184 points Bogdanp | 1 comments
dan-robertson No.45106484
What do security professionals think about passkeys? In particular, those who were not involved in designing them. Lots of the arguments in this article feel very much like the sort of thing one would expect from someone into open source (not saying they are wrong, and I think they are well explained here) but I feel they will inevitably be the product of different concerns than those a security practitioner might have.
1. vaylian No.45108342
I think hardware keys are the best option for passkeys, because they have a separate (physical) user interface compared to software-based keys. This makes it easier to understand the login process. You physically interact with the hardware key to confirm that you want to log in. And you can use your key for many different accounts.

The downside is of course that hardware keys are typically not cheap and you should also buy a backup key. Another unnecessary downside is that certain companies like Microsoft require the use of resident keys, which take up storage space on the hardware key. The better alternative is non-resident keys, of which you can have an infinite number on your key.