do people here use passkey to log-in?

  • Want to keep track of this thread?
    Accounts can bookmark posts, watch threads for updates, and jump back to where you stopped reading.
    Create account
the grey cat

the grey cat

between black and white
kiwifarms.net
Joined
Mar 5, 2024
1747236214806.webp
this wasn't here before and was added early this year. does it actually work or is it just there for decoration?
 
Sort by date Sort by votes
Not Even Kiwi Music said:
You could get away with it if you put the recovery code within the notes of your account in your preferred password manager, or elsewhere.
Click to expand...
The key material that does the signing is in your system’s cryptographic store* and cannot be exported**, you can only sign challenges via the crypto APIs but the browser never has the private key revealed to it. This defeats infostealer viruses, even if they catch you with the password manager open, so storing your recovery info next to it completely defeats the point of passkeys.

Also, recovery info should be used in the event of the failure of your password manager so you probably can’t use it anyway.

Recovery info needs to be treated in a completely different way, I just print the codes out and physically store them in a specific place because layer 0 attacks just aren’t in my personal threat model, and this is true for most people. You could also maintain a notebook for this purpose but that could get tiresome.

* assuming correct implementation
** assuming you don’t get rooted
 
Upvote 0 Downvote
glow said:
The key material that does the signing is in your system’s cryptographic store* and cannot be exported**, you can only sign challenges via the crypto APIs but the browser never has the private key revealed to it. This defeats infostealer viruses, even if they catch you with the password manager open, so storing your recovery info next to it completely defeats the point of passkeys.

Also, recovery info should be used in the event of the failure of your password manager so you probably can’t use it anyway.

Recovery info needs to be treated in a completely different way, I just print the codes out and physically store them in a specific place because layer 0 attacks just aren’t in my personal threat model, and this is true for most people. You could also maintain a notebook for this purpose but that could get tiresome.

* assuming correct implementation
** assuming you don’t get rooted
Click to expand...
You can still get screwed over with just the OTP key if your password manager database gets compromised, so whether you save seeds/keys or not in that manner, it doesn't really mean anything. It would make more sense however to do that if only recovery codes could actually be used to get rid of the OTP, but most of the time OTP also works for that which defeats the point of a recovery code. A better approach to not losing your database is to make sure you properly make backups when it comes to file system or storage failures.
 
Last edited:
Upvote 0 Downvote
You must log in or register to reply here.
Back
Top Bottom