184 points Bogdanp | 1 comments
bradley13 No.45106324
This. All of this. Passkeys are a great idea, but the walled gardens are a huge problem. Also, services placing additional requirements (e.g., attestations) that potentially violate your privacy and anonymity.

Just now, at least in Europe, there is a huge push to force users to authenticate themselves with their actual identity, even for ordinary Internet services. This is happening simultaneously in many countries (including non-EU countries like Switzerland). It almost has to be a coordinated effort... driven by whom? Passkeys play into this.

Call me paranoid...

replies(3): >>45106611 #>>45108899 #>>45111612 #
1oooqooq No.45111612
You're spot on. Everyone here saying "keepassX works for me" is just a frog being slowly boiled.

Passkeys are designed in a way that the attestation party is visible. Tomorrow the coordinated effort will say "too much fraud from providers other than Google and Apple, sorry" (or something about protecting kids).

replies(1): >>45113719 #
palata No.45113719
> Passkeys are designed in a way that the attestation party is visible

Are you talking about the relying party? I don't think it works the way you describe...

replies(1): >>45117033 #
NoGravitas No.45117033
I believe they mean that relying parties can use attestation to verify that the client implementation is one they choose to support.
replies(1): >>45120801 #
palata No.45120801
The thing is, it's already the case today, without passkeys. Banks routinely force you to use their own app to log in, for instance. And for those that allow you to choose your own password, I'm pretty sure they force you to use some other factor of their own. And it actually does make sense for services that do need the security.

The fight should be "now that we have good third-party authentication thanks to passkeys, you should allow us to use those that are secure enough". Not "we don't want that new technology that is superior in many situations because services could force us to use it the way they want, exactly like they already do without this technology".

"Now that I can log in using my Yubikey, please don't force me to use your MFA apps because they are provably not superior to my Yubikey".