Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
Privacy Facebook Security

Facebook Now Supports Passkeys (lifehacker.com) 20

Posted by BeauHD from the passwordless-future dept.
Facebook now supports passkeys for login, offering users a more secure, phishing-resistant alternative to passwords by using biometrics or a PIN stored on their device. The feature is rolling out to iOS and Android "soon," while Messenger will get the feature "in the coming months." Lifehacker reports: Meta seems pretty excited about the news -- and not just because the company happens to be a member of the FIDO Alliance, the organization that developed passkeys. Aside from logging into your Facebook account, Meta says you'll be able to use passkeys to autofill your payment info when buying things with Meta Pay. You'll also be able to use the same passkey between both Facebook and Messenger, and your passkey will act as a key to lock out your encrypted Messenger chats.

Facebook Now Supports Passkeys More | Reply

Facebook Now Supports Passkeys

Comments Filter:

  • My Ideal Setup (Score:5, Informative)

    by organgtool ( 966989 ) on Wednesday June 18, 2025 @05:43PM (#65459529)
    My ideal setup is password + passkey for login to each service. I love the concept of passkeys because they're practically immune to all MITM attacks, however I hate the idea that every service I use could be accessed if someone has my device and can bypass any of its auth mechanisms. By having separate passwords for each site and requiring passkeys for MFA, I can mitigate the damage caused by theft/tampering while protecting myself from MITM attacks.

    Yes, this is far beyond normal but if I want to be neurotic then just let me.

    • Re: (Score:3)

      by mysidia ( 191772 )

      hate the idea that every service I use could be accessed if someone has my device

      Then use a PassKey authenticator that requires a PIN or biometric entry to use the key. For example a Passkey stored on a Yubikey with a strong PIN set. Or a Passkey stored on a TPM configured to require entry of the PIN each time the credential will be used. Many users would disable the separate PIN requirement, or choose a solution that does not require one for their own convenience purposes, But you don't have

  • Nobody understand what this is (Score:2, Insightful)

    by Anonymous Coward
    I have a TOTP authentictor and Yubikeys. I can understand these. I've read the WP article on Passkeys probably five times and still don't have a single clue about what these are or how they work.

    • Re:Nobody understand what this is (Score:4, Informative)

      by ewhac ( 5844 ) on Wednesday June 18, 2025 @06:33PM (#65459613) Homepage Journal

      This is how I've come to understand it. I welcome any and all corrections.

      Passkeys are a cryptographic key stored in a Secure Element. This is usually a private key inside a small cryptographic engine. You feed it some plaintext along with the key ID, and it encrypts it using that key. The outer software then decrypts the ciphertext using the public key. If the decrypted text matches the original plaintext, then that proves you're holding a valid private key, and authentication proceeds.

      The private key can be written to and erased from the Secure Element, but never read back out. All it can do is perform operations using the secret key to prove that it is indeed holding the correct secret key.

      On phones, the Secure Element is in the hardware of your handset. On PCs, this is most often the TPM (Trusted Platform Module) chip. In both cases, the platform will ask for your PC's/phone's password/fingerprint/whatever before forwarding the request to the Secure Element.

      Yubikeys can also serve as a Secure Element for Passkeys; the private key is stored in the Yubikey itself. Further, the Yubikey's stored credentials may be further protected with a PIN, so even if someone steals your Yubikey, they'll still need to know the PIN before it will accept and perform authentication checks. You get eight tries with the PIN; after that, it bricks itself.

      The latest series 5 Yubikeys can store up to 100 Passkeys, and Passkeys may be individually deleted when no longer needed. Older series 5 Yubikeys can store only 25 Passkeys, and can only be deleted by erasing all of them.

      Theoretically, you can have multiple Passkeys for a given account (one for everyday access; others as emergency backups). Not all sites support creating these, however.

    • Do you ever use SSH keys for authentication?

      Passkeys are SSH keys but for the web browser. Seriously, it's the same tech.

    • Re: (Score:2)

      by jsonn ( 792303 )
      The most important part is missing. TOTP authenticators are not phishing-resistant. They don't ensure that the website asking for the code is the one the code is intended for. That's also why remarks like "TLS already can do mutual authentication" are completely missing the mark. If I connect to s1ashdot.org and get a valid HTTPS certificate, the user doesn't necessarily notice the difference. With FIDO tokens, the public key authentication is also bound to the domain.

  • Good news for the old people still using Facebook (Score:3)

    by ebunga ( 95613 ) on Wednesday June 18, 2025 @06:39PM (#65459623)

    I guess they can be safe and secure while they view their ai-generated bacon jesus memes.

  • About time... (Score:3)

    by CommunityMember ( 6662188 ) on Wednesday June 18, 2025 @11:52PM (#65460063)

    While there is the question of whether one *should* be using Facebook, it is long overdue for Facebook to allow passkeys if you choose to do so. Glad to see they got with the program.

    I am still waiting for my bank to support passkeys for those of us not at some level of extreme premium service (where they do support it).

Slashdot Top Deals

Your good nature will bring you unbounded happiness.

Close