this post was submitted on 16 Dec 2023
24 points (100.0% liked)

Android

17717 readers
63 users here now

The new home of /r/Android on Lemmy and the Fediverse!

Android news, reviews, tips, and discussions about rooting, tutorials, and apps.

🔗Universal Link: [email protected]


💡Content Philosophy:

Content which benefits the community (news, rumours, and discussions) is generally allowed and is valued over content which benefits only the individual (technical questions, help buying/selling, rants, self-promotion, etc.) which will be removed if it's in violation of the rules.


Support, technical, or app related questions belong in: [email protected]

For fresh communities, lemmy apps, and instance updates: [email protected]

💬Matrix Chat

💬Telegram channels / chats

📰Our communities below


Rules

  1. Stay on topic: All posts should be related to the Android OS or ecosystem.

  2. No support questions, recommendation requests, rants, or bug reports: Posts must benefit the community rather than the individual. Please post to [email protected].

  3. Describe images/videos, no memes: Please include a text description when sharing images or videos. Post memes to [email protected].

  4. No self-promotion spam: Active community members can post their apps if they answer any questions in the comments. Please do not post links to your own website, YouTube, blog content, or communities.

  5. No reposts or rehosted content: Share only the original source of an article, unless it's not available in English or requires logging in (like Twitter). Avoid reposting the same topic from other sources.

  6. No editorializing titles: You can add the author or website's name if helpful, but keep article titles unchanged.

  7. No piracy or unverified APKs: Do not share links or direct people to pirated content or unverified APKs, which may contain malicious code.

  8. No unauthorized polls, bots, or giveaways: Do not create polls, use bots, or organize giveaways without first contacting mods for approval.

  9. No offensive or low-effort content: Don't post offensive or unhelpful content. Keep it civil and friendly!

  10. No affiliate links: Posting affiliate links is not allowed.

Quick Links

Our Communities

Lemmy App List

Chat and More


founded 1 year ago
MODERATORS
 

.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 3 points 11 months ago* (last edited 11 months ago) (1 children)

https://www.passkeys.io/technical-details#passkeys-under-the-hood

They are a form of public key cryptography.

The private key never leaves your device.

You can't really transfer them between devices.

A lot of your other questions depend on the service. Generally you can still opt to use a password+2FA instead even if you have PassKeys enabled so adding one on a second device would simply require logging in with the password first or authenticating from another device if the service supports it.

I don't use 1Password so I can't speak to their setup.

[–] akilou 1 points 11 months ago (2 children)

This doesn't seem more secure than having a password saved in a password manager.

[–] [email protected] 5 points 11 months ago

It definitely is. A passkey in a TPM, for example, cannot leave a device. Also, passkeys can have phishing resistance that you cannot obtain with a password and most MFA solutions.

Where passkeys fall short is registering new devices and recovery. I'm not sure what 1Password's solution is here.

[–] whosdadog 4 points 11 months ago

It's much more secure on 'less than trusted' devices and for less than secure people.

Instead of having to type your password in on your friends laptop that may have a keylogger installed, you just type your username in and then do your fingerprint on your phone. That's it; your phone verifies it's you and then transmits the passkey over Bluetooth, so it can't be phished or observed while you type it.

For less than secure people, you don't have to convince them to use a password manager and stop writing their passwords on sticky notes. They just type in their username and do their fingerprint on their phone. It can't be phished so even if someone is remotely controlling a victims computer the damage is limited to allowing access to a single account on that physical computer - they can't take that passkey and use it anywhere else, unlike a password for an email account that's used for online banking as well. They also can't keylogger it and then log in after they're disconnected from the victim.