Programming

16240 readers

99 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Follow the programming.dev instance rules
Keep content related to programming in some way
If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]

founded 1 year ago

MODERATORS

[email protected]

Passkeys are generally available on GitHub (github.blog)

submitted 9 months ago by [email protected] to c/[email protected]

21 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] Asudox 2 points 9 months ago* (last edited 9 months ago) (1 children)

It has its own pros. The biggest one is that it uses asymmetric cryptography. This means that the only one that can sign a challenge given by the server is the one that has the private key equivalent of the public key the challenge was used to be encrypted with. The challenge is sent to the client, in which the client signs the challenge the server sent with their private key and then sent back to the server. Since the server has the public key, the server can verify whether the signature is indeed from the private key owner. This is possible because the private and public key are mathematically linked. This is the reason why it is phish proof. Though I am not sure whether a phisher can just take the challenge, let the victim sign it and then give back the challenge to the server to login. Can anyone confirm that? They are not better than hardware keys (since they are basically software versions of physical hardware keys), but at least better than passwords. At least the breaches will impose much lesser risks when it becomes a standard.