Hacker News new | ask | show | jobs
by alyandon 185 days ago
I'm a bit of a curmudgeon about this.

Until service providers are no longer allowed to:

  1) force the type of passkey stores used (e.g. hardware vs software) when I am providing the passkey store
  2) force me to MFA (e.g. forcing touch ID, entering pin or unlock password, etc) when attempting to use a passkey
I'll continue to stick to plain old boring password + TOTP. I fully understand the security trade-offs like phishing resistance but password + TOTP is secure enough for me.
2 comments
Groxx 185 days ago
Many/all? also need to have some form of manual input as a backup, so you're not forced to sync all your passwords to e.g. a library's computer just to log in, if your house burns down or something.

Which probably looks a lot like a password.

link
jesseendahl 184 days ago
(1) is already true today. There is no way for services to enforce whether a passkey is stored in software or hardware.

(2) I understand you don't like the user experience. But to make a technical clarification: requiring a user action to prove there's a human involved in the login action (e.g. by clicking a button in UI or requiring Touch ID) does not necessarily mean there's another factor involved at all (MFA). What you are describing is more of a "liveness check" than a separate factor/separate credential.

link
alyandon 184 days ago 

  (1) is already true today. There is no way for services to enforce whether a passkey is stored in software or hardware.
Challenge: Go and try to register a non-blessed passkey type with PayPal and come back and share your experience.

  (2) I understand you don't like the user experience
Pretty much my complaint. Passkeys allow for service providers to do dumb things that result in terrible UX. With Password + TOTP, I don't get asked to touch a sensor, enter a PIN, enter an unlock password, etc.
link
spencerflem 184 days ago
I actually kinda like the enter-a-pin flow, it makes me feel a lot safer about letting someone hold my phone. I just hate the lock-in it adds
link
spencerflem 184 days ago
Liveness check is fine, but I’ve always seen it as requiring Microsoft Hello or equivalent explicitly, and not whatever check I would prefer to use
link