undefined | Better HN

0 pointsmac-mc2y ago0 comments

> By requiring the passkey to be managed by a password manager, you get some anti-phishing protection. A passkey includes metadata, including the website domain that created it, and the password managers simply won't provide the passkey to the wrong domain.

There are so many apps that don't get this right. Make a login on the website, store it in 1password, and then try to login in their mobile app and it doesn't show up as a password because the associated URL is mismatched on the mobile app. Like mybank.com and auth.mybankmobileapi.com

0 comments

mingus882y ago

1password has a URL field. All you have to do it add the extra URLs

Better yet, while on mobile, search for the entry of the desktop site and have it fill. 1password will ask if you want to update the entry for this site

nullfield2y ago

Except they ignore subdomains. Unless you fix that on a per-item basis, in their desktop application.

I think, finally, that the reason this feels so dirty-apart from companies and lock-in and all-is that it’s taking the “something you know” as one auth factor and turning it into something that, not only do you not know, the big goal of is to make sure you can’t know but something you have.

j / k navigate · click thread line to collapse