by thealistra
1084 days ago
Tbh the lack of sensible account recovery in the process is why I am afraid to turn it on. What if my phone dies with all my keys? Do I need to maintain backups on 3 devices? I assume manually to be secure. This is so much time, esp for throwaway nonsense accounts I use yearly. What if my phone died during a trip and backups are at home in another country. How do I email someone now? My mom forgets a password each time she has to retype it. What if she breaks her phone with all the keys and no backups. How do I log in on a computer without usb access that is not connected to the same network as my phone with the keys? - this workflow is already broken with gmail 2FA process with approving in gmail/youtube app. If I even reset a passkey, how to use a friend's device if mine is broken currently? This is all solved with a password reset email.
Platform authenticators are built around the synchronization concept so it’s easy to keep multiple devices active. Unfortunately, Apple, Google, and Microsoft have committed to but not yet enabled cross-platform sync so until later this year you’d need to register both, say, your iCloud Keychain and Google Chrome keys separately.
Because each one is implemented separately you’d need to check your synchronization service of choice but note that e.g. iCloud explicitly supports recovery when you’ve lost all of your devices permanently:
https://support.apple.com/en-us/HT213305
> How do I log in on a computer without usb access that is not connected to the same network as my phone with the keys? - this workflow is already broken with gmail 2FA process with approving in gmail/youtube app.
Your computer doesn’t need to be on the same network (it uses Bluetooth). This is also a contrived situation: if you work on a computer which has been locked down that much, you don’t want to use personal accounts there anyway.
There is a solution to that, however, along with every other one of these edge cases: you type in one of the one-time recovery codes the service made you set up when enrolling. Unlike the password reset email, that isn't commonly exploited by attackers, either.
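The one-time recovery codes mentioned above, as an added example (not code from the original thread or from any vendor named in it): a minimal server-side store that hands the user plaintext codes once at enrolment, keeps only salted hashes, and deletes a code on its first successful use. The names `RecoveryCodeStore`, `enroll` and `redeem` are my own assumptions, not any real service's API.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_COUNT = 8   # how many codes the user is shown at enrolment
CODE_BYTES = 5   # 40 bits -> 8 base32 chars; acceptable only with rate limiting


def _hash_code(code: str, salt: bytes) -> bytes:
    # Normalise so "abcd-efgh" and "ABCDEFGH" compare equal, then hash slowly
    # so a leaked database does not yield usable codes.
    normalised = code.replace("-", "").replace(" ", "").upper().encode()
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, 100_000)


@dataclass
class RecoveryCodeStore:
    """Per-account store: one salt, plus hashes of the codes not yet used."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    hashes: list = field(default_factory=list)

    def enroll(self) -> list:
        """Generate fresh codes; return plaintext ONCE, persist only hashes."""
        codes = []
        for _ in range(CODE_COUNT):
            raw = secrets.token_bytes(CODE_BYTES)
            code = base64.b32encode(raw).decode().rstrip("=")
            codes.append(f"{code[:4]}-{code[4:]}")   # human-friendly grouping
        self.hashes = [_hash_code(c, self.salt) for c in codes]
        return codes

    def redeem(self, candidate: str) -> bool:
        """Consume one code: True if it matched (and is now burned), else False."""
        digest = _hash_code(candidate, self.salt)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(stored, digest):   # constant-time compare
                del self.hashes[i]                    # single use: remove it
                return True
        return False

    def remaining(self) -> int:
        return len(self.hashes)


if __name__ == "__main__":
    store = RecoveryCodeStore()
    printed = store.enroll()        # constructed sample account
    print("show once to user:", printed)
    print("first use ok:", store.redeem(printed[0]), "reuse ok:", store.redeem(printed[0]))
```

Real deployments add an attempt counter and lockout around `redeem`, since 40-bit codes rely on the attacker being unable to guess at scale.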