• Kusimulkku@lemm.ee
    link
    fedilink
    arrow-up
    12
    ·
    edit-2
    4 months ago

    A lot of the stuff that has implemented passkeys so far are on mobile. And I mean the apps serving them out, not things you authenticate to.

    • 4am@lemm.ee
      link
      fedilink
      arrow-up
      13
      ·
      4 months ago

      BitWarden has a desktop extension and it also handles 2FA. No reason to be using a password, which is way less secure and can be extracted from a website DB via a hack.

        • perfectly_boiled_pizza@lemmy.world
          link
          fedilink
          arrow-up
          3
          ·
          edit-2
          4 months ago

          In practice, yes. IF IMPLEMENTED PROPERLY it would be extremely unlikely for an attacker to get in.

          For example with a proper implementation of TOTP it would require an attacker to guess the correct number between 0 and 999999 in less than half a minute. Most services make you wait a little bit (often less than humans notice) between attempts and don’t allow infinite attempts, so an attacker would have to be unimaginably lucky.

          There are sadly lots of huge companies that DON’T IMPLEMENT 2FA PROPERLY. Sony Entertainment (account for PlayStation) for example. So a unique and long password is still important.

          • Natanael@infosec.pub
            link
            fedilink
            arrow-up
            1
            ·
            4 months ago

            TOTP can be phished remotely, passkeys / hardware security keys can’t (need to get malware into the users’ computer instead)

    • Ulrich@feddit.org
      link
      fedilink
      English
      arrow-up
      1
      ·
      4 months ago

      Well that’s not a problem with Passkeys, that’s a problem with implementation. The ones I use are saved to a password manager and can be used anywhere that password manager is installed.