Hacker News new | ask | show | jobs
by Gigachad 60 days ago
Passkeys are even better since you don't have to pull out your phone or switch to email to grab a code. It just logs you in.

Also for old people, its impossible to fall for a phishing page using Passkeys. Unlike auth codes where you can type the code in to a fake login page.
2 comments
goosejuice 60 days ago
I'm a fan of passkeys because I don't have to store sensitive info. It's just a public key and I don't need identifiable info from the user. That's a super nice option for some niche low stakes software.

Unfortunately that breaks down when someone doesn't set multiple keys as backup and gets locked out. Then you're right back to password/backup code or some kind of recovery to email or phone. Chances are people just store their backup codes as plain text too. They also break down across desktop/mobile, e.g. register on desktop then try to log in on mobile. Not everyone has a good sync solution here, especially the non technical.

Honestly all the solutions have trade offs in UX/security/privacy and dependency on third party services. The best solution is going to be highly dependent on the business.

link
Gigachad 60 days ago
The sync situation is a bit of a mess but it's getting better. Personally I use 1password and everything is synced everywhere effortlessly. But if you are a windows user without a password manager then you are probably best off just using your phone and the QR code scan flow.

The UX issues of Passkeys can and are being fixed. The issues with passwords are unfixable.

link
goosejuice 60 days ago
> The UX issues of Passkeys can and are being fixed.

I don't see any solutions to the recovery problem that doesn't introduce another login mechanism. But as a primary method the UX is pretty good for the technically literate.

link
Gigachad 60 days ago
It should be relatively hard to get locked out. Keys are synced to all of your devices so you'd have to lose everything at once.
link
rr808 60 days ago
I have 3 laptops, a PC and a PC at work and 2 phones. Passkeys still confuse me and I'm not 60 yet.
link
Gigachad 60 days ago
They essentially work automatically without having to understand them. They get synced with your apple and google account or password manager to every device. For a work pc or something you haven't signed in with, Windows and MacOS will show a QR code you scan with your phone and it all just works.

For an old person who basically just uses an iphone and ipad, you can't screw it up and you can't be scammed.

link