• 1984@lemmy.today
    link
    fedilink
    English
    arrow-up
    8
    ·
    5 months ago

    Even better would be to use certificates instead of passwords. What if every website gave you a certificate signed by them, and you store that in your password manager automatically.

    Maybe that’s what passkeys are… Haven’t read up on them at all.

    • Spotlight7573@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      5 months ago

      Basically with passkeys you have a public/private key pair that is generated for each account/each site and stored somewhere on your end somehow (on a hardware device, in a password manager, etc). When setting it up with the site you give your public key to the site so that they can recognize you in the future. When you want to prove that it’s you, the website sends you a unique challenge message and asks you to sign it (a unique message to prevent replay attacks). There’s some extra stuff in the spec regarding how the keys are stored or how the user is verified on the client side (such as having both access to the key and some kind of presence test or knowledge/biometric factor) but for the most part it’s like certificates but easier.

    • Passerby6497@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      5 months ago

      I really wish SQRL had taken off. It’s a lot like pass keys, but it used a central certificate to mint per-site certificates (along with per user per site certs if memory serves) and had proper methods of rolling it in and rotating the keys assigned to your account.