@iMeddles the problem is not the nature of any of the authentication devices but rather the fact that you're losing the multi in multi-factor authentication.
With multi-factor authentication, if someone steals my security key, they still need to guess my #passwords. If someone cracks my passwords, they still need to get their hands on my key.
With #passkeys, this is no longer true and all your authentication and identity is rolled into one device that if compromised, compromises everything. #MFA
This week in #FDroid (TWIF) is alive:
* website categories fixed
* calls by e-mail? #DeltaChat #ArcaneChat
* we caught up with #Catima
* last #FOSS version #DOOM #Wolfenstein #RPG
* sorry Android 5,6 and 7, #Fennec now needs 8+
* #Passkeys by #KeepassDX
* time flies, 10 years of #NewPipe
+ 8 new apps
& 131 updates
- 2 archived apps
Start reading: https://f-droid.org/2025/10/24/twif.html
So I think I'll need to read up on it a bit. I understand that "Passkeys" try to do something similar to SSH pubkeys.
But do you know a good technical explainer of what's going on and how it works?
(Yes, I could search myself but I am looking for recommendations of articles you have read that you found helpful and clear.)
EDIT: https://passkeys.io did make some things clearer.
@tante I blogged about #Passkeys and #FIDO2 at https://karl-voit.at/FIDO2-vs-Passkeys/ and, among other things, explained why passkeys unfortunately no longer fully protect against #Phishing in more and more situations, whereas in my opinion FIDO2 very much does.
I.e., hardware tokens currently provide the only watertight protection against phishing. Nevertheless, passkeys have many advantages over the usual methods such as #TOTP, #TAN via #SMS or #Email, ...
Seriously, the issue in this thread is why I think #passkeys are a ticking time bomb. Most people don't understand how they work, or that they're linked to a single device, or that they need to maintain a backup login method. Websites that support passkeys don't do enough to communicate and enforce good habits. If we continue down the passkey path, people losing access is going to be a much bigger problem in the future, and we're not ready for it. #infosec
On the weekend I managed to connect all my self-hosted services that support it to the #Keycloak #SSO (single sign-on).
Namely #Mastodon #Peertube #NextCloud #FreshRSS #Matomo and #grafana
Why bother with such a complication for apps serving only a couple of users?
First, it's quite easy nowadays.
And second, because I want to get rid of passwords and just use #passkeys.
This is one of many examples showing that good apps should just focus on one task and just use standards to cooperate with other apps focusing on other tasks.
Peertube, for example, focuses on videos, not user management. I am very OK that they don't support passkeys, because they implemented the OpenID Connect standard to allow me to use Keycloak for better login options.
On the other hand, I am quite sad that SSO is often the one feature that is proprietary and reserved only for paying customers. SSO is not for huge corporations anymore. It's also useful for us, self-hosters with a couple of users.
❤️ 


Support for #keepassDX in progress 🌱 https://github.com/Kunzisoft/KeePassDX/issues/1421
- Login: when you want to sign in, the server sends a challenge that your device signs with the private key (without revealing it).
3. Verification: the server checks the signature with your public key and, if it matches, grants you access.
Advantages over passwords
✅ More secure: they cannot be stolen.
✅ More convenient: you don't have to remember passwords.
✅ Synchronization: they can be stored in the cloud (encrypted) for use on different devices.
I wish #Passkeys were everywhere, on all servers, banks, government online offices, etc. There would be no password thefts because there would be none to steal!
Passkeys (#Passkeys) are a modern and secure way to sign in without the need for traditional passwords. They work with biometric authentication (fingerprint or face) and use public-key cryptography to verify your identity.
How do they work?
1. When you create a passkey, your device generates a key pair:
- Private key (stored securely on your device).
- Public key (sent to the server of the website or app).
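
The registration, challenge and verification steps described in the post above, as an added example that is not part of the original posts: a simplified Node.js model (not the real WebAuthn message format) that also goes one step further by making each challenge single-use and binding the signature to the site's origin. The origins, the user name and all function and class names are constructed for illustration.

```javascript
// Added example: simplified model of the passkey flow, NOT the real WebAuthn format.
// Origins, user name and all function/class names are constructed for illustration.
const crypto = require('crypto');

// Registration: the device generates a key pair; only publicKey is sent to the server.
function createPasskey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Device: sign the server's challenge together with the origin the browser is on.
function signChallenge(privateKey, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
  return { clientData, signature };
}

class Server {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> public key (nothing secret is stored)
    this.pending = new Set();    // challenges issued and not yet used
  }
  register(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge() {
    const challenge = crypto.randomBytes(32).toString('base64url');
    this.pending.add(challenge);
    return challenge;
  }
  verify(user, { clientData, signature }) {
    const { challenge, origin } = JSON.parse(clientData);
    if (!this.pending.delete(challenge)) return 'replayed-or-unknown-challenge';
    if (origin !== this.origin) return 'wrong-origin';
    const key = this.publicKeys.get(user);
    if (!key) return 'unknown-user';
    const ok = crypto.verify('sha256', Buffer.from(clientData), key, signature);
    return ok ? 'ok' : 'bad-signature';
  }
}

function demo() {
  const server = new Server('https://example.test');
  const alice = createPasskey();
  server.register('alice', alice.publicKey);
  const login = signChallenge(alice.privateKey, server.newChallenge(), server.origin);
  const lookalike = signChallenge(alice.privateKey, server.newChallenge(), 'https://examp1e.test');
  const otherKey = signChallenge(createPasskey().privateKey, server.newChallenge(), server.origin);
  return { first: server.verify('alice', login), replay: server.verify('alice', login),
           lookalike: server.verify('alice', lookalike), otherKey: server.verify('alice', otherKey) };
}
```

The server holds only public keys, so a leak of its database yields nothing that can sign a challenge; a captured response is rejected on reuse, and one signed for a different origin is rejected before the signature is even checked.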