undefined | Better HN

0 pointsavianlyric1y ago0 comments

> how much easier/better/same is it to try and have your work computer work with your personal passkey from a laptop or something?

Passkeys support authentication via a secondary device over Bluetooth (and this is supported in every major browser on every major platform). So you can login to a site on a machine that’s completely disconnected from your personal passkey store by scanning a QR code with your personal phone.

The login flow basically goes “request login with passkey” -> “browser recognises it doesn’t have the needed passkey, and offers a QR code to scan” -> “scan QR code with phone” -> “phone and browser handshake via Bluetooth” -> “passkey handshake happens between website and phone” -> “login completes”.

I’ve personally used this flow with my work laptop and my personal iPhone many times. iOS has built in support for the Passkey QR codes, so you can scan the code with the standard camera app. Additionally iOS supports allowing 3rd party passwords managers to take over the Passkey flow once you’ve scanned the QR code. So in my case I complete the flow with 1Password.

End-to-end the flow is pretty damn seamless, I’ve never personally had it fail, and take 30seconds to complete. The most annoying part is trying to remember where my phone is.

0 comments

apitman1y ago

What if the target device is a workstation or library desktop with no Bluetooth?

avianlyricOP1y ago

Then obviously you can’t use a personal passkey with it. But so what? Passkeys don’t need to address every niche scenario to be useful.

superq1y ago

Even if we assume that you're ok with connecting discrete and disparate devices together (and you always have your personal tracking device near you all the time), Bluetooth is basically comprised of a giant bag of vulnerabilities and weaknesses.

> take 30 seconds to complete

also, ouch.

avianlyricOP1y ago

> Even if we assume that you're ok with connecting discrete and disparate devices together (and you always have your personal tracking device near you all the time)

This is a solution for the masses. If you're not comfortable with it, nobody is forcing you to use it, and it certainly doesn’t diminish the value passkeys provide over traditional passwords and OTPs for the vast majority of people.

> Bluetooth is basically comprised of a giant bag of vulnerabilities and weaknesses.

That doesn’t really matter. The whole point of passkeys is their cryptographic primitives make snooping on the handshake pointless. Everything is E2E between the passkey provider, and the site you’re authenticating against. There’s no dependency on Bluetooths security to ensure that the actual passkey handshake is secure.

> > take 30 seconds to complete

> also, ouch.

That includes the time taken to fish my phone out of my pocket.

j / k navigate · click thread line to collapse

0 pointsavianlyric1y ago0 comments

> how much easier/better/same is it to try and have your work computer work with your personal passkey from a laptop or something?

End-to-end the flow is pretty damn seamless, I’ve never personally had it fail, and take 30seconds to complete. The most annoying part is trying to remember where my phone is.

0 comments

apitman1y ago

What if the target device is a workstation or library desktop with no Bluetooth?

avianlyricOP1y ago

Then obviously you can’t use a personal passkey with it. But so what? Passkeys don’t need to address every niche scenario to be useful.

superq1y ago

> take 30 seconds to complete

also, ouch.

avianlyricOP1y ago

> Even if we assume that you're ok with connecting discrete and disparate devices together (and you always have your personal tracking device near you all the time)

> Bluetooth is basically comprised of a giant bag of vulnerabilities and weaknesses.

> > take 30 seconds to complete

> also, ouch.

That includes the time taken to fish my phone out of my pocket.

j / k navigate · click thread line to collapse