184 points Bogdanp | 7 comments
AnotherGoodName ◴[] No.45105818[source]
> there is effectively no way to export private keys between authentication password managers

No exporting really is a feature. Otherwise people would be tricked into giving away passkeys much like they are with passwords today.

You can always register multiple passkeys with providers though. Already have a passkey with Google but want another one via a different password/account manager? Just go into settings on Google and add it! This is effectively how you’re meant to move passkeys around. Create a new one and register that with the same services as the old one.

The real hassle right now is remembering all the services you attached your current passkey to so you can register a new passkey with them, and it’d be nice if there was something similar to the Ninite installer for passkey registration. But still, it's not a huge blocker. You can absolutely use multiple passkeys and log in with any one of them.

replies(5): >>45106185 #>>45106728 #>>45106815 #>>45107755 #>>45108712 #
jazzyjackson ◴[] No.45106185[source]
Just made the same comment, weird that it's an unpopular opinion. Chalk it up to a UX issue around user expectations.
replies(1): >>45107060 #
AlexandrB ◴[] No.45107060[source]
It's not just that. There's a huge lack of trust with the tech industry. I don't think anyone trusts tech companies to act in the user's best interests with this kind of restriction instead of using it to drive more platform or service lock-in.
replies(1): >>45108681 #
palata ◴[] No.45108681{3}[source]
I get the lack of trust with TooBigTech, but I personally use passkeys with security keys (Yubikeys). WebAuthn is just a bunch of protocols that can run independently from TooBigTech.
replies(1): >>45109343 #
1. recursive ◴[] No.45109343{4}[source]
It's hard for more people to verify whether this is actually independent from big tech. With a password, you can write it on a piece of paper. You can then type it back in. If any character doesn't match, it doesn't work. This seems like a trustworthy demonstration that it is actually independent. Passkeys have too much magic to understand in this way.
replies(1): >>45110495 #
2. palata ◴[] No.45110495[source]
But passwords are hell for most people: they never remember them, for some reason (I don't understand it either) they really don't want to use a password manager, and they get phished.

Passkeys mean that most people can just use FaceID or their fingerprint everywhere and they are happy. They are happy to be locked in if it just works.

For those of us who don't want to be locked in, we still have the possibility to not be locked in because we understand how it works.

I don't think we can do better: try to explain to normies how they should enjoy using a CLI and see how they react.

replies(1): >>45111108 #
3. const_cast ◴[] No.45111108[source]
> Passkeys mean that most people can just use FaceID or their fingerprint everywhere and they are happy. They are happy to be locked in if it just works.

Yeah, because people are stupid.

Heading towards a future where you need to use government-approved devices which are tied to your real identity to access the internet is a recipe for disaster.

replies(2): >>45112159 #>>45113389 #
4. recursive ◴[] No.45112159{3}[source]
I'm stupid. I don't think passkeys actually just work. What if I get a new phone? I don't know the answer to that. I do know how to install my password manager on a new phone. Last time I got a new phone, all my 2FA authenticator codes stopped working. I switched them all to SMS.
5. palata ◴[] No.45113389{3}[source]
> Heading towards a future where you need to use government-approved devices which are tied to your real identity to access the internet is a recipe for disaster.

That's unrelated to passkeys. When you use your credit card to pay online, it's tied to your real identity. Many countries have let people do a lot of official stuff online (like taxes) since long before passkeys.

replies(1): >>45115304 #
6. const_cast ◴[] No.45115304{4}[source]
No, it's very much related, although not guaranteed.

The reality is that many passkey implementations right now come with attestation and are closed off. That's simply not possible with passwords.

Passwords, as a concept, just can't be abused in that way. Because they're just strings of text. Passkeys, however, CAN be - and we're already seeing that happen.

It could reverse course, but then it would need to reverse course and stay reversed. Forever. Even though there's lots of money and control being left on the table.

That's a big problem.

replies(1): >>45116047 #
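Worked example added here, not code from the thread or from any passkey vendor: the relying-party side of a WebAuthn registration in Python, covering two points raised above. It parses authenticatorData into rpIdHash, flags, signCount, AAGUID, credentialId and the COSE public key, lets one account hold several passkeys so that any of them logs the user in (AnotherGoodName's point), and shows the single policy knob, an AAGUID allowlist that demands a non-"none" attestation format, that turns the open protocol into the closed-off one const_cast describes. The AAGUID, credential IDs, COSE key bytes, policy object and account store are constructed for illustration and are not real products; a real RP would also CBOR-decode the attestation object and verify the attStmt signature, which this omits.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN, fingerprint, FaceID ...)
FLAG_AT = 0x40  # attested credential data present (registration)
FLAG_ED = 0x80  # extension data present


@dataclass
class Credential:
    credential_id: bytes
    aaguid: bytes           # authenticator model id; all zeros when not attested
    cose_public_key: bytes  # COSE_Key, kept opaque here
    sign_count: int


@dataclass
class RegistrationPolicy:
    rp_id: str
    require_user_verification: bool = True
    # None: accept any authenticator, including attestation format "none".
    # A set: accept only authenticators whose attested AAGUID is listed.
    allowed_aaguids: Optional[Set[bytes]] = None


def parse_authenticator_data(auth_data: bytes):
    """Split WebAuthn authenticatorData into its fields (extensions not handled)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    if not flags & FLAG_AT:
        raise ValueError("no attested credential data in registration response")
    if flags & FLAG_ED:
        raise ValueError("extension data not handled in this example")
    aaguid = auth_data[37:53]
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    cred_id = auth_data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("truncated credentialId")
    cose_key = auth_data[55 + cred_len:]  # last field when ED is clear
    if not cose_key:
        raise ValueError("missing credentialPublicKey")
    return rp_id_hash, flags, sign_count, aaguid, cred_id, cose_key


def verify_registration(auth_data: bytes, fmt: str, policy: RegistrationPolicy) -> Credential:
    """RP-side acceptance check; fmt is the attestation statement format ("none", "packed", ...)."""
    rp_id_hash, flags, sign_count, aaguid, cred_id, cose_key = parse_authenticator_data(auth_data)
    if rp_id_hash != hashlib.sha256(policy.rp_id.encode()).digest():
        raise ValueError("rpIdHash belongs to a different relying party")
    if not flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if policy.require_user_verification and not flags & FLAG_UV:
        raise ValueError("user verification required but not performed")
    if policy.allowed_aaguids is not None:
        # The lock-in branch: requires a signed attestation (fmt != "none") from a
        # model the RP chose to trust. Signature checking of attStmt is omitted here.
        if fmt == "none" or aaguid not in policy.allowed_aaguids:
            raise ValueError("authenticator model not on the attestation allowlist")
    return Credential(cred_id, aaguid, cose_key, sign_count)


def register(store: Dict[str, Dict[bytes, Credential]], user: str, cred: Credential) -> int:
    """Attach another passkey to an account; returns how many it now has."""
    creds = store.setdefault(user, {})
    creds[cred.credential_id] = cred
    return len(creds)


def credential_for_login(store, user: str, credential_id: bytes) -> Optional[Credential]:
    """Any one of the registered passkeys is enough to authenticate."""
    return store.get(user, {}).get(credential_id)


def build_auth_data(rp_id: str, flags: int, sign_count: int, aaguid: bytes,
                    cred_id: bytes, cose_key: bytes) -> bytes:
    """Assemble authenticatorData as an authenticator would (used to construct samples)."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", sign_count) + aaguid
            + struct.pack(">H", len(cred_id)) + cred_id + cose_key)


# Constructed samples: a COSE EC2/P-256 key skeleton with dummy coordinates
# (not a valid curve point) and a made-up AAGUID for a hypothetical hardware key.
COSE_KEY_DEMO = (bytes.fromhex("a5010203262001215820") + b"\x11" * 32
                 + bytes.fromhex("225820") + b"\x22" * 32)
HYPOTHETICAL_KEY_AAGUID = bytes.fromhex("0123456789abcdef0123456789abcdef")
ZERO_AAGUID = bytes(16)  # what attestation format "none" normally carries


def demo() -> dict:
    rp, flags = "example.com", FLAG_UP | FLAG_UV | FLAG_AT
    phone = build_auth_data(rp, flags, 0, ZERO_AAGUID, b"phone-passkey-01", COSE_KEY_DEMO)
    hw_key = build_auth_data(rp, flags, 7, HYPOTHETICAL_KEY_AAGUID, b"hw-key-passkey-02", COSE_KEY_DEMO)
    store: Dict[str, Dict[bytes, Credential]] = {}
    open_policy = RegistrationPolicy(rp_id=rp)
    register(store, "alice", verify_registration(phone, "none", open_policy))
    count = register(store, "alice", verify_registration(hw_key, "packed", open_policy))
    locked_policy = RegistrationPolicy(rp_id=rp, allowed_aaguids={HYPOTHETICAL_KEY_AAGUID})
    try:
        verify_registration(phone, "none", locked_policy)
        phone_rejected = False
    except ValueError:
        phone_rejected = True
    return {
        "alice_passkeys": count,
        "login_with_either": all(credential_for_login(store, "alice", cid) is not None
                                 for cid in (b"phone-passkey-01", b"hw-key-passkey-02")),
        "locked_policy_rejects_phone": phone_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The protocol itself is the same in both runs; only `allowed_aaguids` changes. With it unset, a phone passkey sent with attestation "none" and a hardware key with "packed" attestation both land on the same account and either one authenticates. With it set, the same phone registration is refused purely on the authenticator's identity, which is the mechanism the disagreement above is about.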
7. palata ◴[] No.45116047{5}[source]
> That's simply not possible with passwords. Passwords, as a concept, just can't be abused in that way.

Well, not with only the password, but with the mandatory 2FA app that comes with it, it's definitely possible. Source: my company does that.

And you can most definitely request the real ID before you let someone create an account, password or passkey.

I don't see a difference.