Conversation

Notices

1. Embed this notice
   Tim Bray (timbray@cosocial.ca)'s status on Sunday, 28-Apr-2024 04:19:53 JST Tim Bray

   This apparently touched a nerve; I had no idea. Check the comment thread.

   My own major gripe with passkeys is that I could never find a simple straightforward explanation of what they were and how they were to be used. I have a decent understanding of asymmetric crypto and PKI and key exchange and JWT and so on, so if you can’t explain it to me, you have a big problem.

   https://cosocial.ca/@timbray/112339186728840038

   • Embed this notice
     Jef Poskanzer :batman: (jef@mastodon.social)'s status on Sunday, 28-Apr-2024 04:19:51 JST Jef Poskanzer :batman:

     in reply to

     • jwz

     @jwz @timbray Last year I got scolded by a passkey developer for pointing out that for the huge majority of users, it's one-factor login and the factor is biometrics. So, not really very secure after all. But the dev was like, we put a lot of work into this so don't criticize it.

   • Embed this notice
     jwz (jwz@mastodon.social)'s status on Sunday, 28-Apr-2024 04:19:52 JST jwz

     in reply to

     @timbray Absolutely! It took me like 6 months to finally figure out that passkeys are just ssh authorized_keys that live in the secure enclave. Literally every article about them leads you to believe that they are deeply intertwined with biometrics - and that this is supposed to be a good thing.

     esmevane, sorry repeated this.