by crote 1109 days ago
Not quite.

The biggest difference is that websites seem to trust a passkey as both a password and a 2FA token at the same time. So security-wise it essentially means giving up 2FA altogether, as passkeys are about as secure as a password manager.

So for anyone with a password manager and 2FA tokens, passkeys are a downgrade.


This is wrong. Everyone here confuses "Passkeys the standard" with "some hardware implementation they've heard of".

Yubikeys require a PIN, and the key is wiped if you enter it wrong ten times. Nobody stops you from making a hardware key that requires a long password to access it. You can do whatever you want, the standard doesn't care how you want to secure your keys. The standard just asks for a key at enrollment and then asks you to sign something with that key at signup.

Anything after that is up to you and your choice of device.

EDIT: I've written a short post to clarify a few misconceptions:

https://www.stavros.io/posts/clearing-up-some-passkeys-misco...
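The enrollment-then-sign flow the comment describes, as an added example in Go that is not from the post, the linked blog, or any real authenticator: a toy software authenticator and a relying party running the WebAuthn assertion ceremony (the site issues a challenge, the authenticator signs SHA-256(authenticatorData || SHA-256(clientDataJSON)) with the key it enrolled, the site verifies the signature plus the origin, rpID hash, flags and counter). The rpID `example.com`, the origins, the `userVerified` argument that stands in for a PIN or biometric prompt, and the `requireUV` policy flag are assumptions for illustration; real attestation, CBOR/COSE encodings and credential IDs are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// Flag bits of the WebAuthn authenticatorData flags byte.
const (
	flagUP = 0x01 // user present (touched the key)
	flagUV = 0x04 // user verified (PIN, biometric, ...)
)

// Authenticator is a toy software authenticator: one P-256 key and a signature
// counter. How it gates the key (PIN, touch, nothing) is its own policy; the
// relying party only ever sees the flags it chooses to set.
type Authenticator struct {
	key     *ecdsa.PrivateKey
	counter uint32
}

// Assertion is the authenticator's answer to one login challenge.
type Assertion struct{ AuthData, ClientData, Signature []byte }

// Enroll generates a key pair; only the public half goes to the relying party.
func Enroll() (*Authenticator, *ecdsa.PublicKey) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{key: k}, &k.PublicKey
}

// signedMessage is what is signed and verified: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}

// Assert signs a fresh server challenge. userVerified stands in for the device's
// local check (PIN/biometric); a real authenticator would prompt for it here.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte, userVerified bool) Assertion {
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "origin": origin,
		"challenge": base64.RawURLEncoding.EncodeToString(challenge)}) // cannot fail for plain strings
	a.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := make([]byte, 37) // rpIdHash(32) || flags(1) || signCount(4, big-endian)
	copy(authData, rpHash[:])
	authData[32] = flagUP
	if userVerified {
		authData[32] |= flagUV
	}
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedMessage(authData, cd))
	if err != nil {
		panic(err)
	}
	return Assertion{AuthData: authData, ClientData: cd, Signature: sig}
}

// Verify is the relying-party side. requireUV is the site's policy choice: it can
// demand the UV flag but has to trust the authenticator to have set it honestly.
// On success it returns the new signature counter the site must store.
func Verify(pub *ecdsa.PublicKey, lastCounter uint32, rpID, origin string, challenge []byte, requireUV bool, as Assertion) (uint32, error) {
	var cd map[string]string
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return lastCounter, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case cd["type"] != "webauthn.get":
		return lastCounter, errors.New("wrong ceremony type")
	case cd["challenge"] != base64.RawURLEncoding.EncodeToString(challenge):
		return lastCounter, errors.New("challenge mismatch (replay?)")
	case cd["origin"] != origin:
		return lastCounter, errors.New("origin mismatch (phishing page?)")
	case len(as.AuthData) < 37:
		return lastCounter, errors.New("authenticatorData too short")
	case string(as.AuthData[:32]) != string(rpHash[:]):
		return lastCounter, errors.New("rpIdHash mismatch: credential is scoped to another site")
	case as.AuthData[32]&flagUP == 0:
		return lastCounter, errors.New("user presence not asserted")
	case requireUV && as.AuthData[32]&flagUV == 0:
		return lastCounter, errors.New("user verification required but not asserted")
	case binary.BigEndian.Uint32(as.AuthData[33:37]) <= lastCounter:
		return lastCounter, errors.New("signature counter did not increase (replay or cloned key?)")
	case !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientData), as.Signature):
		return lastCounter, errors.New("bad signature")
	}
	return binary.BigEndian.Uint32(as.AuthData[33:37]), nil
}
```

Two things this makes concrete. The standard itself only carries the key at enrollment and a signature at login; whether a PIN, a fingerprint or nothing at all stood between the user and the private key is visible to the site only as the UV bit, which the device sets itself. And whether the site insists on that bit (`requireUV`) is a relying-party decision, which is the part the next reply is pointing at.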

that'd be more of a choice by the service operator than a design detail of passkeys, right?