• shonn@lemmy.world
    link
    fedilink
    arrow-up
    5
    ·
    1 month ago

    That makes it sound like it’s a password. If a passkey can be saved in a password manager, can it be memorized or written down? What makes a passkey different than a password? Or are they just two ways of saying the same thing? Is it a really long password that makes you dread having to type it in, or even worse, enter it in with a virtual keyboard with a remote with arrow buttons?

    • BakedCatboy@lemmy.ml
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 month ago

      The key difference is that during normal use, the private key of the passkey doesn’t leave the device (or password manager). The passkey basically comes in 2 parts, the public and private (secret) part. In order to log in, the website presents a cryptographic challenge that is only solvable using your private key - and crucially you can solve the challenge without revealing your private key. An attacker could get your answer to the challenge and still be unable to solve additional challenges without the private part of your passkey.

      This of course makes it basically impossible to manually log in using a passkey and a keyboard, without any password manager to do the cryptographic calculations (unless you have a LOT of paper and time), but the security advantage of making it near impossible to be phished is generally regarded as a net positive. In order to steal a passkey there would need to be a vulnerability in the software, since passkeys make it much harder to trick a user into giving it away (since tricking the user into logging in on a fake website doesn’t work due to the aforementioned cryptography, the main way to steal a passkey would be to trick the user into exporting it - which is a much higher bar).

      • Synapse@lemmy.world
        link
        fedilink
        arrow-up
        4
        ·
        1 month ago

        No, the cryptographic keys used in passkey are not just very long passwords. In face they are not so long. Typical keys generated with ed25519 are 60 characters long.

    • xmunk@sh.itjust.works
      link
      fedilink
      arrow-up
      1
      ·
      1 month ago

      Everything in a computer is data - passwords are no different from novels and you could use War and Peace as your password as long as you hated whatever system needed to check it.

      Passkey is usually used to describe a password you keep in a file usually with a public/private pairing though, with everything computer, this is only the general form and description.

      I mentioned putting it in a password manager because, as mentioned, it’s just a string of text… if you want you can put the full executable bundle for Starcraft2 in your password manager - most have trivial ways to copy in whole files but, again, it’s just data.