> I agree that it's not more vulnerable than just using a password, I'm only saying that it's only slightly less vulnerable under the best circumstances and incredibly more vulnerable under the worst circumstances (i.e. if somebody got ahold of your password manager).

I feel like we might have a mismatch in understanding what a passkey is. You make a new keypair for each account to authenticate to. A leaked passkey is generally no more vulnerable than a password when leaked.

> But putting the passkey on a second device provides an even smaller attack surface since now a bad actor needs both your device (or a MITM attack) and your password.

Correct. The gold standard is a hardware-secured, non-cloud-synced private key.

> This is an HN forum. Nobody's giving "security advice,"

It's a technical forum with statements on a technical topic. Making statements like that can always be misinterpreted as technical advice by default.

> but I do feel like the parent comment's question hasn't been answered. Why would one store passkeys in their password manager instead of on a separate device?

This is fair. The answer is: convenience. It is most definitely a worse security posture to sync passkeys than to store them on a separate, physical device that can answer challenges without leaking the private key. The reason to use them over passwords is that they are more secure, even when synced to a cloud vault.
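An added sketch (mine, not from the thread) of the mechanism the reply describes: one keypair per relying party, the device answering a fresh challenge without exposing the private key, and the server holding only public keys. It is a simplified model rather than the WebAuthn protocol itself, and the relying-party names are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the device holding passkeys: one private key per
// relying party (account). Keys are never exported; the device only signs.
type Authenticator map[string]*ecdsa.PrivateKey

// Register mints a fresh keypair for rpID; only the public half leaves the device.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge for rpID; mixing rpID into the signed bytes is a simplified stand-in for WebAuthn origin binding.
func (a Authenticator) Sign(rpID string, challenge []byte) ([]byte, bool) {
	priv, ok := a[rpID]
	if !ok {
		return nil, false // no passkey for this relying party, nothing to sign
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(rpID, challenge))
	return sig, err == nil
}

func digest(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// NewChallenge is the relying party's fresh nonce; a captured signature does not verify against a new one.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Verify is the relying party's check; its store holds only pub, so a breach of that store yields nothing that logs in.
func Verify(rpID string, pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(rpID, challenge), sig)
}
```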