by ecesena
319 days ago
I don’t get the sentiment of the article. The whole point about passkeys is to replicate the exact UX of passwords (registration, reset…) but offer protection against phishing, by using public key crypto. If you want a different UX, use a hardware security key. But these failed to reach consumer adoption. And of course the FIDO2 standard didn’t specify (yet) a way to move passkeys around, so each implementation chose their own way to do vendor lock in. But this will be fixed in a few iterations.
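The phishing resistance ecesena mentions comes from two bindings: the relying party stores only a public key, and the browser writes the origin the user is actually on into the signed client data, so a look-alike site that relays a genuine login challenge cannot produce an assertion the real site will accept. The Go program below is an added illustration, not code from this thread or from any FIDO project; it sketches a minimal WebAuthn-style registration and sign-in with the RP-side checks. The RP ID `example.com`, the origins, and the reduction of authenticator data to `sha256(rpID)` are constructed simplifications (a real browser would also refuse to use an `example.com` credential from another origin at all; the point here is what the server verifies).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData holds the clientDataJSON fields used here. The browser, not the web
// page, fills in Origin, so a look-alike site cannot forge it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// credential is all the relying party (RP) keeps after registration: a public key
// and the RP ID it is bound to. No secret ever leaves the authenticator.
type credential struct {
	pub  *ecdsa.PublicKey
	rpID string
}

// signedMessage is the WebAuthn signing input sha256(rpID) || sha256(clientDataJSON),
// digested once more because ecdsa.SignASN1 and VerifyASN1 take a hash.
func signedMessage(rpID string, clientJSON []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(clientJSON)
	h := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return h[:]
}

// sign is the authenticator/browser side; origin is the site the browser is really on.
// It returns the clientDataJSON bytes and the ASN.1 ECDSA signature over them.
func sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) ([]byte, []byte, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, cd))
	return cd, sig, err
}

// verify is the RP side: ceremony type, fresh challenge, expected origin, then the
// signature, recomputed over the RP ID the credential was registered for.
func verify(cred credential, expectedOrigin, expectedChallenge string, clientJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin {
		return errors.New("origin mismatch: assertion was produced on another site")
	}
	if !ecdsa.VerifyASN1(cred.pub, signedMessage(cred.rpID, clientJSON), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// attempt registers a credential for the constructed RP example.com, then runs one
// sign-in from browserOrigin and reports whether the RP accepts it. A look-alike site
// relaying the RP's real challenge still fails: the browser records where the user is.
func attempt(browserOrigin string) (bool, error) {
	const rpID, rpOrigin = "example.com", "https://example.com"
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration: new P-256 key
	if err != nil {
		return false, err
	}
	cred := credential{pub: &priv.PublicKey, rpID: rpID} // the RP stores only the public half
	raw := make([]byte, 32) // fresh per-login challenge, so an old assertion cannot be replayed
	if _, err := rand.Read(raw); err != nil {
		return false, err
	}
	challenge := base64.RawURLEncoding.EncodeToString(raw)
	cd, sig, err := sign(priv, rpID, browserOrigin, challenge)
	if err != nil {
		return false, err
	}
	return verify(cred, rpOrigin, challenge, cd, sig) == nil, nil
}

func main() {
	genuine, _ := attempt("https://example.com")
	relayed, _ := attempt("https://example-login.test") // constructed look-alike origin
	fmt.Println("genuine sign-in accepted:", genuine, "- relayed sign-in accepted:", relayed)
}
```

Run it and the genuine sign-in is accepted while the relayed one is rejected on the origin check, before the signature is even examined. This is also why a lost passkey is no different from a lost password on the server side: the RP holds nothing but a public key, so "reset" simply means registering a new one through whatever recovery flow the site already has.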
I think passkeys are worth it for ordinary sites/apps that support resetting your password with a simple email, because if you lose your passkey, you can just reset your passkey with a simple email.
The main point of the article is to demystify passkeys, especially passkey resets. Lots of people (especially on HN, even here on this thread) are in the habit of saying that if you lose your passkey, you're going to get permanently locked out of your account.
That's no more true (and no less true) of passkeys than passwords. If you lose your password, you'll have to reset your password. If you lose your passkey, you'll have to reset your passkey, via the exact same process as resetting your password, however easy/hard that may be.
Logging into Google with a passkey feels more perilous to me, especially if Google is your password manager. Losing your Google password is bad, but you can see your Google password. You can write it down and keep it somewhere secure in your house.
If you're using a passkey to login to Google, you've really gotta go to https://myaccount.google.com/security and set up backup codes, and then keep those in a secure vault in your home.
(But, if you can trust yourself to keep a secure backup code, and not give it away to a phisher, then you're not getting much benefit from passkeys, are you?)