undefined | Better HN

0 pointsriddley1y ago0 comments

From what I've seen they're all controlled by huge tech companies. Hard pass.

0 comments

I liked the username, password and TOTP combination. I could choose my own password manager, and TOTP generator app, based on my preferences.

I have a feeling this won't hold true forever. Microsoft has their own authenticator now, Steam has another one, Google has their "was this you?" built into the OS.

Monetization comes next? "View this ad before you login! Pay 50c to stay logged in for longer?"

AgentME1y ago

Passkeys are an open standard with multiple implementations. It represents the opposite of the trend you're worried about there.

tux31y ago

MS Azure Active Entra's FIDO2 implementation only allows a select list of vendors. You need a certification from FIDO ($,$$$), you need to have an account that can upload on the MDS metadata service, and you need to talk to MS to see if they'll consider adding you to the list

It's not completely closed, but in practice no one on that list is a small independent open source project, those are all the kind of entrenched corporate security companies you'd expect

thayne1y ago

But the way it is designed, you can require a certain provider, and you can bet at least some sites will start requiring attestation from Google and or Apple.

1 more reply

endgame1y ago

Because that worked so well for OpenID. If you're lucky, you have the choice of which BigTech account you can use.

wepple1y ago

TOTP has substantial security gaps to make it a non-starter.

Maybe a pubkey system where you choose your own client would be what you’re looking for?

pabs31y ago

TLS Client Certs (aka mTLS) is an option for that, but the browser UI stuff for it is terrible and getting worse.

1 more reply

LoganDark1y ago

> Google has their "was this you?" built into the OS.

Not only that, but it's completely impossible to disable or remove that functionality or even make TOTP the primary option. Every single time I try to sign in, Google prompts my phone first, giving me a useless notification for later, and I have to manually click a couple of buttons to say "no I am not getting up to grab my phone and unlock it for this bullshit, let me enter my TOTP code". Every single time.

AgentME1y ago

I don't understand this criticism. What is being controlled? Passkeys are an open standard that a browser can implement with public key crypto.

ndriscoll1y ago

Doesn't passkeys give the service a signature to prove what type of hardware device you're using? e.g. it provides a way for the server to check whether you are using a software implementation? It's not really open if it essentially has type of DRM built in.

LoganDark1y ago

You're thinking of hardware-backed attestation, which provides a hardware root of trust. I believe passkeys are just challenge-response (using public key cryptography). You could probably add some sort of root of trust (for example, have the public key signed by the HSM that generated it) but that would be entirely additional to the passkey itself.

1 more reply

pabs31y ago

KeepassXC is working on supporting them natively in software, so you would not need to trust big tech companies, unless you are logging into a service that requires attestation to be enabled.

SahAssar1y ago

Password managers are adding support (as in they control the keys) and I've used my yubikeys as "passkeys" (with the difference that I can't autofill the username).

It's a good spec. I wish more people who spread FUD about it being a "tech-giant" only thing would instead focus on the productive things like demanding proper import/export between providers.

LtWorf1y ago

You realise that the second your password manager has it, then it's no longer MFA but it's just 1 factor authentication with extra steps right?

Password manager turns something you know into something you own. If also the something you own is in the password manager itself… it's the same as requiring extra long passwords.

pabs31y ago

They also require JavaScript to work unfortunately.

j / k navigate · click thread line to collapse

0 comments

doubled1121y ago

I liked the username, password and TOTP combination. I could choose my own password manager, and TOTP generator app, based on my preferences.

I have a feeling this won't hold true forever. Microsoft has their own authenticator now, Steam has another one, Google has their "was this you?" built into the OS.

Monetization comes next? "View this ad before you login! Pay 50c to stay logged in for longer?"

AgentME1y ago

Passkeys are an open standard with multiple implementations. It represents the opposite of the trend you're worried about there.

tux31y ago

It's not completely closed, but in practice no one on that list is a small independent open source project, those are all the kind of entrenched corporate security companies you'd expect

thayne1y ago

But the way it is designed, you can require a certain provider, and you can bet at least some sites will start requiring attestation from Google and or Apple.

1 more reply

endgame1y ago

Because that worked so well for OpenID. If you're lucky, you have the choice of which BigTech account you can use.

wepple1y ago

TOTP has substantial security gaps to make it a non-starter.

Maybe a pubkey system where you choose your own client would be what you’re looking for?

pabs31y ago

TLS Client Certs (aka mTLS) is an option for that, but the browser UI stuff for it is terrible and getting worse.

1 more reply

LoganDark1y ago

> Google has their "was this you?" built into the OS.

AgentME1y ago

I don't understand this criticism. What is being controlled? Passkeys are an open standard that a browser can implement with public key crypto.

ndriscoll1y ago

LoganDark1y ago

1 more reply

pabs31y ago

KeepassXC is working on supporting them natively in software, so you would not need to trust big tech companies, unless you are logging into a service that requires attestation to be enabled.

SahAssar1y ago

Password managers are adding support (as in they control the keys) and I've used my yubikeys as "passkeys" (with the difference that I can't autofill the username).

It's a good spec. I wish more people who spread FUD about it being a "tech-giant" only thing would instead focus on the productive things like demanding proper import/export between providers.

LtWorf1y ago

You realise that the second your password manager has it, then it's no longer MFA but it's just 1 factor authentication with extra steps right?

Password manager turns something you know into something you own. If also the something you own is in the password manager itself… it's the same as requiring extra long passwords.

pabs31y ago

They also require JavaScript to work unfortunately.

j / k navigate · click thread line to collapse