← Back to context

Comment by tempestn

4 months ago

What is the advantage of passkeys compared to managing unique passwords with 1pw? Is there any tangible benefit to switching, besides that Google et al will stop hounding you to do so?

9 comments

tempestn

Reply
UltraSane  4 months ago

Passkeys are asymmetric keys so a hacked site cannot leak the hash or even the plaintext of a passkey. And the private key is never exported to insecure hardware. Funny how so many Linux gurus have been shitting on using passwords for SSH for decades in favor of using SSH keys and now that there is an actually effort to use what are essentially SSH keys tied to a specific domain they are rejecting it.

  • tempestn  4 months ago

    Sorry, I'm still not clear what the advantage is, compared to storing unique passwords in 1pw. If a site is hacked, the only thing at risk is my data on that specific site, which would be the case either way. I definitely understand how they would be easier and more secure for people who don't use a pw manager, but that's not my question.

    • packtreefly  4 months ago

      There are some obvious, significant benefits I can think of off the top of my head:

      - Passkeys give the website no secret to keep.

      Breach of the passkey public key is not an event worthy of credential rotation.

      - Passkey authentication is submitted via a rigorously-defined mechanism intended for machine-to-machine communication.

      Ever had your password manager try to fill the wrong field with your login credentials? Passkeys cannot make that mistake. There's no heuristic mechanism at play trying to figure out where to insert the passkey.

      - Passkeys are immune to credential theft via MITM

      Sure the MITM could hijack the session, but not the credential. (I know this one is a stretch, but you asked for anything)

      1 reply →