Passkey is some sort of specific unique key to a device allowing to use a pin on a device instead of the password. But which won’t work on another device.

Now I don’t know if that key can be stolen or not, or if it’s really more secure or not, as people have really unsecure pins.

    • russjr08@outpost.zeuslink.net
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Google definitely supports passkeys, and they were one of the sites that did this. I’ve just replied to another comment regarding this. I wonder if the Yubikey 4 (I’m not sure how to tell which one I have, since they look about the same) just doesn’t support passkeys, which would be… unfortunate.

      It’ll be even more unfortunate if there’s a weird mix of sites that support the Yubikey as a passkey and some only support it as a passkey. My Pixel is supported as a passkey, but Firefox on Linux doesn’t support this - only on Windows and macOS. I believe Chrome/Chromium does, which is equally as frustrating as my Yubikey possibly not supporting passkeys.

      Strangely enough, Google lets me “add” my Yubikey as a passkey, but then does not let me sign in with it due to it not being “recognized”. If I remove it as a passkey, and only use it as a 2FA token, attempt to sign in and use the “Enter your password” option, it will then let me use the key after I’ve entered my password as a second factor.

      So it seems Google has removed the error (or its not triggering anymore) as they will have been one of the first sites I tried to create a passkey for, but it still does not let you use it as a passkey.

        • russjr08@outpost.zeuslink.net
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Interesting, I’ll probably just have to wait till either Bitwarden supports Passkeys, or wait till Firefox on Linux supports cross-device Passkeys (so, my phone for example) as yeah a 25 key limit is not likely to be worth purchasing an upgrade for just yet.

      • Natanael@slrpnk.net
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        The credential needs to be set as discoverable and some other stuff to work for passwordless login (the token must store site specific data)

        You would need to reregister it as passwordless to not just use it as 2FA after having entered a password (meanwhile standard 2FA with webauthn don’t store anything on the token, the website sends encrypted credentials to the token which only the token can decrypt and then authenticate with)