this post was submitted on 11 Oct 2023
290 points (98.7% liked)

Passkey is some sort of specific unique key to a device, allowing you to use a PIN on the device instead of the password, but it won't work on another device.

Now I don't know if that key can be stolen or not, or if it's really more secure or not, as people have really insecure PINs.

[–] Tibert@jlai.lu 2 points 1 year ago* (last edited 1 year ago) (1 children)

So first, no, all the files should not be accessible: there are special items that are not "files" but keys, like the key used for this method. These keys pose a huge security risk if they are leaked somehow. The key can be something used to encrypt the device/disk, encrypt a connection, and other things associated with encryption.

And because of that security risk, they are often stored in a special chip or simulated chip (like the simulated TPM 2.0 on PC CPUs), and not just "stored" so any malware or who knows what can access them just by reading the drive.

Second, the key is never transferred. When you connect to another device, that other device will get another key. Or maybe it could be backed up somehow in case of recovery on another phone? But that would defeat the entire purpose of this.

How Google would allow you to connect to another device if the first one is lost, I'm not sure. But it would certainly either ask for a password and a 2FA method.
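
Added example (not part of the thread, and not Google's or WebAuthn's actual implementation): a simplified Node.js model of the per-device key idea in the comment above, where each device keeps its own private key, the server stores only public keys, and login is a signature over a fresh one-time challenge. The `Device` and `Server` classes and the device names are hypothetical; real WebAuthn also signs the origin, flags and a counter.

```javascript
const crypto = require('crypto');

class Device {
  #privateKey; // stays inside the device object, like a key held in a TPM
  constructor(name) {
    this.name = name;
    const pair = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.#privateKey = pair.privateKey;
    this.publicKey = pair.publicKey; // only this half is sent to the server
  }
  // The local PIN/biometric check would gate this call; it is not modelled here.
  sign(challenge) {
    return crypto.sign('sha256', challenge, this.#privateKey);
  }
}

class Server {
  constructor() {
    this.registered = new Map(); // device name -> public key
    this.pending = new Map();    // device name -> outstanding challenge
  }
  register(device) {
    this.registered.set(device.name, device.publicKey);
  }
  newChallenge(name) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(name, challenge);
    return challenge;
  }
  login(name, signature) {
    const publicKey = this.registered.get(name);
    const challenge = this.pending.get(name);
    this.pending.delete(name); // single use, so a captured signature cannot be replayed
    if (!publicKey || !challenge) return false;
    return crypto.verify('sha256', challenge, publicKey, signature);
  }
}

function demo() {
  const server = new Server();
  const phone = new Device('phone');   // constructed sample devices
  const laptop = new Device('laptop');
  server.register(phone);
  const sig = phone.sign(server.newChallenge('phone'));
  const ok = server.login('phone', sig);
  const replay = server.login('phone', sig); // challenge already consumed
  const wrongKey = server.login('phone', laptop.sign(server.newChallenge('phone')));
  server.register(laptop); // the second device enrols its own, different key
  const laptopOk = server.login('laptop', laptop.sign(server.newChallenge('laptop')));
  return { ok, replay, wrongKey, laptopOk };
}
```

The server in this model never holds anything that can sign, so a dump of `registered` yields public keys only.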

[–] jarfil@lemmy.world 0 points 1 year ago (1 children)

> How Google would allow you to connect to another device if the first one is lost, I'm not sure. But it would certainly either ask for a password and a 2FA method.

That's the key question. From what it seems, it would replace a password manager with different passwords for each website, but you give Google control of the master password.

[–] Tibert@jlai.lu 1 points 1 year ago

It is not for the password manager...

It's just to connect to the google account.

It is not a service to connect to other ones without passwords.