←back to thread

Passkeys and Modern Authentication

(lucumr.pocoo.org)
184 points Bogdanp | 1 comments | 02 Sep 25 13:47 UTC | HN request time: 0s | source
Show context
juancn ◴[02 Sep 25 17:27 UTC] No.45106230[source]

    Signing into my accounts on my children’s devices has turned from a straightforward process to an incredibly frustrating experience. I find myself juggling all kinds of different apps and flows.
This strikes home for me, I'm the main gatekeeper of passwords and service accounts in my home. 2FA and passkeys are so annoying to juggle.

My kids use prepaid numbers, once I changed one and forgot to tell Apple, when I realized that I needed the old number later, it took me a month at least to get it back.

I really like passwords, the security risks are well known and really easy to handle compared to 2FA and all that crap, specially when 99% of your accounts are not sensitive enough to merit anything fancy.

replies(5): >>45106514 #>>45106530 #>>45107602 #>>45108644 #>>45112401 #
ajsnigrutin ◴[02 Sep 25 19:05 UTC] No.45107602[source]
Passwords + OTP (stored in keepass or somewhere) is the win for me.

Everything else is a security theatre and an UX pain.

replies(3): >>45108108 #>>45109965 #>>45112987 #
anon7000 ◴[03 Sep 25 06:56 UTC] No.45112987[source]
Passkeys is not security theatre, and also not a UX pain if you use a password manager. Turns out it’s nice to have a standardized API for submitting a credential to a website rather than relying on browser extensions to hopefully guess the input field is for a password. (Not to mention the multitude of sites that don’t properly handle text being autofilled)
replies(2): >>45113860 #>>45116908 #
1. NoGravitas ◴[03 Sep 25 15:26 UTC] No.45116908{3}[source]
There are exactly three nice things about passkeys.

1. It forces the use of keys with a reasonable amount of entropy, and the use of a password manager to access them. 2. They will not make it easy to use a key with the wrong site (also true of a good password manager). 3. Uses public/private keypair so key itself is never sent over the wire (even encrypted).

The real question is whether these properties are worth all the costs (enumerated in this article).