Shushant
@0xshushant.eth
Is biometric passkey authentication a form of ZK proof of identity?
1 reply
0 recast
1 reaction
Amar
@amarpatel
Help me understand: I make a passkey on my phone, and now I can use that to log in to XYZ Corp’s site. Now I lose my phone, and @0xshushant.eth finds it. Unless I have Face ID/Touch ID/a passcode set up on my phone, how is this different from using app/device-specific passwords?
1 reply
0 recast
1 reaction
Shushant
@0xshushant.eth
Great question! Let's break this down:

When you create a passkey on your phone, it generates a cryptographic key pair: a private key stored locally and a public key stored on XYZ Corp's server.

Comparison to app/device-specific passwords: While there are similarities in the scenario you described, passkeys still offer some advantages:

a) Phishing resistance: Even if someone accesses your phone, they can't use the passkey on a fake website. The cryptographic verification ensures the passkey only works with the legitimate site.

b) Server-side security: Unlike passwords (even device-specific ones), the server only stores the public key, so an attacker cannot impersonate you if their database is breached.

c) Ease of revocation: If you lose your phone, you can usually revoke access for that device more easily than changing multiple app-specific passwords.
0 reply
0 recast
1 reaction