Passkeys and Modern Authentication

(lucumr.pocoo.org)

184 points Bogdanp | 2 comments | 02 Sep 25 13:47 UTC | HN request time: 0.456s | source

Show context

seany ◴[02 Sep 25 17:15 UTC] No.45106027[source]▶

Exporting passkeys is the single required feature for me to start using them more. The "anti phishing" push has really gotten a little too crazy. It seems mostly related to our legal inability to push security responsibility onto consumers.

replies(4): >>45106104 #>>45106144 #>>45106767 #>>45108849 #

jazzyjackson ◴[02 Sep 25 17:22 UTC] No.45106144[source]▶

>>45106027 #

Given that you don't strictly need to have one passkey per site, is this desire to move passkeys around a holdover from wanting to "export" your passwords? Because if you can export them, an exploit can too. I find passkeys rather more interesting when they cannot be exported from a HSM / key enclave / yubikey, but of course I need to be able to register multiple yubikeys per site, and a few of my accounts didn't allow for this so I ended up using my yubikey for TOTP since I can have the same seed on multiple devices.

replies(3): >>45106498 #>>45106736 #>>45107969 #

1. mgulick ◴[02 Sep 25 19:36 UTC] No.45107969[source]▶

>>45106144 #

My keepass database has around 400 different entries in it. If I needed to transfer to a new password manager, it's not feasible to go around to 400 different sites to register new passkeys. In case one might say the answer to that is oauth, I'm also not interested in putting my faith in Google/Microsoft/Apple being benevolent arbiters of my ability to access my accounts.

replies(1): >>45112356 #

2. apitman ◴[03 Sep 25 04:51 UTC] No.45112356[source]▶

>>45107969 (TP) #

You could put your faith in LastLogin: https://lastlogin.net

↑