I think of myself as tech savvy, but for some reason I either missed the memo on Passkeys, or just misunderstand how the thing works. I'm reasonably sure my parents/grandparents will start asking me about this stuff soon (as Google / other websites push it on them), and I'd really like to understand it myself first so I can explain it to them as well.
Right now, to log in to a website/account/etc., I just need to know my login (i.e. my email address, or my username) and my password. For example, “FakeDogLover” + “CatsRule123”. How is a Passkey different?
A passkey is more cryptographically secure (by a lot), and unphishable because it cryptographically verifies the domain instead of relying on the user to notice if the URL is one character off. It’s encrypted locally and you only have to remember one PIN, or have one biometric, for all the passkeys on your device (rather than managing hundreds of passwords). You can keep passkeys for all your accounts on one device, and you can register multiple passkeys per account so you can have a backup device or security key.
It’s a part of the FIDO2 protocol, so I would have said it’s always 2-factor (you know your PIN or are your biometric, and have your phone or security key), but now Google and Apple are both syncing passkeys, so it becomes possible to break that and get access to a passkey with only things you know.