undefined | Better HN

0 pointsthreatofrain1y ago0 comments

Passkeys only encourage the need for a password management tool, which is funny because if everyone had password management tools to begin with then we wouldn't need passkeys.

0 comments

arianvanp1y ago

This is not true.

Passkeys still protect you from additional things that password managers don't protect you against:

1. Your credential can't be phished as it's cryptographically bound to the domain. You could stil be tricked into entering your password and TOTP into a malicious website.

2. Your credential can't be leaked by sloppy servers as it's public key crypto. This makes your security not depend on believing the website your logging into does proper password hashing and doesn't accidentally log password in plaintext.

freeAgent1y ago

Most password managers tie credentials to domains. In fact, this is a good indicator of possible phishing attempts when your password manager doesn’t offer to auto-fill your expected credentials.

vouaobrasil1y ago

True, the technical aspect of passkeys does that. But in practical Apple and others want to heavily push for the smartphone as that tool, because it locks people further into that system.

nottorp1y ago

> Passkeys only encourage the need for a password management tool

The dependency on a password management tool.

Be it Yubikey or Apple secure enclave or whatever, it's a shit piece of hardware that will eventually break. Have fun replacing all your credentials at the same time when your phone dies.

vel0city1y ago

> Have fun replacing all your credentials at the same time when your phone dies.

I won't have to, because I've got passkeys on my desktop, my laptop, on my security token, etc. Losing one device won't lock me out.

j / k navigate · click thread line to collapse