←back to thread

225 points Terretta | 4 comments | | HN request time: 0s | source
Show context
karlkloss ◴[] No.41867156[source]
If they can be moved, they can be stolen. This'll boost acceptance, but also open a can of worms.
replies(3): >>41867234 #>>41867321 #>>41871670 #
reshlo ◴[] No.41867321[source]
Passkeys are terrifying, and I don’t understand why the companies pushing them are doing so. What are their motives? What do they gain from catastrophically increasing the risk that users completely lose access to our ability to conduct our lives?

If someone steals my phone today, I can still access most of my accounts, and can regain access quickly to the others.

Now let’s assume passkeys are ubiquitous and used to log in to every website.

If they can’t be exported, then your entire digital existence is at the mercy of whatever device or technology platform you use to store your passkeys. If you lose access to the platform, you also permanently lose access to every single account you’ve ever signed up for. For me, that would include losing access to my retirement savings, tax records, and the ability to communicate with many of my friends, to give a few examples.

My computer also doesn’t have Bluetooth, which means I can no longer log in to any websites on it even when I do have access to my passkeys.

replies(2): >>41867346 #>>41867814 #
Hypnosis6173 ◴[] No.41867346[source]
I mean, isn't the idea from them that you have 2 or more of them?

Shure not everybody does that and some sites don't really support that but thinking about this concept of having "physical key s" to your data makes a lot of sense to me.

Don't know how this change will affect my trust in the concept

replies(4): >>41867365 #>>41867397 #>>41875149 #>>41879634 #
afiori ◴[] No.41867397[source]
As any kind of key you need to be able to replace them after you lose them (think of a flood or a house fire) so either:

1. You accept a non-trivial risk to be locked out forever of what you used those keys for 2. You still have a password login to revoke/create keys 3. You invest in enough redundacy to never lose all of your keys

IMHO only 2. is viable and then keys are just a different implementation of a password manager.

replies(2): >>41867489 #>>41869193 #
1. jesseendahl ◴[] No.41869193[source]
Account recovery flows are generally entirely unaffected by the move from password to passkey.

It’s just your login credential.

If you lose either a password or a passkey, you do the same thing: reset and set a new one via email recovery.

replies(1): >>41872455 #
2. reshlo ◴[] No.41872455[source]
Isn’t the whole point of a passkey that it’s meant to use a chain of trust to prove that you’re you via biometrics or a physical factor? I’ve read that they’re intended to remove the need for 2-factor authentication because they are both factors, which implies you shouldn’t be allowed to reset them.

Resetting 2-factor authentication by proving access to only one factor (email) defeats the purpose of requiring 2 factors. If they can be reset via email, they might as well not exist at all. Even if we assume that nobody other than the user has legitimate access to the emails sent to the user (which is often untrue), emails can be trivially intercepted by a third party.

Not to mention that if I’ve lost access to the device where I am signed in to my email account, I won’t be able to access my email account to reset my passkeys anyway, because access to my email account would also require a passkey that I no longer have.

replies(1): >>41882354 #
3. jesseendahl ◴[] No.41882354[source]
> Isn’t the whole point of a passkey that it’s meant to use a chain of trust to prove that you’re you via biometrics or a physical factor?

No actually! The biometric auth is more of a “liveness check” than anything else.

The point of passkeys is to replace the primary factor — the password — with a new primary factor that isn’t fundamentally “broken” in the ways passwords are. Password hashes can be stolen from servers, users frequently reuse them across different services, they are frequently very weak, and they are phishable. In contrast passkeys are guaranteed to be strong, unique, and there is nothing worth stealing from servers for attackers (only a public key).

replies(1): >>41886202 #
4. reshlo ◴[] No.41886202{3}[source]
Many websites are using passkeys not as a primary factor, but as the second factor, or as both factors. That implies that they are meant to serve as some combination of “something you are” and “something you have”. The fact that you logged in with one by using biometrics proves both that you are you and that you have your phone. They’re certainly not “something you know” because they are designed specifically so that you are not allowed to know them.

Allowing both “something you are” and “something you have” to be reset simultaneously via proof only of “something you know” (the password to your email account) means that once that reset happens, you’ve gone from two or three factors to one factor.

Allowing passkeys to be reset by email is not compatible with using them as anything other than the primary factor. If you’re using them as both factors, you’d get equivalent security if you implemented sign-in via only magic links. If you’re using them as the second factor along with a password, but you allow them to be reset via email, you actually only have one factor.