undefined | Better HN

0 pointspacketlost2y ago0 comments

>> Passkeys can’t be phished, ..., or entered on a malicious domain. > Neither can passwords if you're using a password manager to handle them.

This is absolutely not true, it depends heavily on usage patterns of the password manager and its features. Not all are browser extensions that autofill, and even if they did, sites change their domains for auth occasionally that break this functionality (or more often, signup is on a different domain from auth) meaning you must manually copy-paste your password somewhat often if you don't meticulously, and manually, maintain your domain list for a credential. The average person is *not* going to do that, they're going to go "huh, it broke again" and copy paste their randomly generated password.

Please, do not give security advice you are not equipped to handle.

0 comments

troyvit2y ago

> Passkeys have no easy way to extract the private key and do not request to enter the private key to authenticate.

Sure the do. All somebody needs is the password to your password manager. It's a single point of failure and by putting your passkeys in there to you've made it even more vulnerable.

Do you put a passkey on your password manager that exists outside of that ecosystem? Once you have that why not just use it for everything?

The parent wasn't giving security advice. They were asking a valid question.

packetlostOP2y ago

> Sure the do. All somebody needs is the password to your password manager. It's a single point of failure and by putting your passkeys in there to you've made it even more vulnerable.

Not more vulnerable than if they were just using password. You're still missing my point, password managers do not give you the ability to just copy-paste the private key of a passkey into a form field, unlike passwords. Some don't give you access to it at all (*cough* Apple *cough*). Sure you can get the private key if you have access to the password managers vault, but that's not what's being talked about. Common usage patterns matter immensely in security. At the end of the day, the attack surface for passkey-based authentication is smaller than password-based authentication, which is a step in the right direction.

> The parent wasn't giving security advice. They were asking a valid question.

The parent made a blatantly false and dangerous statement and then followed it up with a question. Did we read the same comment?

troyvit2y ago

I agree that it's not more vulnerable than just using a password, I'm only saying that it's only slightly less vulnerable under the best circumstances and incredibly more vulnerable under the worst circumstances (ie. if somebody got ahold of your password manager).

I also agree that passkey-based authentication provides a smaller attack surface than purely password-based authentication.

But putting the passkey on a second device provides an even smaller attack surface since now a bad actor needs both your device (or a MITM attack) and your password.

This is an HN forum. Nobody's giving "security advice," but I do feel like the parent comment's question hasn't been answered. Why would one store passkeys in their password manager instead of on a separate device?

1 more reply

j / k navigate · click thread line to collapse

0 comments

troyvit2y ago

> Passkeys have no easy way to extract the private key and do not request to enter the private key to authenticate.

Sure the do. All somebody needs is the password to your password manager. It's a single point of failure and by putting your passkeys in there to you've made it even more vulnerable.

Do you put a passkey on your password manager that exists outside of that ecosystem? Once you have that why not just use it for everything?

The parent wasn't giving security advice. They were asking a valid question.

packetlostOP2y ago

> Sure the do. All somebody needs is the password to your password manager. It's a single point of failure and by putting your passkeys in there to you've made it even more vulnerable.

> The parent wasn't giving security advice. They were asking a valid question.

The parent made a blatantly false and dangerous statement and then followed it up with a question. Did we read the same comment?

troyvit2y ago

I also agree that passkey-based authentication provides a smaller attack surface than purely password-based authentication.

But putting the passkey on a second device provides an even smaller attack surface since now a bad actor needs both your device (or a MITM attack) and your password.

1 more reply

j / k navigate · click thread line to collapse