GitHub Introduces Passkey Support (opens in new tab)

(github.blog)

52 pointsthepaulmcbride2y ago13 comments

13 comments

13 comments · 6 top-level

bob10292y ago· 3 in thread

At first I thought this was a great idea, but then confusion began to dawn after I read the UI...

> Your device supports passkeys, a password replacement that validates your identity using touch, facial recognition, a password, or a PIN.

> Your device supports passkeys, a password replacement that validates your identity using [...] a password

What is being accomplished here if I choose to activate a "passkey" using a "password" for GitHub?

Wool26622y ago

It is preventing password reuse and ensuring key complexity.

The implementation of the credentials manager on the device storing the passkey should also ensure 2factor auth for use of the key.

Further passkeys are highly phishing resistant since they are bound to one specific domain and the passkey manager enforces that it is only transmitted to said domain.

It is basically a phishing , credentials stuffing, brute force resistant password that should ensure 2factor authentication.

It is pretty much the spot between dedicated hardware keys and still usable for the normal guy.

The only thing I dislike is that every provider can lock you in their "passkey ecosystem" since they only sync between them etc.

thepaulmcbrideOP2y ago

I thinks the idea is that it has two factors built in. The password/pin is something you know. You still have to use it on a specific device though, which is the something you have.

yunohn2y ago

I think they mean via the system keychain? Chrome seems to auto handle passkey requests for Google themselves.

botanical2y ago· 2 in thread

How on earth are the big players introducing this when we can't even back up the keys?

Another things is I "lost access" to passkeys.io while trying out passkeys. My phones Bluetooth was switched off, and by the time my phone created and saved a passkey, it timed out on the computer. So now I can't login with that passkey and it only fails. Seems like I'm locked out now...

growse2y ago

> How on earth are the big players introducing this when we can't even back up the keys?

> Another things is I "lost access" to passkeys.io while trying out passkeys. My phones Bluetooth was switched off, and by the time my phone created and saved a passkey, it timed out on the computer. So now I can't login with that passkey and it only fails. Seems like I'm locked out now...

What does "backing up" the key achieve over and above just registering another key?

FlxMgdnz2y ago

Hey, quick note from the creator of passkeys.io: You can always enter your email address on the login screen and this will initiate a fallback auth flow via email passcode.

arielcostas2y ago· 1 in thread

What's the difference between using this and having my password autocompleted by my password manager and then getting prompted for Windows Hello? I've had this setup for months now, and I don't see how removing the password factor from here will be better for me than having 2FA with Windows Hello, or my android phone via the QR thingy or an actual key such as Yubikey.

biscuitech2y ago

I don't think passkeys are for password manager users, but rather people who are tech illiterate. The problem we're seeing now is that passkeys are confusing as hell for non tech people, the target audience. A period of transition is bound to happen.

ishanjain282y ago· 1 in thread

This does not support firefox on linux. I believe firefox shipped a feature on linux in last few months which should make this work.

ishanjain282y ago

I just tried it again and it worked this time.

I had added that key as a plain fido security key and it didn't let me add it as a passkey. So, I removed that key from the list of security keys and added it as a passkey.

ChrisArchitect2y ago

Some earlier discussion: https://news.ycombinator.com/item?id=36697650

aaomidi2y ago

IPv6 when

j / k navigate · click thread line to collapse