GitHub auth (lemmy.world)
[-] nialv7@lemmy.world 7 points 1 week ago* (last edited 1 week ago)

Yes, it's implementation specific; in this case your phone or your browser is the passkey "device". And as long as it's protected by some form of authentication it's OK (though I would recommend a hardware token over phones/browsers). If it isn't, then you shouldn't be using that "passkey". Yes, there is no way for the website you are authenticating with to know whether your passkey is safe or not; choosing a secure passkey implementation is (unfortunately) the user's job. But it's the same with more traditional 2FAs, e.g. you can store your TOTP secret securely or insecurely, and the website will have no way to know.

this post was submitted on 16 Sep 2025
715 points (97.9% liked)
