by epaulson 171 days ago
And every couple of days we see a post or a tweet about "Google/Apple/Microsoft just nuked my account with no notice and no recourse" so trusting them to sync passkeys rightfully makes some people nervous.

Whereas we never see a horror story involving passwords.
There are two problems with passwords. Reuse, and site breaches. The solution to the former is the same as passkeys: credential managers. Passkeys genuinely solve the second, in exchange for a vastly less comprehensible system (see all the uncertainty people have even here on HN) that doesn't support many of the ways people want to use authentication tokens.
No, the biggest issue with passwords is phishing. You can't phish a passkey.
The problem with this is requiring everyone to own a device with a secure enclave or similar hardware capabilities because some people are prone to being phished. Let me choose the level of risk I find acceptable.
Passkeys don't require this.
How else would you make the private key unexportable and the passkey uncopyable?
Sort of. Passkeys push the phishing to the account recovery or passkey enrollment process.
How do you phish the account recovery or enrollment process?
Are there any credential managers that don't validate the domain with passwords? Sure, there are issues with PSL subdomain matching, but at the end of the day it's good enough in the real world. All the other stuff (MITM, malicious site, etc) falls under the other case I already mentioned.
There's a big difference between "generally doesn't get phished" and "it's impossible to be phished".
It's security, so we're not discussing impossibility. You can still phish a passkey, we're just hoping the cryptography is good enough that it remains astronomically unlikely to succeed. Since we're all reasonable people, that chance is low enough that we're fine accepting it. What I'm saying is that the chance with passwords is still low enough that I'm fine accepting, even though it's much higher than the cryptographic security of passkeys. We're simply disagreeing about where we draw the line of "good enough".
What happens if I drop my phone in a river? Am I unpersoned, or is there a way to recover all my accounts? Just phish that flow instead.
That's not what phishing is. Phishing is convincing someone to give you a credential with a page that looks like the one they're supposed to give the credential on. Passkeys cannot be phished.
They must be paired with an alternative mechanism, unless you plan to unperson everyone who accidentally drops their phone in a river (this may be the plan for high-security services but it can't be the plan in general) and that mechanism can be phished.

Session cookies can't be phished either, so why aren't those sufficient?