
186 points Bogdanp | 1 comments
dan-robertson ◴[] No.45106484[source]
What do security professionals think about passkeys? In particular, those who were not involved in designing them. Lots of the arguments in this article feel very much like the sort of thing one would expect from someone into open source (not saying they are wrong, and I think they are well explained here) but I feel they will inevitably be the product of different concerns than those a security practitioner might have.
arccy ◴[] No.45108792[source]
Pretty much everyone likes them? Nobody likes passwords, especially passwords by users. Passkeys essentially force the users to have some sort of password manager, whether third party, or OS / browser integrated. Plus they're unphishable in normal use.

They're technically weaker than password + hardware key but stronger than anything else, including password + TOTP. Google Advanced Protection still wants you to have a hardware key for your account.

jesseendahl ◴[] No.45110128[source]
Google's Advanced Protection Program supports both passkeys and security keys.
1. arccy ◴[] No.45132239[source]
I guess they lowered requirements recently, now you can even do "1 passkey or security key, and recovery options, like a recovery phone and email".