• jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    Wow! I had no idea. I assumed the yubikey bioseries didn’t work with passkeys. But I read the documentation that you linked, and I just tested it out on the demo site. It works.

    That’s amazing! Thanks

    Can only store 25 keys but hey that’s still something.

    • Bitrot@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      I like that you are able to query what keys are stored, so if you are ever replacing or upgrading the key you can see where you should update to the new one. That is tough on the current yubikey, I’ve got a few generations of them and have to hold onto them just in case I happened to use them for 2FA somewhere and don’t remember it. 2FA is dynamically generated so there’s not really a way to change that, it’s just inconvenient.

      • jet@hackertalks.com
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        1 year ago

        I prefer the yubikey webauthn fido2 non passkey approach. It’s not limited to 25 slots. And if your key gets compromised, or you’re forced to unlock it, there isn’t a list of sites that it works on.

        With passkeys, if somebody compromises you, physically, they can see everything you can log into. That makes me feel icky

        • Bitrot@lemmy.sdf.org
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          There are definitely pluses and minuses. It will lock you out after 8 incorrect pins so if it came down to it, you could probably force it to lock pretty quickly.

        • tippl@lemmy.world
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          if somebody compromises you, physically, they can see everything you can log into

          Can they though? I own a few yubikeys with passkeys stored inside and i cannot query stored logins without entering a pin.