undefined | Better HN

0 pointst_mann10mo ago0 comments

I agree, but unfortunately the spec authors are already going out and dangling possible bans in front of projects who implement Passkeys in more user-friendly ways:

https://github.com/keepassxreboot/keepassxc/issues/10407

> To be very honest here, you risk having KeePassXC blocked by relying parties

But having a choice about how you store your credentials shouldn't depend on the good faith of service providers or the spec authors who are doing their bidding anyway. It's a bit similar to sideloading apps, and it should probably be treated similarly (ie, make it a right for users).

0 comments

16 comments · 3 top-level

growse10mo ago· 7 in thread

There's a tension here between "user freedom" and a service wanting to make sure that credentials that it trusts to grant access to stuff aren't just being yolo'd around into textfiles on people's dropboxes.

People forget that one of the purposes of authentication is to protect both the end user and the service operator.

eredengrin10mo ago

Sure, but as long as the fallback for account recovery is sending a reset email or sms (both of which are similar or worse than yoloing textfiles on dropboxes), that's a very tough argument to make in good faith.

growse10mo ago

I agree that account recovery isn't the best. But just because that sucks doesn't mean there's zero value in improving credentials.

account4210mo ago

What people do on their own computer is none of the service's business.

growse10mo ago

It is if it puts the service at risk.

1 more reply

nyeah10mo ago

Note the scare quotes around user freedom. Perhaps user freedom is a notorious fake issue, a bizarre misconception, or an exotic concept that nobody understands.

growse10mo ago

I don't know what "scare quotes" are. They're just regular quotation marks, because I'm quoting.

1 more reply

tsimionescu10mo ago

What does Microsoft stand to lose if someone steals my passkey for Outlook from a text file I yolo'd into a Dropbox?

charcircuit10mo ago· 4 in thread

Reducing passkeys to the security level of passwords is not just "making something user friendly". It's undoing all of the hardware everyone else in the ecosystem is putting into to making a more secure way for authentication to be done.

kbolino10mo ago

Passkeys have several advantages over passwords but not all of them rely on UX controls. They are, after all, public-private keypairs and the private part is never shared during authentication. The wider web never adopted PAKEs so passwords are still sent verbatim over the (TLS-protected) wire.

charcircuit10mo ago

With password managers passwords are not reused which avoids this problem already.

1 more reply

zekica10mo ago

How exactly is this "reducing the security level to those of passwords"? For example: you can't use a passkey on attacker's web site even if you have a plaintext copy of the private key.

charcircuit10mo ago

I'm not following. The issue is about it being used for the site the private key is for. The attacker's site is irrelevant here.

sam_lowry_10mo ago· 2 in thread

The exact point of passkeys is to remove all rights from users )

charcircuit10mo ago

Ensuring it's not possible for remote attackers to easily steal users passkeys is not "removing all rights" for someone. It is setting a security bar you have to pass. One user's poor security can have negative effects on not just them but the platform itself.

account4210mo ago

You don't need attestation to allow users to secure their passwords.

1 more reply

j / k navigate · click thread line to collapse

0 comments

16 comments · 3 top-level

growse10mo ago· 7 in thread

People forget that one of the purposes of authentication is to protect both the end user and the service operator.

eredengrin10mo ago

growse10mo ago

I agree that account recovery isn't the best. But just because that sucks doesn't mean there's zero value in improving credentials.

account4210mo ago

What people do on their own computer is none of the service's business.

growse10mo ago

It is if it puts the service at risk.

1 more reply

nyeah10mo ago

Note the scare quotes around user freedom. Perhaps user freedom is a notorious fake issue, a bizarre misconception, or an exotic concept that nobody understands.

growse10mo ago

I don't know what "scare quotes" are. They're just regular quotation marks, because I'm quoting.

1 more reply

tsimionescu10mo ago

What does Microsoft stand to lose if someone steals my passkey for Outlook from a text file I yolo'd into a Dropbox?

charcircuit10mo ago· 4 in thread

kbolino10mo ago

charcircuit10mo ago

With password managers passwords are not reused which avoids this problem already.

1 more reply

zekica10mo ago

How exactly is this "reducing the security level to those of passwords"? For example: you can't use a passkey on attacker's web site even if you have a plaintext copy of the private key.

charcircuit10mo ago

I'm not following. The issue is about it being used for the site the private key is for. The attacker's site is irrelevant here.

sam_lowry_10mo ago· 2 in thread

The exact point of passkeys is to remove all rights from users )

charcircuit10mo ago

account4210mo ago

You don't need attestation to allow users to secure their passwords.

1 more reply

j / k navigate · click thread line to collapse