this post was submitted on 09 Apr 2024
Technology
Better yet: use a hardware 2FA token that supports passkeys
The issue is that most of them are limited in the amount of passkeys they can manage.
In the case of the Yubikey 5
It depends on the passkey type (resident vs non-resident keys)
Passkey = Resident Key
Nonresident keys are not passkeys; they are solely a second form of authentication, meaning the service you are logging into still requires a password.
Couldn't a site theoretically use a nonresident key with just a username, in place of a password?
This seems to imply it might be possible:
https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Resident_Keys.html
For sure, but that still isn't a passkey. The method you are talking about is the equivalent of non-passphrase protected SSH protocol, which is a single form of authentication (i.e. if someone has your security key they have your account).
The term passkey implies MFA: having a physical key and a password, a physical key and a fingerprint scan, or equivalent.
Sure, the username could be considered the password, but usernames are not designed to be protected the same way. For example, they typically are stored in clear text in a service's database, so one data breach and it's over.
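Added example, not written by any commenter in this thread: a server-side check showing how a relying party can tell a touch-only assertion (possession alone, the single-factor case discussed above) from one where the authenticator verified the user with a PIN or biometric. The function names and the acceptance policy are hypothetical; signature and rpIdHash verification are assumed to happen elsewhere.

```javascript
// Flag bits in the WebAuthn authenticator data flags byte.
const FLAG_UP = 0x01; // user present (e.g. touched the key)
const FLAG_UV = 0x04; // user verified (PIN or biometric checked by the authenticator)

// authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian) | ...
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticatorData too short");
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Hypothetical policy: the key proves possession; a second factor must come
// from either authenticator-side user verification or a password the service checked.
function evaluateLogin(authData, { passwordChecked }) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { accept: false, reason: "no user presence" };
  }
  if (parsed.userVerified) {
    return { accept: true, reason: "possession + user verification" };
  }
  if (passwordChecked) {
    return { accept: true, reason: "possession + password" };
  }
  // Username plus a touch-only key: whoever holds the key gets the account.
  return { accept: false, reason: "possession only (single factor)" };
}

// Constructed sample input: all-zero rpIdHash placeholder, chosen flags and counter.
function makeAuthData(flags, signCount) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

console.log(evaluateLogin(makeAuthData(FLAG_UP, 7), { passwordChecked: false }));
console.log(evaluateLogin(makeAuthData(FLAG_UP | FLAG_UV, 7), { passwordChecked: false }));
```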