@nikitonsky it's public/private keys for authentication, so you never have to pass a secret to the server, and the server doesn't hold anything that's worth leaking
@nikitonsky yeah, your device signs something and the server never receives the private key. Also the password manager integrates directly into the browser, so you just click "sign in w/ passkey" instead of it having to hack around filling in a form. If a site does a bad job choosing their hash/salt then a leaked DB could be reversed to passwords (or they could be storing in plaintext), and the server receives the plain password during authentication; neither of those is possible with passkeys.
@willhbr so during auth server asks you to sign something instead of transmitting password for check?
> server doesn't hold anything that's worth leaking
This is already true with hashed/salted passwords, no?