Client certificates have existed for basically as long as encryption. Passkeys are more than that, and that is a crucial point. They allow to verify the identity of the signing device, and allow access only if the device is "legitimate" from the point of view of the remote service. That is a very big encroachment on the user's privacy and freedoms and a new very big step in the process of tying everything even more tightly to accounts and devices controlled by the big service providers and making it more difficult to get out or to enter the market for new actors.Think Trusted Computing. Soon it will be impossible to log in to some media streaming platform, for example, if you don't have a passkey sanctioned by an OS with a TPM. Then everything will be locked in and the only flaw will be our eyes and our ears.
8fingerlouie|8 months ago
HSM ensures that the device is actually the device it claims to be, as the key cannot leave the device, and by coupling it with biometrics, which is authentication, you prove to the device you are who you claim to be.
So by the device authenticating you, the device by extension can authenticate you against the remote site using a cryptographic challenge.
There is no vendor lock in however. You can use a password manager like 1Password to store passkeys, or even Apples keychain supports synchronizing the passkey across devices (including windows). KeepassX also supports passkeys, so it’s not limited to official vendors like TPM.
As for HSM, you can also use something like a Yubikey.
mathiaspoint|8 months ago
I was wondering why I couldn't just use a client cert (or better yet my ssh keys) and figured it would be something like that. It turns out I was right to invest zero time or energy figuring it out.
8fingerlouie|8 months ago
https://www.yubico.com/blog/10-things-youve-been-wondering-a...