Hacker News new | ask | show | jobs
by vel0city 3 hours ago
"Dang, this site isn't working right with the password manager's detection. Guess I just gotta paste the password in again..."

Meanwhile U2F/Passkeys can't possibly be abused like this.
2 comments
tjoff 3 hours ago
Yeah but the downsides of passkeys make them so much worse anyway.
link
jcattle 3 hours ago
Pretty happy with having a yubikey on my keychain. Log in someplace new? plonk in your yubikey and off you go!
link
AlotOfReading 2 hours ago
I used to keep a yubikey in a spare slot on my laptop. One day it fell out and subsequently escaped through an unnoticed hole in my backpack.

I've never lost a password because my backpack was overly abused.

link
brendoelfrendo 2 hours ago
That's why you keep it on your keychain and not in a spare slot on your laptop.
link
AlotOfReading 1 hour ago
It's not possible to put a 5c nano on a keychain. They're intended to be kept in the slot at all times.
link
someguyiguess 2 hours ago
And when your keychain gets lost then what?
link
jcattle 2 hours ago
Then I have a backup yubikey at home for services which allow to register two keys. For other's there's still good old password+some second factor.
link
vel0city 1 hour ago
Then I use the authenticator built into my phone. Or the authenticator built into my desktop. Or the authenticator built into my laptop. Or my other authenticator.

My phone was destroyed not too long ago. I had been using it for passkeys. Oh no, all those passkeys were gone. No problem, when I got my new phone I just used the authenticator on my keyring to get back into my accounts. If my keyring authenticator got lost I'd just buy a new authenticator eventually and add it to my accounts.

link
brendoelfrendo 2 hours ago
I open the safe where I keep my spare Yubikey. Or I use the passkey stored in my phone, or the one on my laptop. Make passkeys, put them everywhere.
link
bonoboTP 3 hours ago
Exactly. All these ideals work in theory but then in reality banks are also incompetent and will use all kinds of domains.

Same with meta and Google where they often direct you to domains that aren't under their main one and it's actually legit, but there's no way to know. It's impossible to teach family members to pay attention if it's really that domain because it's often legit not that domain.

link