Hacker News new | ask | show | jobs
by cassianoleal 1087 days ago
> they just sweep the problem under a corporate rug and ignore that people will still use them inappropriately.

Can you expand on these 2 points? I'm still trying to wrap my head around passkeys and these are some of the arguments I see around but never quite explained.
1 comments
michaelt 1087 days ago
From a certain perspective, passkeys are a lot like using "Sign in with Google/Apple/Microsoft account"

Because if this passkey stuff takes off with normal people, 98% of passkeys will be stored in cloud accounts with those providers.

The weakest link in the security chain is the procedure for when the user forgets their password / loses their phone / gets a rootkit / gets phished / has their e-mail compromised. You can transfer that problem from your site to a cloud provider and hope they do a good job - but the problem doesn't go away.

link
cassianoleal 1087 days ago
> 98% of passkeys will be stored in cloud accounts with those providers.

They will also (and primarily) be stored in the individual devices, and don't need cloud access to the providers in order to be used.

In this sense, it solves one of the main issues with third-party sign-in, i.e. that if the provider decides to lock your account, you get locked out of any linked services.

> You can transfer that problem from your site to a cloud provider

With passkeys? How so? Are passkeys not just cryptographic key pairs? If your service associates a certain account to a certain public key, there's nothing an external cloud provider can do to solve the issue you describe.

It's possible I've missed something, like I said before I'm still wrapping my head around the whole thing.

link
michaelt 1087 days ago
> If your service associates a certain account to a certain public key, there's nothing an external cloud provider can do to solve the issue you describe.

Without passkeys, if one of my users lost their "second factor" (e.g. lost phone) I had to provide a flow for them to get into their account despite that, while remaining secure.

With passkeys, users can restore their "second factor" from a cloud backup, so long as they can get access to that cloud backup. Hence, my lost-second-factor flow is outsourced to the user's cloud provider.

link
pcthrowaway 1087 days ago
If your passkey is issued by Google on your Android device, and Google decides to revoke your account for violating some arcane term of service, how long until you lose access to services with those passkeys? At the very least, I imagine you lose it if you get a new device?
link