Hacker News new | ask | show | jobs
by alterom 48 days ago
>We have now gone from having to “redo everything” to being asked to switch to a passkey by a grand total of one website.

Yeah right.

When passkeys were rolled out, I was told it's OK because "passwords are always going to be required to be an available alternative".

Now we've moved the goalposts to "it's just one website".

>Sometimes the new thing really is just better.

And sometimes your backpack is stolen when you're traveling, with your phone and laptop (happened to me in Poland), and you need to log into your accounts while having none of your devices or your phone number available.

Pray tell then what.
2 comments
stouset 48 days ago
What if I told you I was not one of the people saying that? You can’t take two different people with two different opinions and say “Look! You’ve moved the goalposts!”

If passkeys are significantly better, passwords will gradually stop existing. If passwords are, passkeys probably won’t catch on.

> And sometimes your backpack is stolen when you're traveling, with your phone and laptop (happened to me in Poland), and you need to log into your accounts while having none of your devices or your phone number available.

I personally keep a separate YubiKey that—along with a memorized password—is sufficient for me to retrieve my password manager database and unlock it. If this is a sufficiently motivating use-case for you, you too can take these kinds of steps to mitigate the risk.

But since we’re playing the “what if” game, what happens if you get early onset dementia and forget your passwords? Pray tell then what?

link
alterom 48 days ago
>along with a memorized password—

So, your solution is passwords with extra steps.

Thanks but no thanks.

>I personally keep a separate YubiKey that—along with a memorized password—is sufficient for me to retrieve my password manager database and unlock it.

So, basically, having to create and maintain a backup device to keep separately from my laptop/phone in case they get stolen, make sure I don't lose it, but carry it with me everywhere like a crucifix.

That, and still having to remember and use a password, because otherwise the thieves get control of everything once they steal my device.

Sure. That's not objectively better than passwords which don't require this sort of hassle.

At the very least because it still requires a password.

>you too can take these kinds of steps to mitigate the risk.

OK. I can. I don't want to have to do these kind of steps, or any other dance to mitigate the real risks that passwords already protect me from.

Passkeys mitigate risks which I don't run into (”what if someone learns my password?”), while introducing others.

They are a convenience for people who run the system because they off-load those risks onto users.

>But since we’re playing the “what if” game

You're playing games with contrived hypotheticals.

I've had my laptop, phone, and wallet stolen on an overseas trip.

>what happens if you [...] forget your passwords?

I click the "forgot your password?" link which every website that uses passwords has.

Having a notebook in a vault with passwords also solves this problem.

I don't get a sudden onset of dementia which causes amnesia when I travel.

But I've lost my devices and had them stolen from me overseas.

It was a big enough hassle even though I did have the passwords.

link
jazzyjackson 46 days ago
If a website only supports one passkey on one device, it's a shitty implementation. To be fair many websites have shitty implementations, so I ended up using my yubikeys to store the secret for OTP codes.

Having only one device that has authority to log into your accounts is obviously not a good security model.

link