by grammarxcore 461 days ago
The big thing missing from the article is how a device that contains many passkeys is any different from a password manager that enforces security settings. I don’t worry about passwords my password manager generates getting compromised because I use at least 24 random characters (assuming my password manager is using a cryptographically secure PRNG that guarantees some level of randomness, giving us more than 128 bits). Assuming I use that to manage the password to my email, I really only have to worry about my password manager key being compromised. I only use my password manager on trusted devices, so I really only have to worry about my trusted devices being compromised.

If I use passkeys, I have to worry about my trusted devices being compromised. According to the article, “as long as you can remember your phone password, you can log in to your accounts.” That sounds like my password manager. The other benefits also sound like a combination of my password manager and privacy focus. I’m not saying this is bad; I just don’t see how it’s different from a security-conscious status quo.


Passwords are still leakable, guessable, and can be phished. Passkeys are “second-factor-only”: your device responds to a challenge and acts in a similar capacity to a yubikey. The private keys contain much more entropy than a password, never leave the device, and the challenges and responses are both signed with site-specific keys so they can’t be phished. So from a security perspective, a lot is gained.

From a user perspective, instead of trying to get the dang webform to autofill, I just smile for a second and become authenticated.

Until you lose the device. Or you're given security codes, and those are, again, leakable and guessable. No normal user is going to accept their phone being stolen and losing access to their bank account. It's bitcoin-as-unregulated-fiat levels of wishful thinking.

Registering your phone as a passkey through Apple or Google will cloud-sync the key. This isn’t great for isolation, but is pretty good for availability.

Using something like KeepassXC puts you in charge of your own backups.

I’m sure we can all find people for whom one or the other would be preferable.

> Registering your phone as a passkey through Apple or Google will cloud-sync the key.

Isn't it lovely that the big players can do that...

and when KeePass or others want to do it, they are threatened in no uncertain terms with de-attestation? Members of the FIDO Consortium are threatening KeePassXC and other open source tools with blocking for sharing "roaming keys", meanwhile "Oh, Apple wants to share keys via AirDrop? No problem". That is one of the concerns: it's yet another "push users to Apple and Google's tool of choice".

> https://github.com/keepassxreboot/keepassxc/issues/10407#iss...

"Users should be prevented from copying or sharing a private key".

"Leakable" isn't a purely negative property. It's the same thing you can use to provide access to a trusted spouse, and ensures a trivial solution to the "lost device" problem when traveling.

You can provide access by registering another key. Similarly, the trivial solution to the "lost device" problem is a backup.

Well, if your hardware is compromised, using a password manager or passkeys is not different at all.

For now, phone hacked = say goodbye to work, banking etc. is not ideal, yes, but in the future where you can implant chips under skin??? Now we're talking.