Ask HN: How to secure your passkeys to survive lost / stolen devices?

2 pointsrreyes19792y ago4 comments

Cellphones and USB keys can get lost / stolen. What's your recommendation on how to handle Passkeys to avoid losing control of your digital life if any / all of your devices get lost?

4 comments

solardev2y ago

1Password, Apple, and maybe Chrome can sync them into the cloud so they become device-independent. Under such an implementation they're basically like a cloud password manager but instead of filling in a password for you, they just send the token.

I use the 1Password one and it's super convenient on several devices. Probably less secure than real 2fa or proper hardware encryption though. Basically replaces "something you know and something you have/are" with "something only they know".

rreyes1979OP2y ago

Real question: If we trust them with this information, are Passkeys any better than regular passwords? If so, why and how?

solardev2y ago

(Security isn't my specialization, so somebody please correct me if I'm wrong).

My understanding is that two APIs talking to each other and exchanging one time tokens is better than the same APIs exchanging passwords. Passwords are susceptible to phishing attacks, rainbow tables, dumb password requirement policies, and also just basic fuckups like transmitting in clear text or not hashing and salting it.

Compared to time based software OTPs that 1Password also did, I don't see any security improvements there. But the user experience is better (one click instead of multiple).

Compared to gold standard 2fa (something you know AND something you are or have), I think passkeys are actually a downgrade. They wouldn't be if you used your hardware secure enclave as your key storage, but you can't do that if you want the convenience of cloud sync, so we're back to square one.

All in all it seems to me that passkeys primarily offer better convenience with good enough, not optimal, security. Which is probably the right balance IMO.

eimrine2y ago

"Just use passwords" seems too web1-ish I suppose. Having a decent mnemonic solves the problem completely though.

j / k navigate · click thread line to collapse

4 comments

solardev2y ago

rreyes1979OP2y ago

Real question: If we trust them with this information, are Passkeys any better than regular passwords? If so, why and how?

solardev2y ago

(Security isn't my specialization, so somebody please correct me if I'm wrong).

Compared to time based software OTPs that 1Password also did, I don't see any security improvements there. But the user experience is better (one click instead of multiple).

All in all it seems to me that passkeys primarily offer better convenience with good enough, not optimal, security. Which is probably the right balance IMO.

eimrine2y ago

"Just use passwords" seems too web1-ish I suppose. Having a decent mnemonic solves the problem completely though.

j / k navigate · click thread line to collapse