Comment on What is a passkey, in practice? Is it a file? A token? Can I keep it in an USB drive? How can I save it in case of device loss?

4am@lemm.ee 4 weeks ago

Passkeys are basically client certs for website logins.

Server stores a public key, encrypts a challenge on login attempt. Client browser uses private key to decrypt challenge (and sign it maybe?) and respond to web server to authenticate.

Hackers can’t get a shared secret (like a password or password hash) by hacking the website’s database because the public key is all they store; useless without the private key.

Not foolproof, but much harder to exploit than passwords - which many people re-use across multiple sites.

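The challenge-response login discussed in the comment above, as an added example that is not part of the original comment or of any project's code: in WebAuthn the authenticator signs the server's one-time challenge together with the site origin, and the server checks that signature against the stored public key. The `Server` and `Authenticator` classes, the user name and the origins are constructed for illustration, and the JSON message is a simplification of the real WebAuthn format.

```javascript
// Added example: simplified passkey-style login, not the real WebAuthn wire format.
const nodeCrypto = require('node:crypto');
const ORIGIN = 'https://example.test'; // constructed relying-party origin

// Server side: holds only public keys and one outstanding challenge per user.
class Server {
  constructor() { this.publicKeys = new Map(); this.pending = new Map(); }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  issueChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32).toString('hex');
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, clientData, signature) {
    const expected = this.pending.get(user);
    this.pending.delete(user);                      // single use: a replay finds nothing
    const publicKey = this.publicKeys.get(user);
    if (!expected || !publicKey) return false;
    let data;
    try { data = JSON.parse(clientData); } catch { return false; }
    if (data.challenge !== expected) return false;  // must answer this login attempt
    if (data.origin !== ORIGIN) return false;       // response was signed for another site
    return nodeCrypto.verify('sha256', Buffer.from(clientData), publicKey, signature);
  }
}

// Client side: the private key stays inside this object.
class Authenticator {
  constructor() {
    const pair = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKey = pair.privateKey;
    this.publicKeyPem = pair.publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(challenge, origin) {
    const clientData = JSON.stringify({ challenge, origin });
    const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), this.privateKey);
    return { clientData, signature };
  }
}

function demo() {
  const server = new Server();
  const device = new Authenticator();
  server.register('alice', device.publicKeyPem);
  const ok = device.sign(server.issueChallenge('alice'), ORIGIN);
  const login = server.verify('alice', ok.clientData, ok.signature);
  const replay = server.verify('alice', ok.clientData, ok.signature);
  const p = device.sign(server.issueChallenge('alice'), 'https://examp1e.test');
  const wrongOrigin = server.verify('alice', p.clientData, p.signature);
  const f = new Authenticator().sign(server.issueChallenge('alice'), ORIGIN);
  const forged = server.verify('alice', f.clientData, f.signature); // other key pair
  return { login, replay, wrongOrigin, forged };
}
```

Calling `demo()` returns which of the four attempts the server accepts: the genuine login, a replay of the same response, a response signed for a look-alike origin, and a response signed with a key pair other than the registered one.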