| |
| ▲ | KevinMS 5 days ago | parent | next [-] | | yubikeys locks up my firefox on both windows and mac, no thanks | | |
| ▲ | nodesocket 5 days ago | parent [-] | | Mine works flawlessly in Chrome on MacOS. Maybe you got defective one, or try factory resetting it. | | |
| |
| ▲ | koakuma-chan 5 days ago | parent | prev [-] | | I have two yubikeys lying around, how do I use them? I don't even have the correct hole in my laptop or in my phone to insert them | | |
| ▲ | egorfine 5 days ago | parent | next [-] | | It goes into the square hole. | |
| ▲ | nodesocket 5 days ago | parent | prev | next [-] | | This is a joke right? Can’t say I’ve ever heard of USB ports referred to as “holes”. | | |
| ▲ | koakuma-chan 5 days ago | parent | next [-] | | > Can’t say I’ve ever heard of USB ports referred to as “holes”. I cannot be bother to remember every hole name. They're all USB anyway, the difference is that some are A, C, or Lightning, I bought a new MacBook and it has that magnet hole, what is that called? I'm not following. | | |
| ▲ | SOLAR_FIELDS 5 days ago | parent [-] | | Are you not around hardware that much? This is stuff people who work in tech deal with every day, it's too hard to keep track of the names of the three different ports that you use ubiquitously? When someone asks you what charging port you need, do you just say "big square one" or "the iphone one"? Do you then have to clarify "the old iphone one, not the new one"? | | |
| ▲ | koakuma-chan 5 days ago | parent [-] | | > This is stuff people who work in tech deal with every day The stuff I deal with every day is centering divs > it's too hard to keep track of the names of the three different ports it's more than three ports. | | |
| ▲ | koakuma-chan 5 days ago | parent [-] | | Also USB A is not even square, it's a rectangle | | |
| ▲ | SOLAR_FIELDS 5 days ago | parent [-] | | Point still stands. Maybe it’s 5 if we are being charitable. Do you also call skillets “flat pan thing I cook with”? | | |
|
|
|
| |
| ▲ | koakuma-chan 5 days ago | parent | prev [-] | | No I'm serious. I used to work on a PC and I had the correct hole, but I never figured out how to make yubikey useful and of course I couldn't use it with my phone. Maybe I'm missing something? | | |
| ▲ | Semaphor 5 days ago | parent [-] | | If it supports NFC, you can use that (mine do, I use them on my phone), otherwise you’d need an adapter, which is clunky but workable. |
|
| |
| ▲ | BenjiWiebe 5 days ago | parent | prev [-] | | You can use an adapter (usb-a to usb-c). Or are they NFC capable? Some models are. |
|
|
| |
| ▲ | semiquaver 5 days ago | parent | next [-] | | Passkeys are unphishable because there is nothing to type in. And they are locked to an origin by design, so you can’t accidentally use one on the wrong domain because the browser simply won’t do it. | | |
| ▲ | jve 5 days ago | parent [-] | | ... and they are not transferrable, tied to BigCorp & Friends. | | |
| ▲ | Semaphor 5 days ago | parent | next [-] | | I use a hardware key as passkey where supported, nothing ties me to anything but those keys. Also there are OSS software managers that support them, like KeePass and friends. | | |
| ▲ | wavemode 5 days ago | parent [-] | | does your hardware key work on mobile? or do you now need to maintain two keys for every service? | | |
| ▲ | vel0city 5 days ago | parent | next [-] | | Yes, my hardware keys work on my mobile devices as well. > do you now need to maintain two keys for every service? I do maintain multiple keys for every service. I wouldn't say it's a lot of maintenance, any more than a far more secure "remember me" box is "maintenance". When I register for a new service, I add my hardware token on my keychain as a passkey. I sign in on my laptop for the first time for a service I'll use there more than once, I make a passkey. I sign in on my desktop for the first time, I make a passkey, maybe make a spare in my password manager. Maybe if it's something I use on my phone, I'll make a passkey there as well when I sign in for the first time. When I get around to it, I'll add the spare hardware token I keep in a drawer. But its not like "I just signed up for a new service, now I must go around to every device and make a new passkey immediately. As long as I've got a couple of passkeys at registration time, I'm probably fine. Lose my laptop? Its ok, I've got other passkeys. Lose my keys? Its ok, I've got other passkeys. My laptop and keys get stolen at the same time? Its ok, I've got other passkeys. Its really not that hard. | |
| ▲ | Semaphor 4 days ago | parent | prev [-] | | > does your hardware key work on mobile? Yes, they support NFC > or do you now need to maintain two keys for every service? I maintain 4 keys so I have backups. In most cases registering additional keys is no problem, and this is only needed when signing up. |
