Hacker News
by freeone3000 467 days ago
Passwords are still leakable, guessable, and can be phished. Passkeys are “second-factor-only”: your device responds to a challenge and acts in a similar capacity to a yubikey. The private keys contain much more entropy than a password, never leave the device, and the challenges and responses are both signed with site-specific keys so they can’t be phished. So from a security perspective, a lot is gained.

From a user perspective, instead of trying to get the dang webform to autofill, I just smile for a second and become authenticated.
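The challenge-response flow the comment describes (the site sends a challenge, the device-held key signs it, and the response is bound to the site's origin) can be shown in a few dozen lines. The following is an added Go example, not code from the thread or from any passkey implementation: it is a simplified model of a WebAuthn assertion in which the relying party ID, the origins, the hostnames and the one-key-per-site lookup are all assumed for illustration. It shows why a look-alike domain cannot obtain or replay a signature for the real site.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Authenticator models a passkey holder: one private key per relying party ID.
// The keys never leave this struct; only signatures do.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// RelyingParty is the server side: its RP ID, the origin it expects the
// browser to report, and the public key registered at enrolment.
type RelyingParty struct {
	ID, Origin string
	PubKey     *ecdsa.PublicKey
}

// Assertion is what the browser returns to the site after a login ceremony.
type Assertion struct{ ClientDataJSON, AuthenticatorData, Signature []byte }

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Register creates a P-256 key pair bound to rp.ID and hands the site only the public half.
func Register(auth *Authenticator, rp *RelyingParty) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	auth.keys[rp.ID] = priv
	rp.PubKey = &priv.PublicKey
	return nil
}

// NewChallenge is the server's fresh random nonce for one login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedDigest reproduces what the authenticator signs: authenticatorData || SHA-256(clientDataJSON).
func signedDigest(authData, cd []byte) [32]byte {
	cdHash := sha256.Sum256(cd)
	return sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
}

// Authenticate plays the browser plus the authenticator. The browser, not the
// web page, fills in the origin it is really on, and refuses an RP ID that is
// not a registrable suffix of that origin's host. That rule is what stops a
// look-alike domain from asking the device for the real site's key.
func Authenticate(auth *Authenticator, rpID, origin string, challenge []byte) (*Assertion, error) {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" {
		return nil, errors.New("origin must be an https URL")
	}
	host := u.Hostname()
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, fmt.Errorf("browser refuses: rpID %q does not match origin host %q", rpID, host)
	}
	priv, ok := auth.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %q", rpID)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	counter := make([]byte, 4)
	binary.BigEndian.PutUint32(counter, 1)
	authData := append(append(rpHash[:], 0x01), counter...) // rpIdHash || flags(UP) || counter
	digest := signedDigest(authData, cd)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, AuthenticatorData: authData, Signature: sig}, nil
}

// Verify is the server-side check: our challenge, our origin, our RP ID hash,
// and a signature by the key we enrolled. Any one failing rejects the login.
func Verify(rp *RelyingParty, a *Assertion, expected []byte) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	got, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if err != nil || !bytes.Equal(got, expected) {
		return errors.New("challenge mismatch (stale or replayed assertion)")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: browser reported %s", cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rp.ID))
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	digest := signedDigest(a.AuthenticatorData, a.ClientDataJSON)
	if !ecdsa.VerifyASN1(rp.PubKey, digest[:], a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth := NewAuthenticator()
	bank := &RelyingParty{ID: "bank.example", Origin: "https://bank.example"} // constructed names
	_ = Register(auth, bank)
	ch, _ := NewChallenge()
	a, _ := Authenticate(auth, bank.ID, bank.Origin, ch)
	fmt.Println("legitimate login:", Verify(bank, a, ch))
	_, err := Authenticate(auth, bank.ID, "https://bank-login.example", ch) // look-alike host relaying the real challenge
	fmt.Println("look-alike origin:", err)
}
```

Two things the password flow lacks are visible here: the challenge is single-use, so a captured assertion is useless a second time, and the origin the browser saw is inside the signed data, so a signature produced on one host cannot be presented as a login to another.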

2 comments

Until you lose the device. Or you're given security codes, and those are, again, leakable and guessable. No normal user is going to accept their phone being stolen and losing access to their bank account. It's bitcoin-as-unregulated-fiat levels of wishful thinking.
Registering your phone as a passkey through Apple or Google will cloud-sync the key. This isn’t great for isolation, but is pretty good for availability.

Using something like KeepassXC puts you in charge of your own backups.

I’m sure we can all find people for whom one or the other would be preferable.

> Registering your phone as a passkey through Apple or Google will cloud-sync the key.

Isn't it lovely that the big players can do that...

and when Keepass or others want to do it, they are threatened in no uncertain terms with de-attestation? Members of the FIDO Consortium are threatening KeePassXC and other open source tools with blocking for sharing "roaming keys", meanwhile "Oh, Apple wants to share keys via AirDrop? No problem." That is one of the concerns: it's yet another "push users to Apple and Google's tool of choice".

> https://github.com/keepassxreboot/keepassxc/issues/10407#iss...

"Users should be prevented from copying or sharing a private key".

"Leakable" isn't a purely negative property. It's the same thing you can use to provide access to a trusted spouse, and ensures a trivial solution to the "lost device" problem when traveling.
You can provide access by registering another key. Similarly, the trivial solution to the "lost device" problem is a backup.