←back to thread

Passkeys and Modern Authentication

(lucumr.pocoo.org)
184 points Bogdanp | 1 comments | 02 Sep 25 13:47 UTC | HN request time: 0.205s | source
Show context
AnotherGoodName ◴[02 Sep 25 17:01 UTC] No.45105818[source]
> there is effectively no way to export private keys between authentication password managers

No exporting really is a feature. Otherwise people would be tricked into giving away passkeys much like they are with passwords today.

You can always register multiple passkeys with providers though. Already have a passkey with google but want another one via a different password/account manager? Just go into settings on google and add it! This is effectively how you’re meant to move passkeys around. Create a new and register that with the same services as the old one.

The real hassle right now is remembering all the services you attached your current passkey to so you can register a new passkey with them and it’d be nice if there was something similar to ninite installer for passkey registration. But still it's not a huge blocker. You can absolutely use multiple passkeys and login with any one of them.

replies(5): >>45106185 #>>45106728 #>>45106815 #>>45107755 #>>45108712 #
AlexandrB ◴[02 Sep 25 17:59 UTC] No.45106728[source]
> Otherwise people would be tricked into giving away passkeys much like they are with passwords today.

Is this really a common attack vector vs. a company leaking their whole customer database and a bunch of password being revealed that way?

replies(2): >>45106785 #>>45117555 #
1. NoGravitas ◴[03 Sep 25 16:18 UTC] No.45117555[source]
Not yet. It's a more complex variation on phishing, but not complex enough that it wouldn't happen if scammers needed it to.