On Mon, Aug 4, 2025 at 9:42 AM Kingsley Jegan Joseph via Silklist < [email protected]> wrote:
> I haven't really followed infosec in a long time, and when I'm wearing my
> end user hat, passkeys just seem to translate to biometrics. I realize this
> is probably a reductive abstraction, but does an end user really benefit
> from a deeper understanding? As long as this abstraction isn't totally
> delulo I can live with it.

This is actually my biggest problem with the communication around passkeys.

- A passkey is basically a public/private key pair, with one part (public) being on the server you want to access, and the other part (private) being on your phone/device.
- Biometrics in this case means the PIN/fingerprint/FaceID that you use to unlock your phone or other device, which then lets you access the private key, which then lets you access the site.
- The biometric itself is not the credential; it lets you access the credential that is stored on your device. So you'd need physical access to the device, as well as the biometric, in order to access the actual device.
-- Silklist mailing list [email protected] https://mailman.panix.com/listinfo.cgi/silklist
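The key-pair model described in the reply above, as an added worked example that is not part of the original message or of any passkey/WebAuthn implementation. It uses only Go's standard library: the "authenticator" holds a P-256 private key that it will not use until a local PIN check passes (standing in for the fingerprint/face unlock), the "server" stores only the public key plus the challenge it last issued, and verification consumes that challenge so a captured signature cannot be replayed. The origin string, user name and PIN are constructed for the illustration; real WebAuthn signs `authenticatorData || SHA-256(clientDataJSON)`, which this simplifies to a hash over origin and challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Assumed relying-party origin for this illustration.
const origin = "https://example.com"

// Authenticator is the device side of a passkey. The private key never leaves
// it, and Sign refuses to touch the key until the local unlock check passes.
type Authenticator struct {
	priv *ecdsa.PrivateKey
	pin  []byte // stands in for the PIN/fingerprint/face gate; compared locally, never sent
}

// Server is the relying party. It holds only public keys and, per user, the
// challenge it most recently issued.
type Server struct {
	pubs    map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewAuthenticator(pin string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, pin: []byte(pin)}, nil
}

func NewServer() *Server {
	return &Server{pubs: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Register sends only the public half of the pair to the server.
func (s *Server) Register(user string, a *Authenticator) {
	s.pubs[user] = &a.priv.PublicKey
}

// NewChallenge issues 32 fresh random bytes and remembers them for this user.
func (s *Server) NewChallenge(user string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	s.pending[user] = ch
	return ch, nil
}

// signedMessage binds the signature to the origin and the challenge
// (simplified stand-in for WebAuthn's authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is the only path to the private key, and it requires the local unlock.
// A wrong PIN returns an error and the key is never used.
func (a *Authenticator) Sign(pin string, challenge []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), a.pin) != 1 {
		return nil, errors.New("user verification failed: key stays locked")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(challenge))
}

// Verify checks the signature against the registered public key and consumes
// the pending challenge, so the same signature cannot be presented twice.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, registered := s.pubs[user]
	ch, pending := s.pending[user]
	if !registered || !pending {
		return false
	}
	delete(s.pending, user)
	return ecdsa.VerifyASN1(pub, signedMessage(ch), sig)
}

func main() {
	auth, _ := NewAuthenticator("1234") // constructed PIN for the demo
	srv := NewServer()
	srv.Register("alice", auth)

	ch, _ := srv.NewChallenge("alice")
	if _, err := auth.Sign("0000", ch); err != nil {
		fmt.Println("wrong PIN:", err)
	}
	sig, _ := auth.Sign("1234", ch)
	fmt.Println("fresh assertion accepted:", srv.Verify("alice", sig))
	fmt.Println("replayed assertion accepted:", srv.Verify("alice", sig))
}
```

Two things the example makes concrete: the PIN (or biometric) is checked inside `Sign` and never appears in any message to the server, and a second device with its own key pair cannot produce a signature that verifies against alice's registered public key, even if its owner knows the same PIN.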
