This video demonstrates the process of adding a passkey to your PieFed account and then using the passkey to log in securely and quickly.
Firefox’s support for passkeys is a bit lacking, especially on Linux, so this seems to work best on Chrome(ium) at the moment.
What are passkeys? Read on…
Passkeys are a passwordless authentication method for logging into websites and apps. Traditional username and password logins are vulnerable to phishing, reuse, and data breaches. Even two-factor authentication (2FA), which often relies on insecure or inconvenient methods like SMS codes or ever-changing numbers, has its flaws. Passkeys eliminate these issues by removing the need to remember or type passwords altogether.
Passkeys are stored securely on your device and verified using biometrics or a device PIN, making them both more user-friendly and significantly more resistant to phishing, credential stuffing, and other common attacks. This makes passkeys a safer and more seamless alternative to traditional login systems. On Mac and Windows passkeys can be synced via the cloud, making logging in from multiple devices easier.
Amazing and works nicely in LibreWolf with KeePassXC.
Awesome! This is the second (iceshrimp afaik) fediverse software that has implemented passkeys, a huge achievement.
Nice feature!
Is it possible to require a passkey for login, or is it currently an alternative to the traditional username and password login? If not, is that a future goal? I’ve never used passkeys, just trying to understand the end goal; presumably you want to replace username and password with passkeys eventually, otherwise you’re not really making login more secure.
It’s an alternative and will remain one for a long time. Browser & OS support needs to mature before we could even think about making it a hard requirement.
At present I expect only instance admins would be interested in passkeys.
Over time if adoption and viability increases we might want to make passkeys more prominent, include the creation of the passkey as a step in the onboarding process, make email-based 2FA compulsory for every login when people use the old username+password method and various UI nudges to get people moving in the ‘right’ direction. But all that feels like a long way off at the moment.
Question, why are things that require biometrics considered more secure? The government has all my biometric data.
Another question, how do passkeys compare to ssh keys?
Here’s the thing: you don’t necessarily need to use biometric data to store a passkey. That’s how the vast majority of current implementations do it, but it’s not required by the spec. Personally I store all my passkeys in Bitwarden, meaning I can lock them behind my master password with no bio data involved. It also means that my passkeys are platform non-specific and are stored on my own self-hosted Bitwarden instance instead of in some mega-corp’s cloud.
As for SSH vs passkeys, AFAIK they’re both based on the same encryption but SSH keys are just super low level (the raw key in what’s essentially a text file) vs. the more abstracted passkey system that, in theory, is more user-friendly.