
184 points Bogdanp | 9 comments
1. seany ◴[] No.45106027[source]
Exporting passkeys is the single required feature for me to start using them more. The "anti phishing" push has really gotten a little too crazy. It seems mostly related to our legal inability to push security responsibility onto consumers.
replies(4): >>45106104 #>>45106144 #>>45106767 #>>45108849 #
2. EbNar ◴[] No.45106104[source]
>Exporting passkeys is the single required feature for me to start using them more.

Ditto

3. jazzyjackson ◴[] No.45106144[source]
Given that you don't strictly need to have one passkey per site, is this desire to move passkeys around a holdover from wanting to "export" your passwords? Because if you can export them, an exploit can too. I find passkeys rather more interesting when they cannot be exported from an HSM / key enclave / yubikey, but of course I need to be able to register multiple yubikeys per site, and a few of my accounts didn't allow for this so I ended up using my yubikey for TOTP since I can have the same seed on multiple devices.
replies(3): >>45106498 #>>45106736 #>>45107969 #
4. tuckerman ◴[] No.45106498[source]
Export is a good check against lock-in. I just went through my password manager and I have 60 passkeys. It would be a huge pain if I have to switch to a different password manager and there isn't export/import.
5. recursive ◴[] No.45106736[source]
You should be allowed to keep your passkeys in such an enclave. But there seems to be no alternative. I'm in the same boat as the GP. I'm not touching passkeys unless and until I can export them into a file I can get my grubby hands on. I'm guessing that's never happening. Not sure what one-passkey-per-site has to do with it.
6. habinero ◴[] No.45106767[source]
Nothing to do with legal responsibility and it's not about only consumers.

I have 50 terabytes of data breaches on a NAS with lots of plain text or badly encrypted passwords, and that's just a small subset of what's out there.

7. mgulick ◴[] No.45107969[source]
My KeePass database has around 400 different entries in it. If I needed to transfer to a new password manager, it's not feasible to go around to 400 different sites to register new passkeys. In case one might say the answer to that is OAuth, I'm also not interested in putting my faith in Google/Microsoft/Apple being benevolent arbiters of my ability to access my accounts.
replies(1): >>45112356 #
8. palata ◴[] No.45108849[source]
There are two kinds of passkeys: the ones you can sync (i.e. export) and the ones you can't. The ones you can't sync are typically security keys, and there it's a feature.

So yeah, you can have whichever you want, nothing prevents it!
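
An added example, not part of any comment in this thread: the syncable versus device-bound distinction discussed above is visible to a relying party in the WebAuthn authenticator data, through the Backup Eligibility (BE) and Backup State (BS) flag bits. The function names and the sample bytes below are constructed for illustration.

```javascript
// WebAuthn authenticator data layout:
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | optional data
// Flag bits: UP=bit 0, UV=bit 2, BE=bit 3, BS=bit 4, AT=bit 6, ED=bit 7.
const FLAG = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

// Hypothetical helper: parse the fixed 37-byte header of authenticator data.
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data must be a Uint8Array of at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const parsed = {
    rpIdHash: bytes.slice(0, 32),
    signCount: view.getUint32(33, false), // big-endian
    userPresent: (flags & FLAG.UP) !== 0,
    userVerified: (flags & FLAG.UV) !== 0,
    backupEligible: (flags & FLAG.BE) !== 0,
    backedUp: (flags & FLAG.BS) !== 0,
  };
  // The spec requires rejecting BS=1 when BE=0: a credential that is not
  // eligible for backup cannot claim to be backed up.
  if (parsed.backedUp && !parsed.backupEligible) {
    throw new Error("invalid flags: BS set without BE");
  }
  return parsed;
}

// Hypothetical helper: map the flags onto the two kinds of passkey.
function classifyCredential(parsed) {
  if (!parsed.backupEligible) return "device-bound";
  return parsed.backedUp ? "synced" : "sync-capable, not yet backed up";
}

// Constructed sample input: placeholder rpIdHash, chosen flags and counter.
function sampleAuthData(flags, signCount) {
  const out = new Uint8Array(37);
  out.fill(0xab, 0, 32); // placeholder, not a real SHA-256 of an RP ID
  out[32] = flags;
  new DataView(out.buffer).setUint32(33, signCount, false);
  return out;
}

for (const flags of [FLAG.UP | FLAG.UV, FLAG.UP | FLAG.UV | FLAG.BE | FLAG.BS]) {
  const parsed = parseAuthenticatorData(sampleAuthData(flags, 7));
  console.log(`flags=0x${flags.toString(16)} -> ${classifyCredential(parsed)}`);
}
```

A relying party that wants only hardware-bound credentials for some accounts can enforce that on the `device-bound` result at registration, and re-check the BS bit on each sign-in since it can change over a credential's lifetime.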

9. apitman ◴[] No.45112356{3}[source]
You could put your faith in LastLogin: https://lastlogin.net