freeopinion 9 days ago

Please help me understand the passkey flow that solves this problem.

1) A BAD actor tries to create an account at a GOOD website, posing as oblivious@example.com.

2) The GOOD website requests a public key from BAD.

3) BAD provides a self-generated public key.

4) GOOD later asks BAD to prove that they control the private key.

5) BAD successfully proves they control the private key.

Unless you have a step 3b where GOOD can independently confirm that the public key does indeed belong to oblivious. But even that is easily worked around.

arccy 9 days ago

That's just a strawman bad account-creation flow that has nothing to do with passkeys. You verify the email address first.

Passkeys use a unique key pair per account; there's no single public key that represents you.

freeopinion 9 days ago

Indeed, I was illustrating that DecoPerson was proposing that passkeys solve an account-creation-flow problem. They do not.

But as DecoPerson points out, in the realm of account creation, your "verify the email address first" solution has its limits.

It is easy to conflate different aspects of trust and think they have the same solution.