
Comparison of passkeys and TOTP (Bard)

kyoheiu

What can and can't I do with a passkey, generally?

Passkeys are a new type of passwordless authentication that is designed to be more secure and convenient than traditional passwords. They use public-key cryptography to create a unique digital signature for each user and device, which can then be used to verify identity without the need for a password.

With a passkey, you can generally do the following:

  • Log in to websites and apps without having to type in a password.
  • Unlock your device without having to enter a PIN or pattern.
  • Make payments online without having to enter your credit card information.
  • Share files and data with other devices securely.

However, passkeys are still under development, so there are some things that you cannot do with them yet. For example, you cannot yet use passkeys to log in to all websites and apps, and you cannot yet use them to make payments at all stores.

Here are some specific examples of what you can and cannot do with passkeys:

Can:

  • Log in to websites and apps that support passkeys using your device's biometric sensor (e.g., fingerprint scanner or facial recognition).
  • Unlock your device using your device's biometric sensor.
  • Make payments online at stores that support passkeys.
  • Share files and data with other devices that support passkeys.

Cannot:

  • Log in to websites and apps that do not support passkeys.
  • Unlock your device if its biometric sensor is not working or if you have not set it up.
  • Make payments online at stores that do not support passkeys.
  • Share files and data with other devices that do not support passkeys.

Overall, passkeys are a promising new technology that has the potential to revolutionize the way we authenticate ourselves online. However, they are still under development, so there are some limitations to what you can do with them at the moment.

kyoheiu

For example, if I implement passkeys on my own website, can I log in to the site on any device using a passkey?

Yes, if you implement passkey on your website, you should be able to log in to the site on any device that supports passkeys. This is because passkeys are not stored on any one device, but are instead stored in the cloud. This means that you can access your passkeys from any device, as long as you are signed in to the same account.

However, it is important to note that passkeys are still a relatively new technology, and not all devices and browsers support them yet. Therefore, you should check to make sure that your target devices and browsers support passkeys before implementing them on your website.

Here are some of the devices and browsers that currently support passkeys:

  • Devices:
    • iPhone
    • iPad
    • Mac
    • Android phones and tablets
    • Windows 11 PCs
  • Browsers:
    • Google Chrome
    • Microsoft Edge
    • Apple Safari

If you are using a device or browser that does not support passkeys, you will still be able to log in to your website using a traditional password.

Once you have implemented passkeys on your website, users will be able to create and save a passkey for your site. Once they have saved a passkey, they will be able to log in to your site on any device that supports passkeys simply by entering their biometric information (e.g., fingerprint or face scan).

Passkeys offer a number of benefits over traditional passwords, including:

  • They are more secure, as they are not vulnerable to phishing or brute-force attacks.
  • They are more convenient, as users do not have to remember or type in passwords.
  • They can be used on any device that supports passkeys, regardless of the operating system or browser.

If you are looking for a way to improve the security and convenience of your website's login process, you should consider implementing passkeys.

kyoheiu

So, if I use Chrome on Linux, I cannot log in to the site even if I have an Android device, right?

That is correct. Chrome on Linux does not currently support passkeys with a built-in platform authenticator. This means that you cannot use passkeys to log in to websites on Chrome on Linux without using a workaround.

However, there are a few workarounds that you can use to log in to websites on Chrome on Linux using passkeys:

  • Use a passkey from another device. You can use a passkey from your Android device to log in to websites on Chrome on Linux by scanning a QR code. To do this, open the website in Chrome on Linux and click the "Sign in" button. Then, select the "Use passkey from another device" option and scan the QR code with your Android device.
  • Use a hardware security key. You can also use a hardware security key to log in to websites on Chrome on Linux. To do this, insert the hardware security key into your computer and then follow the instructions on the screen.
  • Use a password manager. Some password managers support passkeys. If you use a password manager that supports passkeys, you can use it to generate and store passkeys for your websites. Then, you can use the password manager to log in to your websites on Chrome on Linux.

Google is working on adding built-in platform authenticator support for passkeys to Chrome on Linux. Once this support is added, you will be able to use passkeys to log in to websites on Chrome on Linux without having to use a workaround.

I hope this helps!

kyoheiu

TOTP authentication

Pros:

  • Widely supported by websites and apps
  • Relatively easy to set up and use
  • Free to use

Cons:

  • Can be vulnerable to phishing and brute-force attacks
  • Requires users to enter a code from their phone, which can be inconvenient
  • Codes have a limited expiration time, so users must generate a new code each time they log in

Passkey method

Pros:

  • More secure than TOTP authentication
  • More convenient, as users do not have to remember or type in passwords
  • Can be used on any device that supports passkeys, regardless of the operating system or browser

Cons:

  • Not yet widely supported by websites and apps
  • Can be more difficult to set up and use, especially for users who are not familiar with the technology
  • May require users to purchase additional hardware, such as a security key

Overall, passkeys are a more secure and convenient authentication method than TOTP authentication. However, they are still under development, and not all websites and apps support them yet.

Here is a table that summarizes the key differences between TOTP authentication and the passkey method:

| Feature | TOTP authentication | Passkey method |
|---|---|---|
| Security | Less secure | More secure |
| Convenience | Less convenient | More convenient |
| Device compatibility | Widely supported | Not yet widely supported |
| Ease of setup | Relatively easy | Can be more difficult |
| Cost | Free | May require additional hardware |

Which authentication method is best for you will depend on your individual needs and preferences. If you are looking for the most secure authentication method, then passkeys are the better option. However, if you need to support a wide range of devices and users, then TOTP authentication may be a better choice.

kyoheiu

In my understanding, to use passkeys every device should implement WebAuthn, but TOTP only needs a smartphone device to see the code and log in. Isn't this the difference to consider?

Yes, that is correct. To use passkeys, both the website or app you are logging in to and the device you are using to log in must support WebAuthn. WebAuthn is a standard that allows websites and apps to authenticate users using a variety of different methods, including passkeys.

TOTP authentication, on the other hand, only requires a smartphone device to generate and display the one-time password (OTP). The website or app you are logging in to does not need to support any specific authentication standard.

This difference in device compatibility is a major consideration when choosing between passkeys and TOTP authentication. If you need to support a wide range of devices, then TOTP authentication is the better choice. However, if you are able to limit support to devices that support WebAuthn, then passkeys are the more secure and convenient option.

Another consideration is that passkeys can be used to authenticate on multiple devices without having to generate a new OTP for each device. This is because passkeys are stored in the cloud, so you can access them from any device that is signed in to your account.

TOTP authentication, on the other hand, requires you to generate a new OTP for each device you want to authenticate on. This can be inconvenient if you need to log in to multiple devices frequently.

Overall, passkeys are a more secure and convenient authentication method than TOTP authentication. However, they require that both the website or app you are logging in to and the device you are using to log in support WebAuthn. If you need to support a wide range of devices, then TOTP authentication may be a better choice.