• lemmyvore@feddit.nl · 1 year ago

    There are lots of advantages:

    • No need to worry about password encoding, like this emoji debacle for example. Actually there’s no need to worry about passwords in general anymore, no more worries about lengths, encoding, character space, remembering them etc.
    • It eliminates that scam where attackers set up a site on a domain that looks like the correct one, because the domain is part of the protocol.
    • It eliminates phishing for 2FA because login only works on your device anyway and there’s nothing you can be tricked into giving away to an attacker.
    • If attackers break into a site and steal the public keys they can’t use them for anything.
    • Since the whole process is automated between servers and browsers and also standardized, it can be upgraded seamlessly and continuously, you can upgrade the protocol, the key lengths, the encryption ciphers etc. with zero impact for the user. New upgraded versions can be distributed to both servers and browsers and they’ll just use the highest version they both have.
    • 2FA is a core part of the protocol, but again in a way that eliminates phishing: it’s basically a way to unlock access temporarily to one specific key in your key vault. You can use a master password, or a USB key, or TOTP codes, or biometrics (fingerprint or face) etc., but NOT cellular texts (SMS) anymore because the vault stays on your devices, no need for another party to send you anything.
    • Syncing your vault online and over multiple devices, as well as backup, are also a core part of the approach and will eliminate the worry that you drop your phone and you’re screwed forever.

    The downside is that there’s been a whole bunch of tools and apps and services built around passwords for decades and converting all that mass to passkey tools will take a bit.

    There are some other tradeoffs. Right now, for example, I can reasonably print all my passwords and TOTP codes on a few sheets of paper and achieve an “offline” backup in case of untimely death and so on; it’s going to be a bit more cumbersome with passkeys. But I expect there will be ways to optimize that as the technology evolves.