EIL5. Again, this is from my own understanding, and the analogy of hardware passwords isn’t too far off.

    • Dark Arc@social.packetloss.gg
      link
      fedilink
      English
      arrow-up
      6
      ·
      edit-2
      9 months ago

      Not ELI5 level but…

      If you understand SSH keys, it’s basically the same thing made more general.

      Whatever website (e.g. lemmy.world) has a copy of the public key, they encrypt something with the public key, you decrypt it, reencrypt it with your private key and send it back (where they can then decrypt it and verify what they got back is what they expected). By performing that round trip, you’ve verified you have the correct key, and the “door opens.”

      The net effect is you can prove who you are, without actually giving someone the ability to impersonate you. It’s authentication via “secret steps only you would know” instead of authentication by a fixed “password” (that anyone who hears it can store and potentially use for their own purposes).

      That’s all wrapped up in an open protocol anyone can implement and use to provide a variety of (hopefully) user friendly implementations (like the one Proton made) 🙂

    • Swarfega@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      ·
      9 months ago

      I guess it’s a bit like a bank card with a PIN. You go to pay for something and your card stores your credentials on it. To allow those credentials to be read you need to unlock them using the PIN.