by 8n4vidtmkvmk 7 days ago
I thought the same for a long time but now I don't know. If your computer is compromised, they can exfiltrate your password, but with a hardware key they can't, so I think that's legitimately more secure than password+OTP. It still needs a PIN though to protect against device theft. I bring this up because there's been a ton of compromised developer packages recently and Windows itself is being attacked, so even if you're pretty good about protecting yourself, you still might get screwed.

If your computer is compromised, the attacker can just as easily read your email.

OTP can be used with a password.

Uh huh? That's why I specifically said hardware key. Like a Yubikey. You can't digitally steal that.
That doesn't address anything. If your device is compromised they do not need your hardware key because they can just read all mails on device or steal login/session cookies for accounts and bypass authentication.

Passkey is still inferior to U2F + password anyways.