this post was submitted on 04 Nov 2023
152 points (96.9% liked)

Open Source

31250 readers
324 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 13 points 1 year ago* (last edited 1 year ago)

Passkeys are client-driven.

When you visit a website you'd like to login to, your browser generates a public/private key pair and gives the public key to the site.

When you want to login:

  • The browser uses the website domain name to generate a challenge and sends it to the website.
  • The website verifies the challenge by sending back a randomly generated long text, encrypted with the public key.
  • Browser confirms by sending back the decrypted text as proof.

Now both website and browser are sure the other is legit, there are no passwords involved, the login process is standardized and can be upgraded with new protocols and cyphers whenever needed, you can't be phished, you can't be tricked by a fake domain that looks in Unicode like the correct one, and if anybody breaks in and steals the public key they can't do anything with it.