Passkeys are here

Hi Everyone,

An announcement for a site update. Since I’ve been more active following the outage, I am doing some work to make the site better, bit by bit. Some of you may already know I have a background in cybersecurity, so I did some digging on ways to make Discourse (the forum software) more secure, and I learned passkeys are a supported WebAuthn standard.

How to set one up?

Open your account > Preferences:

Open Security > Add Passkey

You will be asked to confirm who you are before your browser tries to handle the WebAuthn setup.
This will vary depending on what OS you have, which browser extensions you use, etc.

You know it worked once you’ve named your key and it shows in your account:

What are passkeys? (for non-technical people)

Simply put, it is a way to log in without a password. As long as you have a place to store your passkey (a password manager, Windows Hello, iPhone, Android), you can log in with no password required.

One of my favorite infosec youtube channels explains passkeys here:

Be sure that wherever you store your passkeys, you don’t lose them: when used correctly, they replace your passwords.
This means that if you store them on your phone and then get a new phone, unless you set your keys up to sync to the new device or backed them up yourself, you will not be able to log in to your account.

What are passkeys? (for nerds)

Passkeys are a WebAuthn standard that we often refer to as passwordless. If you have ever used SSH keys to log in to a server, passkeys work in nearly the same way.

When you create a passkey you generate a private/public key pair. You send the public key to whatever site you’re setting it up with.

The website then sends you a challenge (a long string of random characters). You sign this with your private key and send it back. When the site verifies the signature with your public key, it knows that only you (the holder of the private key) could have signed it. This ensures that only you could have logged in.
