I'm confused about how this works. I tried the demo and Bitwarden asked me if I wanted to save the passkey. From a UX experience, this felt weird. Why do I need to create an account, and save that account? Why does passkey storage prevent bots? Just that bots haven't added that automation yet?
Totally agree with this - when it popped up asking me if I wanted to use my fingerprint to do ..._something_... I felt like I was at risk and noped out.
A passkey can be thought of as software emulation of a smartcard (aka hard token aka YubiKey). When it asks you to save it, that's when it creates the virtual smartcard in some reasonably secure local storage (possibly TPM-secured or at least kernel-secured).
The benefit of this approach is that a bot doesn't have the private key.
Of course you want to be sure that WebAuthn onboarding can't be botted.
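
The challenge-response idea behind the reply above, as an added example that is not part of the original thread or of any project it mentions. It is a simplified sketch: real WebAuthn signs authenticator data plus a hash of the client data, and the origin, function names and message layout here are assumptions made for illustration.

```javascript
// Added example: simplified passkey-style login check (not a full WebAuthn implementation).
const nodeCrypto = require("node:crypto");

const ORIGIN = "https://example.test"; // constructed relying-party origin

// "Save passkey": the authenticator creates a key pair and keeps the private half locally.
function createPasskey() {
  return nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
}

// Server side: a fresh random challenge for every login attempt.
function newChallenge() {
  return nodeCrypto.randomBytes(32).toString("base64url");
}

// Authenticator side: sign the client data (challenge + origin) with the private key.
function signAssertion(privateKey, challenge, origin) {
  const clientDataJSON = JSON.stringify({ type: "webauthn.get", challenge, origin });
  const signature = nodeCrypto.sign("sha256", Buffer.from(clientDataJSON), privateKey);
  return { clientDataJSON, signature };
}

// Server side: check challenge and origin, then the signature against the
// public key that was stored when the passkey was registered (onboarding).
function verifyAssertion(storedPublicKey, expectedChallenge, assertion) {
  let clientData;
  try { clientData = JSON.parse(assertion.clientDataJSON); } catch { return false; }
  if (clientData.type !== "webauthn.get") return false;
  if (clientData.challenge !== expectedChallenge) return false; // stale or replayed response
  if (clientData.origin !== ORIGIN) return false;               // signed for another site
  return nodeCrypto.verify("sha256", Buffer.from(assertion.clientDataJSON),
                           storedPublicKey, assertion.signature);
}

function demo() {
  const user = createPasskey();   // key pair registered at onboarding
  const other = createPasskey();  // key pair the server never registered
  const c1 = newChallenge();
  const c2 = newChallenge();
  const good = signAssertion(user.privateKey, c1, ORIGIN);
  return {
    legitimate: verifyAssertion(user.publicKey, c1, good),
    wrongKey: verifyAssertion(user.publicKey, c1, signAssertion(other.privateKey, c1, ORIGIN)),
    replayed: verifyAssertion(user.publicKey, c2, good),
    wrongOrigin: verifyAssertion(user.publicKey, c1,
                                 signAssertion(user.privateKey, c1, "https://other.test")),
  };
}
```

The server only ever holds the public key, so the check is only as strong as the registration step that stored it, which is the onboarding concern raised in the last comment.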