184 points Bogdanp | 6 comments
AnotherGoodName No.45105818
> there is effectively no way to export private keys between authentication password managers

No exporting really is a feature. Otherwise people would be tricked into giving away passkeys much like they are with passwords today.

You can always register multiple passkeys with providers though. Already have a passkey with Google but want another one via a different password/account manager? Just go into settings on Google and add it! This is effectively how you’re meant to move passkeys around. Create a new one and register that with the same services as the old one.

The real hassle right now is remembering all the services you attached your current passkey to so you can register a new passkey with them and it’d be nice if there was something similar to ninite installer for passkey registration. But still it's not a huge blocker. You can absolutely use multiple passkeys and login with any one of them.

replies(5): >>45106185, >>45106728, >>45106815, >>45107755, >>45108712
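The "register a second passkey instead of exporting the first" model described in the comment above, as an added example that is not part of the original thread. The relying-party side stores one public key per registered authenticator and accepts an assertion signed by any of them; the authenticator type deliberately has no accessor for its private key, so the only thing that ever leaves it is a signature. The two authenticators stand in for two password managers; the challenge/signature flow is a simplified stand-in for the WebAuthn assertion (no authenticatorData, RP ID or clientData here), and the type and function names are assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models one passkey provider (e.g. a password manager).
// The private key is unexported and nothing returns it: the only way the
// key is ever used is to produce a signature. (Example type, not a real API.)
type Authenticator struct {
	name string
	priv *ecdsa.PrivateKey
}

// NewAuthenticator creates a fresh P-256 key pair, as a new passkey would.
func NewAuthenticator(name string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{name: name, priv: priv}, nil
}

// PublicKey is the only material shared with the relying party at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign answers the relying party's challenge (simplified stand-in for the
// WebAuthn assertion signature over authenticatorData || clientDataHash).
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, h[:])
}

// Account is the relying party's record: one user, many credentials,
// keyed here by the authenticator's display name for readability.
type Account struct {
	User        string
	Credentials map[string]*ecdsa.PublicKey
}

func NewAccount(user string) *Account {
	return &Account{User: user, Credentials: map[string]*ecdsa.PublicKey{}}
}

// Register adds another passkey to the account: the "go into settings and
// add it" step. No private key changes hands.
func (acc *Account) Register(name string, pub *ecdsa.PublicKey) {
	acc.Credentials[name] = pub
}

// Revoke drops a credential, e.g. when retiring the old password manager.
func (acc *Account) Revoke(name string) { delete(acc.Credentials, name) }

// Verify accepts the assertion if ANY registered credential validates it and
// reports which one did. Only the matching public key will verify an ECDSA
// signature, so map iteration order does not affect the result.
func (acc *Account) Verify(challenge, sig []byte) (string, error) {
	h := sha256.Sum256(challenge)
	for name, pub := range acc.Credentials {
		if ecdsa.VerifyASN1(pub, h[:], sig) {
			return name, nil
		}
	}
	return "", errors.New("no registered passkey signed this assertion")
}

// NewChallenge returns 32 random bytes; the RP issues a fresh one per login.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

func main() {
	oldMgr, _ := NewAuthenticator("old-manager")
	newMgr, _ := NewAuthenticator("new-manager")
	acc := NewAccount("alice")
	acc.Register("old-manager", oldMgr.PublicKey())
	acc.Register("new-manager", newMgr.PublicKey()) // migration: add, don't export

	for _, auth := range []*Authenticator{oldMgr, newMgr} {
		ch, _ := NewChallenge()
		sig, _ := auth.Sign(ch)
		who, err := acc.Verify(ch, sig)
		fmt.Printf("login via %s: %q, err=%v\n", auth.name, who, err)
	}
	acc.Revoke("old-manager") // once every service has the new passkey
	ch, _ := NewChallenge()
	sig, _ := oldMgr.Sign(ch)
	_, err := acc.Verify(ch, sig)
	fmt.Println("old manager after revoke:", err)
}
```

The hassle the comment mentions is visible in the structure: `Register` is per account, so migrating means repeating it at every relying party, but at no point does a private key cross a trust boundary, which is the property that makes there be nothing for a phisher to ask for.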
1. AlexandrB No.45106728
> Otherwise people would be tricked into giving away passkeys much like they are with passwords today.

Is this really a common attack vector vs. a company leaking their whole customer database and a bunch of passwords being revealed that way?

replies(2): >>45106785, >>45117555
2. habinero No.45106785
Yes, it's called phishing.
replies(1): >>45107031
3. AlexandrB No.45107031
Phishing is different (from the user's POV) than exporting a password and "giving it away". I don't see how phishing would be applicable to passkey exports.
replies(1): >>45108635
4. palata No.45108635
> Phishing is different

Nope, it's exactly that: tricking people into believing that they are exporting their passkey securely where actually they are sharing it with the attacker.

> I don't see how phishing would be applicable to passkey exports.

Phishing is applicable to everything humans can do: if you can ask a human to do it, you can phish a human to do it.

replies(1): >>45110185
5. jesseendahl No.45110185
Not sure why this is being downvoted. This user (palata) is correct — phishing is any attempt by an attacker to trick a user into giving up sensitive information.

For anyone who is confused:

https://www.cloudflare.com/learning/access-management/phishi...

6. NoGravitas No.45117555
Not yet. It's a more complex variation on phishing, but not complex enough that it wouldn't happen if scammers needed it to.