by konha 776 days ago
They can be. Depends on how they are implemented.

Passkeys can:

- Replace the whole login (including discovery of the user id)

- Just replace the password, after a user specified a user id

- Be used as a second factor just like TOTP

They are definitely more phishing resistant for what it’s worth, even if just used for MFA. TOTP codes can be copied manually by an unsuspecting user.


Thanks for the clarification! Do you know of any services that implemented the full flow, including the discovery of the user id?

We do this for https://tender.run - the feature is called conditional mediation / UI. I found this article[0] helpful for implementation.

[0]: https://web.dev/articles/passkey-form-autofill#fetch_a_chall...

GitHub
See also: https://webauthn.io

If you want to explore more options.
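
The three uses listed in the top comment differ mainly in the options passed to `navigator.credentials.get()` and in how the server decides which account an assertion belongs to. The sketch below is an added example, not code from any commenter or from the linked article; `buildRequest`, `resolveUser`, the relying-party id and the sample data are all hypothetical, and signature, challenge and rpIdHash verification are assumed to be done by a WebAuthn server library.

```javascript
// Added example; every name is hypothetical and all data is constructed.
// Ids and challenge are strings for readability; the browser API takes ArrayBuffers.
const RP_ID = "example.com";
const ORIGIN = "https://example.com";

// Options for navigator.credentials.get() in each of the three modes.
function buildRequest(mode, challenge, userCredentialIds = []) {
  const publicKey = { challenge, rpId: RP_ID, userVerification: "required" };
  if (mode === "full-login") {
    // No user id typed: an empty allowCredentials list asks for discoverable
    // credentials, and conditional mediation offers them via form autofill.
    publicKey.allowCredentials = [];
    return { mediation: "conditional", publicKey };
  }
  // User id already known: restrict to that account's registered credentials.
  publicKey.allowCredentials = userCredentialIds.map((id) => ({ type: "public-key", id }));
  if (mode === "second-factor") {
    // Password was already checked; skipping user verification is a policy choice.
    publicKey.userVerification = "discouraged";
  }
  return { publicKey };
}

// Server side: decide which account the assertion logs in.
// credentialOwners maps credential id -> user id (stand-in for a database).
function resolveUser(mode, assertion, claimedUserId, credentialOwners) {
  const client = JSON.parse(assertion.clientDataJSON);
  if (client.type !== "webauthn.get") throw new Error("wrong ceremony type");
  // The browser records the real page origin, so a look-alike site fails here.
  if (client.origin !== ORIGIN) throw new Error("origin mismatch");
  const owner = credentialOwners.get(assertion.credentialId);
  if (owner === undefined) throw new Error("unknown credential");
  if (mode === "full-login") {
    // The user id is discovered from the authenticator's userHandle.
    if (assertion.userHandle !== owner) throw new Error("userHandle mismatch");
    return owner;
  }
  // Otherwise the credential must belong to the user id typed earlier.
  if (owner !== claimedUserId) throw new Error("credential not registered to this user");
  return owner;
}
```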