undefined | Better HN

0 pointspricechild1y ago0 comments

Bitwarden (& vaultwarden) also offer passkey which seem to work pretty well.

I've not had a problem registering both this and my phone on any site.

0 comments

If you've already got a password manager, what benefit do you get from passkeys?

Avoiding the risks of short, weak passwords? The risks of reusing passwords across sites? The inconvenience of remembering loads of passwords? The frustration of having to type passwords manually? The risk of getting phished or typing one site's password into a different site? Remembering and typing usernames? The password manager takes care of all that for you already.

And if your objective is to have a second factor just in case your password manager gets compromised? A physical button just in case someone takes over your mouse and keyboard? Or a credential stored in a secure element that's (somewhat) protected even if you use it on a compromised machine? Putting it in a password manager (or OS keyring) removes those advantages.

jorvi1y ago

Passkeys can’t be phished, or shoulder peeped, or entered on a malicious domain. And for the layman, it means they can’t forget their password.

Technically the place where you store your passkeys can be hacked into, but there is no technology that protects against that. You could give a tech layman 5FA and he’ll give all 5 factors to the nice man on the phone call.

masklinn1y ago

> Passkeys can’t be phished, or shoulder peeped, or entered on a malicious domain. And for the layman, it means they can’t forget their password.

Neither can passwords if you’re using a password manager to handle them.

So again, if you’ve already got a password manager, and would put your passkeys in a password manager, what is the benefit of passkeys?

3 more replies

mid-kid1y ago

Automation.

Password managers should be the default authentication method, and the current hack of having it type text into a password field is both unwieldy and completely avoidable.

posix_monad1y ago

Very easy to put the a password into the wrong place when doing it manually.

javawizard1y ago

The risk of your password getting stolen in between your browser and whatever hash algorithm the service you're authenticating with puts your password through before storing/verifying it.

That's the benefit you get from passkeys that no password manager will otherwise be able to give you.

masklinn1y ago

If your TLS connection has been MITM’d, you have much bigger problems than your unique randomly generated password being sniffed out.

2 more replies

knallfrosch1y ago

If they control the information flow can't they simply steal the passkey too?

3 more replies

afavour1y ago

The actual implementation of password managers is really messy. Browser extensions that try to guess which field may or may not contain your username, copy the 2FA code to the clipboard in the hopes that you’ll easily be able to paste it on the next page… passkeys offering a standardized API to provide this information makes it worth considering alone IMO, even without considering the extra security compared to plaintext password.

recursive1y ago

These are all good things. Now, if I can just use it without getting locked into someone's walled garden, I'll be all-in.

kiwijamo1y ago

I've found the Bitwarden to be hit and miss. Some sites work fine with it, others don't work. I haven't debugged it enough to work out whether the problem is on the Bitwarden end or the website end or something else altogether. Given I'm wary of the benefits (or lack of) of passkeys I haven't really looked into it in depth as I have other 2FAs I can use instead.

j / k navigate · click thread line to collapse

0 comments

michaelt1y ago

If you've already got a password manager, what benefit do you get from passkeys?

jorvi1y ago

Passkeys can’t be phished, or shoulder peeped, or entered on a malicious domain. And for the layman, it means they can’t forget their password.

masklinn1y ago

> Passkeys can’t be phished, or shoulder peeped, or entered on a malicious domain. And for the layman, it means they can’t forget their password.

Neither can passwords if you’re using a password manager to handle them.

So again, if you’ve already got a password manager, and would put your passkeys in a password manager, what is the benefit of passkeys?

3 more replies

mid-kid1y ago

Automation.

Password managers should be the default authentication method, and the current hack of having it type text into a password field is both unwieldy and completely avoidable.

posix_monad1y ago

Very easy to put the a password into the wrong place when doing it manually.

javawizard1y ago

The risk of your password getting stolen in between your browser and whatever hash algorithm the service you're authenticating with puts your password through before storing/verifying it.

That's the benefit you get from passkeys that no password manager will otherwise be able to give you.

masklinn1y ago

If your TLS connection has been MITM’d, you have much bigger problems than your unique randomly generated password being sniffed out.

2 more replies

knallfrosch1y ago

If they control the information flow can't they simply steal the passkey too?

3 more replies

afavour1y ago

recursive1y ago

These are all good things. Now, if I can just use it without getting locked into someone's walled garden, I'll be all-in.

kiwijamo1y ago

j / k navigate · click thread line to collapse