[packetlost]

>> Passkeys can’t be phished, ..., or entered on a malicious domain. > Neither can passwords if you're using a password manager to handle them.

This is absolutely not true, it depends heavily on usage patterns of the password manager and its features. Not all are browser extensions that autofill, and even if they did, sites change their domains for auth occasionally that break this functionality (or more often, signup is on a different domain from auth) meaning you must manually copy-paste your password somewhat often if you don't meticulously, and manually, maintain your domain list for a credential. The average person is *not* going to do that, they're going to go "huh, it broke again" and copy paste their randomly generated password.

Please, do not give security advice you are not equipped to handle.

[troyvit]

> Passkeys have no easy way to extract the private key and do not request to enter the private key to authenticate.

Sure the do. All somebody needs is the password to your password manager. It's a single point of failure and by putting your passkeys in there to you've made it even more vulnerable.

Do you put a passkey on your password manager that exists outside of that ecosystem? Once you have that why not just use it for everything?

The parent wasn't giving security advice. They were asking a valid question.

[packetlost]

> Sure the do. All somebody needs is the password to your password manager. It's a single point of failure and by putting your passkeys in there to you've made it even more vulnerable.

Not more vulnerable than if they were just using password. You're still missing my point, password managers do not give you the ability to just copy-paste the private key of a passkey into a form field, unlike passwords. Some don't give you access to it at all (*cough* Apple *cough*). Sure you can get the private key if you have access to the password managers vault, but that's not what's being talked about. Common usage patterns matter immensely in security. At the end of the day, the attack surface for passkey-based authentication is smaller than password-based authentication, which is a step in the right direction.

> The parent wasn't giving security advice. They were asking a valid question.

The parent made a blatantly false and dangerous statement and then followed it up with a question. Did we read the same comment?

[troyvit]

I agree that it's not more vulnerable than just using a password, I'm only saying that it's only slightly less vulnerable under the best circumstances and incredibly more vulnerable under the worst circumstances (ie. if somebody got ahold of your password manager).

I also agree that passkey-based authentication provides a smaller attack surface than purely password-based authentication.

But putting the passkey on a second device provides an even smaller attack surface since now a bad actor needs both your device (or a MITM attack) and your password.

This is an HN forum. Nobody's giving "security advice," but I do feel like the parent comment's question hasn't been answered. Why would one store passkeys in their password manager instead of on a separate device?

[packetlost]

> I agree that it's not more vulnerable than just using a password, I'm only saying that it's only slightly less vulnerable under the best circumstances and incredibly more vulnerable under the worst circumstances (ie. if somebody got ahold of your password manager).

I feel like we might have a mismatch in understanding what a passkey is. You make a new keypair for each account to authenticate to. A leaked passkey is generally no more vulnerable than a password when leaked.

> But putting the passkey on a second device provides an even smaller attack surface since now a bad actor needs both your device (or a MITM attack) and your password.

Correct. The gold standard is a hardware secured, non-cloud synced private key.

> This is an HN forum. Nobody's giving "security advice,"

It's a technical forum with statements on a technical topic. Making statements like that can always be misinterpreted as technical advice by default.

> but I do feel like the parent comment's question hasn't been answered. Why would one store passkeys in their password manager instead of on a separate device?

This is fair. The answer is: convenience. It is most definitely worse security posture to sync passkeys than to store them on a separate, physical device that can answer challenges without leaking the private key.

The reason to use them over passwords is they are more secure, even when synced to a cloud vault.

[troyvit]

Thanks for helping to clarify what we're talking about. I disagree with some of what you're saying, but I also see where you're coming from re: the convenience of passkeys in your pw manager.