Update: The forums now support passkeys!

TL;DR:

If you want to use Passkeys to authenticate to The Fire Panel Forums, you can do so on your profile: https://forums.thefirepanel.com/my/preferences/security

At this time, there is not an option to completely remove your password. This is a Discourse limitation, not something The Fire Panel has control over at this time.

What is it?

As some of you may know, my full time job is in the tech/cybersecurity industry. You may have also heard of Passkeys, a password-less authentication option founded by the FIDO Alliance built to be more secure than a traditional username/password login.

How do they work?

For a basic overview, passkeys use what is called a ‘key pair’ strategy, similar to using HTTPS (TLS) for encrypted traffic on a website:

  1. When a passkey is created, a key pair consisting of a public key and a private key is created.
  2. The private key lives on your device or in a password manager such as 1Password, Bitwarden, iCloud Keychain, and others. It NEVER leaves this place.
  3. The website holds on to the public key.
  4. Any time you log into a website, there is an ‘exchange’ between the public and private keys. If everything matches up, you’re instantly authenticated to your account.

What makes Passkeys more secure than Passwords?

Passkeys cannot be phished!

Phishing is an attempt to trick a user into giving up their credentials. For example, you receive an email saying “Something is wrong with your account! Click here to log into the website to fix it!” While the website may look similar - and in some cases identical - to the real site, instead of example.com you may actually be routed to examp1e.com, a change that some users may not catch. They enter their username and password, and now the fake website has your real site’s credentials.

Passkeys, however, can only work on the site they are affiliated with using the aforementioned key pair strategy. A private key will simply never be able to handshake with an improper public key, and since the private key never leaves the device or password manager it is on, the attacker simply can’t get it.

Passkeys have Multi-Factor Authentication (MFA) built in.

On many sites, you have the choice to enable MFA alongside your traditional password. This may come in the form of a text, email, or TOTP code to enter upon login to a site. It adds an additional step to make it more difficult for attackers to retrieve your credentials. It is not fool-proof, and not all forms of MFA are equally strong*, but it is certainly better than no MFA at all.

For Passkeys, one factor is the key pair handshake with the site, but the other factor is that the key pair exchange happens on a trusted device or password manager that the user has unlocked. Usually this includes some kind of biometric authenticator, PIN code, or additional password depending on the user’s settings. Because MFA is implied with passkeys, it requires no additional steps from users, meaning no more waiting for text codes that never show up, or entering your TOTP code right as the 30-second timer expires.

What else uses passkeys?

Passkeys were announced by Google and Apple in May and June of 2022 respectively. While there is a standard way to implement this technology into websites, WebAuthn, adoption isn’t happening too quickly, but the number of sites and apps supporting it is growing. I’ve personally used 1Password’s Passkeys.directory to see a fairly accurate list of sites that support passkeys. Consider making use of them as the list continues to grow!

2 Likes

Ooooh, fancy technology ngl