Hacker News new | ask | show | jobs
by JaneLovesDotNet 980 days ago
Correct me if I'm wrong but isn't it fair to say that passkeys secured on your phone are more secure than 1FA (password) but less secure than "traditional" 2FA?

   Passkey 2FA: unlock your phone and the passkey on your phone can log you in.

   Traditional 2FA: remember a password AND unlock your phone (where your TOTP is stored) and you can login
If I were to rate all 3 methods on a scale of 1 to 10, for convenience and security, I'd say:

     Method       Convenience   Security       

  Password only:      4/10        2/10

  Passkey 2FA:        9/10        8/10

  Traditional 2FA:    6/10        9/10
Fair?
3 comments
forward1 980 days ago
Passwordless authentication > hardware-backed MFA > TOTP/HOTP MFA > SMS MFA > no MFA

The reason being is the secret used to authenticate you is non-portable (since it's based on asymmetric crypto, it doesn't need to be shared). On the other hand, portable credentials, like TOTP/HOTP code AND passwords are responsible for almost all compromise today.

Bearer token based authentication will always be inferior to FIDO/U2F - it's not even the same ballgame.

link
px43 980 days ago
No, if you break into a site using passkeys, it gives you literally zero information that can be used to authenticate as any of the users. Think about the prevalence of data breaches in the past decade, and the sharp rise in the effectiveness of password stuffing, and think about why this change might be a good idea.

Also even with traditional 2FA, TOTP can be phished. See https://github.com/kgretzky/evilginx2

WebAuthn almost entirely eliminates phishing risk (at least with respect to credential harvesting), and Passkeys are a really nice, clean UX for using WebAuthn.

link
the_snooze 980 days ago
>No, if you break into a site using passkeys, it gives you literally zero information that can be used to authenticate as any of the users. Think about the prevalence of data breaches in the past decade, and the sharp rise in the effectiveness of password stuffing, and think about why this change might be a good idea.

An implication of that is passkeys let you use the same authenticators across multiple services safely. Instead of keeping track of unique passwords across all those services (or worse, reusing passwords), you can just have a passkey-registered phone and one or two Yubikeys for backups/convenience. You'd be a very hard target for account compromise. That setup is highly phishing-resistant and immune to credential-stuffing, without the cognitive load of passwords.

link
orev 980 days ago
Nobody should be using a remembered password anymore. Most people are likely using the phone for both the password and the MFA code.
link
doublerabbit 980 days ago
> Nobody should be using a remembered password anymore.

Nobody is a strong number, why?

I don't want to use biometrics for logging in to my SSH terminal. I dislike having to use my phone for authentication methods.

I go many places without my phone. Even tempted to gon on holiday without it. Maybe I'm just one of the few who actually enjoys turning it off when coding, developing or whatever.

link
sbuk 979 days ago
Not wanting to use biometrics directly for over-the-web authentication is one thing. Not taking the time to understand the technology being employed by Passkeys is entirely another. That’s your fault.
link
doublerabbit 979 days ago
> That’s your fault.

No one's explained it to me. Other than "DoNT UsE PaSsWoRds", that's not my fault.

Why should I have to learn it, why should my mother have to learn it. This an a totally thrown in your face situation.

Theres plenty of posts in this thread explaining to why its a flawed design. You tell me why not.

link
sbuk 979 days ago
There are plenty of posts in this thread that are misrepresenting the technology, in a few cases deliberately. If you feel strongly enough to comment, you owe it to yourself and the discussion to go to the source and understand what it's about - that's what I mean by that's your fault. You clearly understand enough to A) argue against biometrics over the wire and B) feel you can comment on Passkeys.

Most, if not all (I've not read every post) of the 'flaws' mentioned generally exist in computer security; for example, no one is impervious to a thug and a weapon. The implementation is as simple as generating a key pair; the private key is stored in a secure enclave, either on device or in a secure location, and the public key is shared with the 3rd party. All services provide some recovery method upfront, clearly stating the importance of a backup. There is only so much they can do before you accept the responsibility for managing your security and privacy online. Resorting to "won't someone think of the children" doesn't help either. My mother, who is 74, has no problem with passkeys.

Is it perfect? No. There are 'better' competing standards, but they don't have anywhere near the consensus of the broader security field. Is it better than the current status quo? Definitely. Public key cryptography is significantly better than username/password combinations, even with TOTP or HTOP second factors, though ultimately, it will be a while before they disappear.

link
JaneLovesDotNet 980 days ago
Right, in which case passkeys would be equally secure. But if you DO memorize the password (for example for your most sensitive account), then it feels like traditional 2FA is more secure.

That being said passkeys win if you also take convenience into account. I've updated my original comment with convenience scores to reflect that.

link
vdelitz 980 days ago
Agree
link