Marco Arment
ever. Like, why were you asking us, have you used passkeys, what are you using them for, blah blah, but we didn't say why would anybody use passkeys. What the hell is the point? Like, why would anyone ever be motivated to go through any kind of process that we were describing? And we're not going to go into the technical details of passkeys, but just sort of the F's and B's, as they say, the features and benefits. So one of the biggest and first ones is, unlike with passwords,
no private info is ever sent to a website. So if you log into a website or an app or anything else with a username and password, your username and password are sent, in some form or another, to the service, or they're sent to the app. You're giving your private information to code that you did not write. You're giving your private information to the application, to the web page, to whatever, right? And then presumably it does something safe with it and checks if it's right or whatever, you know.
It doesn't even have to transmit it. It could do all the hashing locally or encrypt it locally, but whatever. You are handing over your private information. That doesn't happen with passkeys. They're more like SSH keys where the private thing is never given to another piece of code. You are given a thing, which then you sign with your private thing, and then you chuck the other thing back.
So you're only ever sending public information to another entity. And related to that is you, the user, don't make the choice of what to send where.
With passwords, you make the choice, even if the choice is like right clicking and picking autofill or like allowing autocomplete or whatever, like you are choosing to enter your username and password somewhere in a web page, in an app, wherever it is. You choose to put it there. And when human choice is added to that equation, you are vulnerable to phishing.
Because if someone could put something in front of you that you think is a place where you should put the password for service X, and you put the password for service X there, but it was a phishing attack, and really that's an enemy website, you've just given, you've transmitted your private information to this bad party.
Passkeys don't work like that because passkeys never ask you to decide when you should send your passkey to a thing. You cannot send the passkey for apple.com to someplace that is not apple.com, right? That's not a choice you have to make. That's not part of the flow. Again, if it's a security problem and there's some way that they can trick...
iOS or macOS to send it past you to an incorrect place, that would be a security problem, but it's not your fault, because you didn't make that choice. Phishing relies on essentially social engineering: can I trick the user into thinking this is the place to do this? And it happens to everybody. I recently saw a thread I'm asking on where someone said, I literally do cyber security for a living, and at the end of one day I was really tired
And I entered a bunch of my private information in the form that I thought was legitimate because it looked just like my, you know, intranet, whatever page. And I totally got phished. It can happen to literally anybody. There is no amount of vigilance and care and expertise that can prevent you from falling victim to phishing. That's why we want to take the human out of the equation.
Passkeys say: you don't ever have to make that decision. We cryptographically determine if this is the place we should send this. It will never get sent accidentally to the wrong place. Right. And then finally, we're talking about transferring, and like, what happens if my phone goes in the ocean or whatever.
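The challenge-and-sign flow and the origin binding described in this segment, as an added Go example that is not from the podcast or from any real passkey implementation: a toy authenticator keeps one Ed25519 key per relying-party ID, signs sha256(rpID) || challenge, and has nothing to sign with when the browser reports a look-alike origin. The rpID strings, the fixed challenge and the signed-data layout are constructed simplifications of WebAuthn, not the real wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator holds one private key per relying-party ID; the key never leaves it.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }
// Register makes a key pair scoped to rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a.keys[rpID] = priv
	return pub
}
// signedData is what gets signed: sha256(rpID) || challenge, so an assertion is
// bound to the site it was made for and to this one login attempt (simplified layout).
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}
// Assert signs the challenge with the key for rpID. The browser supplies rpID from
// the page's real origin, not from the page itself, so a look-alike site finds no key.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential for " + rpID)
	}
	return ed25519.Sign(priv, signedData(rpID, challenge)), nil
}
// Verify is the relying party's side: its own rpID, its own fresh challenge, a valid signature.
func Verify(pub ed25519.PublicKey, rpID string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, signedData(rpID, challenge), sig)
}
// Demo runs a real login to apple.com and a phishing attempt from a constructed look-alike
// origin. Returns (legitimate login verified, phishing attempt obtained an assertion).
func Demo() (bool, bool) {
	auth := &Authenticator{keys: map[string]ed25519.PrivateKey{}}
	pub := auth.Register("apple.com")
	challenge := []byte("constructed-challenge-0001") // a real RP uses random bytes
	sig, _ := auth.Assert("apple.com", challenge)
	_, err := auth.Assert("apple-login.example", challenge) // phishing origin: no key
	return Verify(pub, "apple.com", challenge, sig), err == nil
}

func main() { fmt.Println(Demo()) }
```

The user never chooses where the key goes: the browser's origin decides which key exists, and a signature made for apple.com cannot be verified by anyone else's rpID or challenge.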