by koito17 741 days ago
> The inability to move them is a feature, not a bug.

Wasn't the whole point of passkeys over FIDO2 keys the fact that you can have the same secrets stored on more than one device? (thus mitigating the largest pitfall of FIDO2 keys -- losing the physical key)


Passkeys are an implementation of FIDO2 - technically an expansion of the protocol to include so-called platform authenticators that are device bound, but also syncable credentials, which is what the major players are implementing with storage in iCloud Keychain, Google Accounts, Microsoft Accounts, password managers, etc.

In this way the promise of passkeys, and the main marketing message around passkeys, is that they are phishing-resistant. This isn't strictly true though, because within some of these syncable ecosystems you can share a passkey. For example, I can AirDrop a Cloudflare passkey to someone else's iPhone. If they accept, they can now authenticate as me.

The core intentions of FIDO2 generally and passkeys specifically are sound, but solving the age-old problems of device loss, resets, impersonation, sharing, etc., are human issues that the tech companies and consortiums still can't solve. In this way I would argue that passkeys are an improvement but are oversold. They are still better than passwords for many use cases though. And IMHO should remain optional.

> In this way the promise of passkeys, and the main marketing message around passkeys, is that they are phishing-resistant. This isn't strictly true though

So, it is not true.

However, what's true is that if you're arrested, the police won't have to ask Google/Apple/anyone to give them access to your accounts.

They'll just hold the phone to your face, and get a convenient list of all your accounts and a means to log into them.

Granted, you'd need to have biometrics involved. But you can simply be asked to unlock the phone; if that's the FSB doing the asking, you won't say "no".

> However, what's true is that if you're arrested, the police won't have to ask Google/Apple/anyone to give them access to your accounts.

> They'll just hold the phone to your face, and get a convenient list of all your accounts and a means to log into them.

As with any password manager installed on your phone. Passkeys don’t claim to solve and are not intended to solve that particular kind of threat.