[AlotOfReading]

The "standard" answer is that you should either use synced passkeys, or enroll multiple passkeys with the provider. The problem is that some providers (e.g. Paypal, some banks) only support one passkey, and synced passkeys aren't supposed to be trusted for attestation (unless they're synced by Apple/Google/Microsoft).

[epaulson]

And every couple of days we see a post or a tweet about "Google/Apple/Microsoft just nuked my account with no notice and no recourse" so trusting them to sync passkeys rightfully makes some people nervous.

[stavros]

Whereas we never see a horror story involving passwords.

[AlotOfReading]

There are two problems with passwords. Reuse, and site breaches. The solution to the former is the same as passkeys: credential managers. Passkeys genuinely solve the second, in exchange for a vastly less comprehensible system (see all the uncertainty people have even here on HN) that doesn't support many of the ways people want to use authentication tokens.

[stavros]

No, the biggest issue with passwords is phishing. You can't phish a passkey.

[bgbntty2]

The problem with this is requiring everyone to own a device with a secure enclave or similar hardware capabilities because some people are prone to being phished. Let me choose the level of risk I find acceptable.

[stavros]

Passkeys don't require this.

[NoGravitas]

Sort of. Passkeys push the phishing to the account recovery or passkey enrollment process.

[stavros]

How do you phish the account recovery or enrollment process?

[AlotOfReading]

Are there any credential managers that don't validate the domain with passwords? Sure, there are issues with PSL subdomain matching, but at the end of the day it's good enough in the real world. All the other stuff (MITM, malicious site, etc) falls under the other case I already mentioned.

[stavros]

There's a big difference between "generally doesn't get phished" and "it's impossible to be phished".

[stavros]

That's not what phishing is. Phishing is convincing someone to give you a credential with a page that looks like the one they're supposed to give the credential on. Passkeys cannot be phished.

[immibis]

They must be paired with an alternative mechanism, unless you plan to unperson everyone who accidentally drops their phone in a river (this may be the plan for high-security services but it can't be the plan in general) and that mechanism can be phished.

Session cookies can't be phished either, so why aren't those sufficient?