• 4am@lemm.ee
      link
      fedilink
      arrow-up
      4
      ·
      14 days ago

      Passkeys are basically client certs for website logins.

      Server stores a public key, encrypts a challenge on login attempt. Client browser uses private key to decrypt challenge (and sign it maybe?) and respond to web server to authenticate.

      Hackers can’t get a shared secret (like a password or password hash) by hacking the website’s database becaus the public key is all they store; useless without the private key.

      Not foolproof, but much harder to exploit than passwords - which many people re-use across multiple sites.

    • hedgehog@ttrpg.network
      link
      fedilink
      arrow-up
      4
      ·
      14 days ago

      What are the benefits of a client certificate? As an end user, I’m pretty sure I’ve never used one.

      • Limonene@lemmy.world
        link
        fedilink
        arrow-up
        3
        ·
        14 days ago

        I don’t know much about client certificates, because nobody ever used them. All I know is that they are decades older than passkeys, and “certificate” implies there is a public-private keypair, just like in a passkey.

        • hedgehog@ttrpg.network
          link
          fedilink
          arrow-up
          3
          ·
          14 days ago

          If I were talking about Passkeys and comparing them to client certificates, even though I don’t know much about client certificates in practice, I would say:

          • Passkeys can be installed in your password manager, which handles securely syncing it to all of your devices
          • Websites can make it very easy to create or log in with a passkey
          • Far more websites support passkeys
          • Websites can support multiple passkeys per user
          • The user experience is far better with passkeys
          • Even if your password manager isn’t installed on a given machine, you can still log in with a passkey via your phone, so long as both devices have bluetooth enabled. This allows you to log in on an untrusted device, like a library computer, without exposing your password (though unfortunately that would still result in that computer having access to the session and being able to modify account settings - best practice would be to log out when you’re done and then, from a trusted device, confirm that you were logged out / log out of all devices.)