this post was submitted on 11 Apr 2024
37 points (93.0% liked)

Proton

7749 readers
154 users here now

Empowering you to choose a better internet where privacy is the default. Protect yourself online with Proton Mail, Proton VPN, Proton Calendar, Proton Drive. Proton Pass and SimpleLogin.

Proton Mail is the world's largest secure email provider. Swiss, end-to-end encrypted, private, and free.

Proton VPN is the world’s only open-source, publicly audited, unlimited and free VPN. Swiss-based, no-ads, and no-logs.

Proton Calendar is the world's first end-to-end encrypted calendar that allows you to keep your life private.

Proton Drive is a free end-to-end encrypted cloud storage that allows you to securely backup and share your files. It's open source, publicly audited, and Swiss-based.

Proton Pass Proton Pass is a free and open-source password manager which brings a higher level of security with rigorous end-to-end encryption of all data (including usernames, URLs, notes, and more) and email alias support.

SimpleLogin lets you send and receive emails anonymously via easily-generated unique email aliases.

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
37
Is the future passwordless? (proton.me)
submitted 1 year ago by [email protected] to c/[email protected]
17 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 31 points 1 year ago

Passkeys are like using a private key to log in. There are several ways it's better:

  • Passwords can be stored improperly by a website leading it to be leaked
    • Passkeys never leave the device so a website being breached can never leak your passkey
    • The website only stores the public portion of the key which is useless to an attacker
    • Passkeys can only be stolen by attacking and breaching the device or password manager that holds it
  • Passwords can and often are reused across multiple sites so a single leaked password can compromise many sites
    • Passkeys are created for each site so an attacker would need to steal each one separately
  • Passwords can be phished by fooling a user into entering the password
    • Passkeys can't be phished easily since it's designed not to leave the device - if such an attack was found it could be patched in the browser / password manager. You can't patch all password forms to stop phishing in the same way

If you're familiar with ssh keys, it's similar to that and why the top security recommendation for new servers is to disable passwords and use keys instead.