Hacker News new | ask | show | jobs
by vel0city 545 days ago
> A PIN grants you access to the service

Incorrect. The PIN does not grant access to the service.

If all you have is the PIN, you don't get access to the service. Therefore, its not the PIN that grants the access.

If you know my keepass database passphrase, but don't have the actual database file, do you have access to the services contained within?

And as acdha mentioned, the entire login workflow is radically different with security keys / passkeys. Its a radically different implementation of authentication with different guarantees.

Do you leave SSH open on port 22 with only password authentication? It's just the same as using SSH keys, just a difference in implementation.
1 comments
recursive 545 days ago
> If all you have is the PIN, you don't get access to the service.

That depends what the service is. If the "service" is a session on my desktop PC, then it absolutely does grant access. You'll have to take my word that if I type my PIN into it, it will start an interactive session.

My kid wants to play minecraft, but he can't because he doesn't have the PIN. If he did have the PIN, he could play minecraft.

I am willing to believe that the implementation of the PIN is totally different from passwords, but in this use case, the user experience is identical. The "attacker" does NOT need the password.

link
vel0city 545 days ago
It is still not the PIN in the same way the password to the password vault isn't the password to an account. If you had a physical TPM that got removed, your pin wouldn't do anything. If the TPM got reset in the BIOS, the PIN wouldn't work. It's a step in the authentication workflow, but the PIN itself is not the credential. If a person tried to RDP to that computer with the PIN, they wouldn't be able to access it.

If your kid fails the PIN too many times, the PIN gets disabled. No more PIN retries until the real password gets used. If they tried the password a bunch of times, they'd get a timeout but could come back in a few minutes and try again.

link
recursive 545 days ago
I think maybe I get it now.
link
vel0city 545 days ago
I mean, I get what you're saying about from the user perspective the pin is the login, but the under the hood nuance makes things pretty different in the end when thinking more about what's happening.

Same thing with a fingerprint with a passkey to some service. The fingerprint itself isn't the login; you can't just go to any phone and press your finger and log in to the service. So the fingerprint isn't the login, its a part of the process on that particular device to unlock that particular saved credential that logs you in.

link
recursive 545 days ago
I think another, more technically correct, way to say it is this:

In some cases, a PIN can be used to achieve the same effect that the corresponding credential can.

I think normal people care about some of these cases sometimes.

link