[HopenHeyHi]

HN gets a public key, that's the account. The private key is stored on your device, say on iOS it would be stored encrypted in the secure enclave and accessible via TouchID/FaceID.

There is little to no point in stealing the HN user database at that point because that's all just useless public keys, it has no passwords.

If you wanted to add a device to the HN account you'd login, go to the settings, and generate another pub/private key for the new device rather than the traditional "change password". As there is no password. Most likely you're familiar with a variation of this already from sites like Github.

[logifail]

> If you wanted to add a device to the HN account you'd login, go to the settings, and generate another pub/private key for the new device rather than [..]

So I'm on my phone wanting to log into HN, and you're saying I need to go to my desktop (which is already logged in) to generate a key ... for the phone to be able to log in?

Umm, I'm not sure Joe Q. Public is going to view that as acceptible.

[aseipp]

It's basically impossible to answer that hypothetical right now, because it depends entirely on the choice of client software. And that's still something that's evolving; it's just that Apple/Google/MS have the most prominent implementations here.

If you have an iPhone and a Mac? No, your iPhone will log in via iCloud keychain. You use touchid/faceid to auth as usual.

If you have an Android phone and a Chromebook/use Chrome? No, it will get sync'd implicitly. You use whatever the equivalent of touchid/faceid is to auth, as usual.

If you're using some third party, pure-software, syncing solution? No, probably not. For example, existing password managers will probably just store the key material, encrypt it, then sync across devices. Again, pure software solution. You use 1Password on Windows 11 and also on your iPhone? You'll probably be fine. (Note: this is hypothetical, because 1Pass doesn't support it yet, but this is probably how it will shake out.)

If you want to login with your Chromebook using a key it has generated and not export/sync the key, and you also have an iPhone at the same time you want to login with? Yes, you will need multiple keys, one for each device, and you will need to provision them.

Realistically this is also a change to login flows on the server as well, so there's work to be done for the UX. For example many server-side auth packages are still adopting Passkeys into their flow, they need to change their schemas and frontends. One change to explore e.x. is you can ask the user after registering with WebAuthn is to register other devices, if they have them. Whether or not that's a workable solution remains to be seen.

[logifail]

> [..] so there's work to be done [..]

OK, we agree that much is clear :)

[HopenHeyHi]

Sorry if it wasn't clear:

If you logged in to HN using Safari on a Mac the private-key (a.k.a "password") got chucked into your keychain as part of the account creation flow and is synced across all your iCloud devices.

So on your phone when visiting the HN login page you'd just be prompted for a fingerprint by TouchID and in you go. Actually quite seamless. This would be what 90%+ of users experience as normal people don't fiddle with defaults.

I don't use Windows but they have some sort of iCloud Passwords thing for Windows now too apparently. Just dipping their toe into slowly making it cross platform.

It becomes less seamless and more of a hassle when you are using multiple keychains or 3rd party apps which probably a lot of people here are. What I described is that case, when you have both an Android phone and an iPhone and they are completely sequestered from each other (maybe personal and work?).

[logifail]

> normal people don't fiddle with defaults

Just to clarify, these "normal people", they are the ones who typically click on links in phishing emails without actually thinking?

> an Android phone and an iPhone and they are completely sequestered from each other

Q: Why would one not expect to have devices sequestered from each other?

Anyway, umm, OK. Sounds like this "solution" means normal people are fine, anyone who isn't normal has a new mountain to climb.

[HopenHeyHi]

> Just to clarify, these "normal people", they are the ones who typically click on links in phishing emails without actually thinking?

Yes? Heh, you know what normal people means, good. Guess what, phishing emails tricking people into visiting fake websites won't be as effective as with this flow there is no password for them to type in and accidentally give away to the attacker.

> Q: Why would one not expect to have devices sequestered from each other?

Because most people don't carry two phones or bother sequestering devices. It isn't the common case so it isn't a polished flow. At least not yet.

Don't know about a mountain as you probably use a password manager already, it isn't much different.

[vbezhenar]

> If you wanted to add a device to the HN account you'd login, go to the settings, and generate another pub/private key for the new device rather than the traditional "change password".

I still don't understand how do I do that.

Let's say I registered account using iPhone. Now I want to log in with my Linux workstation. So I pick up iPhone, go to the https://news.ycombinator.com/settings click "Add device" and then what?

I guess something like "recover password" workflow? Like I type my e-mail on new device, receive login link and then via login link I can register new device?

[watermelon0]

This depends on the implementation.

If you are in Apple world, your keys are synced between iOS and macOS (and saved in Secure Enclave, so you need TouchID/FaceID to complete flow.) In 'Google' world, you can use them between Android devices and Chrome browser.

However, if you access from unsupported app/device (e.g. use Apple Passkeys and want to access from browser on Linux machine), you can always just scan QR code with phone, and use it to log-in.

You can try it on https://www.passkeys.io

[meirwah]

you can try here too https://passkeys.guru/

[mszary]

> The private key is stored on your device, say on iOS it would be stored encrypted in the secure enclave and accessible via TouchID/FaceID.

What's important is that even though they are stored in the SE, they are no longer tied to the device and can be exported. Prior to the introduction of passkeys, all FIDO-based keys were minted inside the SE, without the option of being exported.