this post was submitted on 04 Nov 2023
231 points (94.3% liked)

Technology

34882 readers
17 users here now

This is the official technology community of Lemmy.ml for all news related to creation and use of technology, and to facilitate civil, meaningful discussion around it.


Ask in DM before posting product reviews or ads. All such posts otherwise are subject to removal.


Rules:

1: All Lemmy rules apply

2: Do not post low effort posts

3: NEVER post naziped*gore stuff

4: Always post article URLs or their archived version URLs as sources, NOT screenshots. Help the blind users.

5: personal rants of Big Tech CEOs like Elon Musk are unwelcome (does not include posts about their companies affecting wide range of people)

6: no advertisement posts unless verified as legitimate and non-exploitative/non-consumerist

7: crypto related posts, unless essential, are disallowed

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 5 points 1 year ago (1 children)

They are fine, just ssh public private keypairs but for "the web".. worse than fido2.. so not really sure why they are being pushed so much above fido2

[–] [email protected] 6 points 1 year ago* (last edited 1 year ago) (1 children)

They are FIDO2. This is the passwordless stuff yubico has been talking about and working on for ages, plus a marketing name.

https://www.yubico.com/blog/a-yubico-faq-about-passkeys/

[–] [email protected] 3 points 1 year ago (1 children)

Wow! I had no idea. I assumed the yubikey bioseries didn't work with passkeys. But I read the documentation that you linked, and I just tested it out on the demo site. It works.

That's amazing! Thanks

Can only store 25 keys but hey that's still something.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

I like that you are able to query what keys are stored, so if you are ever replacing or upgrading the key you can see where you should update to the new one. That is tough on the current yubikey, I've got a few generations of them and have to hold onto them just in case I happened to use them for 2FA somewhere and don't remember it. 2FA is dynamically generated so there's not really a way to change that, it's just inconvenient.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (2 children)

I prefer the yubikey webauthn fido2 non passkey approach. It's not limited to 25 slots. And if your key gets compromised, or you're forced to unlock it, there isn't a list of sites that it works on.

With passkeys, if somebody compromises you, physically, they can see everything you can log into. That makes me feel icky

[–] tippl 4 points 1 year ago (1 children)

if somebody compromises you, physically, they can see everything you can log into

Can they though? I own a few yubikeys with passkeys stored inside and i cannot query stored logins without entering a pin.

[–] [email protected] -1 points 1 year ago

Right, so they coerce you to unlock the yubi key (threats, torture, finger removal, etc) and now they see all your passkeys and what they belong to. It's a menu of your activity.

[–] [email protected] 4 points 1 year ago

There are definitely pluses and minuses. It will lock you out after 8 incorrect pins so if it came down to it, you could probably force it to lock pretty quickly.