81
Passkeys are generally available on GitHub
(github.blog)
Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!
Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.
Hope you enjoy the instance!
Rules
Follow the wormhole through a path of communities !webdev@programming.dev
Can someone tell me why I should care about this rather than just continuing to use my password and 2FA?
I’m stealing this from another comment:
The main advantage comes with phishing resistance. Standard MFA (time based codes) is not phishing resistant. Users can be social engineered into giving up a password and MFA token. Other MFA types, such as pop up notifications, are susceptible to MFA fatigue. Similar to YubiKeys, Passkeys implement a phishing resistant MFA by storing an encryption key, along with requiring a biometric. The benefit here is that these are far easier for the average user, and the user does not need to carry a physical device. Sure, fingerprints could possibly be grabbed with physical presence, but there is far less risk that a users fingerprint is stolen, than a user being social engineered over the phone into giving creds. For most organizations and users, this is far more secure.
So basically this is just idiot-proofing the system. If you aren't the type of person to give your password or MFA token to another person, then passkeys don't really make better security.
It also allows you to login without someone visually observing your password while typing it on a keyboard or on an untrusted device that could have a keylogger.