Passkey is some sort of specific unique key to a device allowing to use a pin on a device instead of the password. But which won’t work on another device.

Now I don’t know if that key can be stolen or not, or if it’s really more secure or not, as people have really unsecure pins.

    • atzanteol@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      2
      ·
      1 year ago

      That’s a terrible take … He’s confusing “what it does and how it works” with “how you manage it”.

      It’s like saying “don’t call it a password if you write it down”. It’s confusing and unhelpful.

      • Natanael@slrpnk.net
        link
        fedilink
        English
        arrow-up
        8
        ·
        1 year ago

        No it’s literally in the spec. Passkeys are designed for cross device synchronization. You have to go out of your way to make it local only (or use a different webauthn spec like physical security keys)

        • atzanteol@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          They’re just private keys. By nature you can copy them wherever you want. I guess I don’t know why he’s making that distinction at all.

          • Natanael@slrpnk.net
            link
            fedilink
            English
            arrow-up
            4
            ·
            1 year ago

            The original spec is resident keys including TPM protected or hardware token protected keys designed to be impossible to copy. That’s why there’s a distinction.