undefined | Better HN

0 pointssevanteri1y ago0 comments

This is why services need to support multiple passkeys per user just like they should support multiple 2FA methods...

0 comments

Big problem with this is that enrolling the secondary passkey requires the authenticator to be present. This is super inconvenient and risky as it always requires both authenticators to be present at the same machine/physical location, exposing both to local, physical threats (faulty USB ports on your machine frying anything you plug in? Congrats, you've now fried your main and any backup authenticators before you realized what was happening).

Ideally, you should be able to get an authenticator's public key and be able to enroll one without presenting the authenticator itself, allowing you to keep it in a safe/etc.

This would enable an easy workflow - enroll main authenticator as normal, then enroll your safely-stored backup by pasting its public key. If you lose your main, go to your safe, get your backup and "promote" it to primary and enroll a new backup one which goes in the safe.

PaulHoule1y ago

It always struck me that 2FA is a corporate suicide pact. Some percentage of users are going to lose their keys per year so your user base is going to decay like a radioactive element.

jorvi1y ago

That’s why most 2FA’s are 1.5FA by default where you can recover via SMS, delayed e-mail, etc, and you can (sometimes) only disable this by clicking through three scary screens and saving your 10 backup codes.

4ad1y ago

This is why you need to enrol the secondary passkey at the same time you enrol the first one, not later when you might not have the authenticator present.

In reality websites should not allow setting up a single passkey.

cuu5081y ago

Enrolling both at the same time still requires both authenticators to be present at the same machine/physical location.

e12e1y ago

Problem remains when you lose one, and need to block and enroll a new backup?

radicality1y ago

Apple actually forces you to use 2 keys when setting up security keys for iCloud, just did the setup few weeks ago.

jdiff1y ago

Do they typically not? My only contact with passkeys has been the 2FA service (Duo) at my place of work, and I've got a passkey on my phone and laptop, as well as OTP push notifications, OTP SMS, or recovery code from IT. It's particularly handy with the Chromeboxes hooked into the big presentation displays since I can scan a QR code with my phone to use the passkey stashed inside it.

sevanteriOP1y ago

Slightly poor wording from me maybe. There have been cases where for example only one hardware key could be set up but other methods were available at the same time.

I remember AWS having some weird choices at some point too, not sure how they are currently.

But yeah, typically I think most services have had multiple choises available at the same time.

JoBrad1y ago

The services that I use passkeys for (MS, AWS) do. I have separate passkeys for 2 browsers and on my phone.

bonton891y ago

The trouble is if it is on the service to do the support, they can revoke support at any time. They could use start tightening the screws on device attestation tomorrow for business reasons and drop support for your browser or phone.

JoBrad1y ago

How would we add MFA (in the broadest sense) without services supporting it? Or multiple MFA devices?

Double_a_921y ago

Yes, this is crucial. So far all the services that I use do though.

j / k navigate · click thread line to collapse

0 comments

Nextgrid1y ago

Ideally, you should be able to get an authenticator's public key and be able to enroll one without presenting the authenticator itself, allowing you to keep it in a safe/etc.

PaulHoule1y ago

It always struck me that 2FA is a corporate suicide pact. Some percentage of users are going to lose their keys per year so your user base is going to decay like a radioactive element.

jorvi1y ago

4ad1y ago

This is why you need to enrol the secondary passkey at the same time you enrol the first one, not later when you might not have the authenticator present.

In reality websites should not allow setting up a single passkey.

cuu5081y ago

Enrolling both at the same time still requires both authenticators to be present at the same machine/physical location.

e12e1y ago

Problem remains when you lose one, and need to block and enroll a new backup?

radicality1y ago

Apple actually forces you to use 2 keys when setting up security keys for iCloud, just did the setup few weeks ago.

jdiff1y ago

sevanteriOP1y ago

Slightly poor wording from me maybe. There have been cases where for example only one hardware key could be set up but other methods were available at the same time.

I remember AWS having some weird choices at some point too, not sure how they are currently.

But yeah, typically I think most services have had multiple choises available at the same time.

JoBrad1y ago

The services that I use passkeys for (MS, AWS) do. I have separate passkeys for 2 browsers and on my phone.

bonton891y ago

JoBrad1y ago

How would we add MFA (in the broadest sense) without services supporting it? Or multiple MFA devices?

Double_a_921y ago

Yes, this is crucial. So far all the services that I use do though.

j / k navigate · click thread line to collapse