Hacker News new | ask | show | jobs
by teekert 344 days ago
I think Proton Pass just stores one key for all devices? Not even sure! But it does work anywhere without the experience you had: I go to a website I have saved, it pops up, I click and am logged in.

Not sure if Proton does the device specific stuff under the hood (and hides it well), or if they are abusing the system by simply sharing the private key over all devices? (That is misuse right? Idk, I had the same experience with BitWarden). The keys should be device specific right? That's the 2fa replacing magic.

I too, have no idea. And I too am a bit disappointed it is so difficult to understand what happens. I do believe I can just export the keys and import somewhere else (i.e. Proton <-> BitWarden), which would suggest one passkey per account... Hmmm... Also, I believe it's just Google and Apple that try to make this a walled garden, it wasn't designed to be like that.
1 comments
dchest 344 days ago
> The keys should be device specific right?

No, they can be synched. There are different types of passkeys, synched and device-bound (for YubiKeys, etc.)

Hope this clears up the confusion (haha).

link
teekert 344 days ago
Ah but why are they better than classic credentials then? I thought they were device specific and thus "2fa build in". I thought you'd have to approve every new device from an existing one? But indeed I never saw that in action...
link
recursive 344 days ago
Because you can't export them.
link
teekert 344 days ago
Pretty sure I could with VaultWarden. For Proton indeed it seems to be an open issue. In theory it should be doable right? It's not like "impossible because of the spec" or something?
link
xmgplays 344 days ago
The difficulty of exporting them is kinda the point(sorta). The benefit of passkeys is that the average user is less likely to hand them over to a scammer, because they literally can't/don't know how, whereas everyone and their mother knows how to give a scammer their password/username and the funky numbers in the email they just got.
link
recursive 344 days ago
> It's not like "impossible because of the spec" or something

It could be, but I don't know if it is. One of the design points is that they are cryptographically un-phishable or something to that effect.

The ability to export directly conflicts non-phishability, at least in theory. I've heard conflicting information about what precisely is allowed or possible.

link