Tim Bray
@timbray@cosocial.ca  ·  activity timestamp 2 weeks ago

Some thoughtful stuff about passkeys and the identity system, includes a few angles I hadn’t thought of: https://lucumr.pocoo.org/2025/9/2/passkeys/

#identity

Dan Gillmor
@dangillmor@mastodon.social replied  ·  activity timestamp 2 weeks ago
@timbray I consider myself reasonably good at this stuff, and I still cannot figure out passkeys...
Leo (he/him) 🇺🇦
@yildo@cosocial.ca replied  ·  activity timestamp 2 weeks ago
@dangillmor @timbray The passkey explanation that made sense to me: it's like an ssh key that goes in your device's security chip.
jwz
@jwz@mastodon.social replied  ·  activity timestamp 2 weeks ago
@dangillmor @timbray It took me a *very* long time to understand WTF passkeys actually were. What finally made it click for me: they work *exactly the same* as ssh certificates, except that it is mandated that the private key live in a secure enclave, and there's no way for you to copy it to a new machine.

Plus lots of vendor-specific obfuscatory wainscoting in the UIs.

Bruce Elrick
@virtuous_sloth@cosocial.ca replied  ·  activity timestamp 2 weeks ago
@dangillmor @timbray
I read something recently that made me understand the basics.

They are per-device/per-website/per-user asymmetric public/private key pairs with the private one stored on the device and each one only used with one user id on one website, with the public key stored at the service provider for that user on that device.

The details about how they are instantiated or revoked are less clear to me.

If I've got that wrong, please, anyone, correct me.

Bruce Elrick
@virtuous_sloth@cosocial.ca replied  ·  activity timestamp 2 weeks ago
@dangillmor @timbray
jwz's elucidation about secure enclaves is very helpful. I suppose it explains the attitude of the developer around export, but it also tells you exactly what you need to know about how corporations view the ownership of secure enclaves on *your* ("your") devices.