|
| |
| ▲ | udev4096 5 days ago | parent | prev [-] | | It is on majority of selfhosted pw managers. Vaultwarden, most popular, can transfer passkeys |
|
| |
| ▲ | koakuma-chan 5 days ago | parent | prev | next [-] | | Passkey only works when you're on the correct website | | |
| ▲ | diggan 5 days ago | parent | next [-] | | Use a password manager (that isn't too buggy and/or suck) and you get the same thing for both TOTP and passwords. | | |
| ▲ | ApolloFortyNine 5 days ago | parent | next [-] | | As mentioned elsewhere in this thread, the password manager failing to autofill is hardly unheard of. | | |
| ▲ | diggan 5 days ago | parent [-] | | As also mentioned elsewhere in this submission, it doesn't matter how often autofill breaks/works. There are two cases where it breaks: The accounts not showing up in the password manager modal, and the website autofill not working. The first is what prevents phishing, the second doesn't really matter to prevent phishing or not. The idea is that if your password manager doesn't show the usual list of accounts (regardless if the actual autofill after clicking the account works or not), you double-check the domain. | | |
| ▲ | yawaramin 4 days ago | parent [-] | | Yes, the idea you are presenting is that the human being must manually check for mistakes. As should be clear by now, this idea does not work at scale. Passkeys will automate and enforce the check, removing human error from the equation. | | |
| ▲ | diggan 4 days ago | parent [-] | | > Yes, the idea you are presenting is that the human being must manually check for mistakes. Not at all? The password manager handles that automatically, have you never used a password manager before? > Passkeys will automate and enforce the check What happens to the passkey when the origin changes, is it automatically recognising it as the new domain without any manual input? Curious to see what magic is responsible for that | | |
| ▲ | yawaramin 4 days ago | parent [-] | | > Not at all? Yes: '...you double-check the domain.' That's manually checking for mistakes. > What happens to the passkey when the origin changes, The passkey won't work at all. You will just have to create a new one. | | |
| ▲ | diggan 4 days ago | parent [-] | | > Yes: '...you double-check the domain.' That's manually checking for mistakes. Yes, but that's only when the origin changed compared to when you added it to the password manager. Same thing for Passkeys, won't work if the origin is different, so you double-check that the domain in your browser address bar is the correct one. Obviously normally you don't do anything except click on the account that shows up, since the domain matches. | | |
| ▲ | yawaramin 3 days ago | parent [-] | | With passkeys there is nothing to check manually. If it works, you know it's the domain you registered on. If it doesn't work, you log in with a non-phishable auth method like emailed magic link, then register a new passkey. You could claim that a phishing site could set up their own passkey registration system–but that still wouldn't give them access to the target's real account. | | |
| ▲ | diggan 3 days ago | parent [-] | | > With passkeys there is nothing to check manually. If it works, you know it's the domain you registered on. If it doesn't work, So exactly the same as password managers, there is no functional difference if you were using a password manager... |
|
|
|
|
|
|
| |
| ▲ | koakuma-chan 5 days ago | parent | prev [-] | | Npm can't force people to use password manager | | |
| ▲ | diggan 5 days ago | parent | next [-] | | Nor does TOTP+password lock you to one authentication provider indefinitely. Tradeoffs :) | | |
| ▲ | maltee 5 days ago | parent | next [-] | | You can always register a new passkey with the site if you want to switch authentication providers, can’t you? | | |
| ▲ | diggan 5 days ago | parent [-] | | Yeah, I guess that'd work if I had a couple of accounts, but since there a bunch of them, I really need proper import/export to feel comfortable with moving to it. I just know I'd punt the task of migrating everything if I have to go account-by-account to migrate away. Considering that today it'd add work for me today, and future work, with no additional security benefits compared to my current approach, it just don't seem worth it. |
| |
| ▲ | vel0city 5 days ago | parent | prev [-] | | I've got passkeys from multiple "authentication providers" available on all of my devices. This isn't a tradeoff. |
| |
| ▲ | ljlolel 5 days ago | parent | prev [-] | | You can if you just force passwords longer than people can memorize or even want to write down (assigned 24+ characters) | | |
| ▲ | koakuma-chan 5 days ago | parent | next [-] | | It's just gonna be on a sticky note hanging on the screen or under keyboard | |
| ▲ | hu3 5 days ago | parent | prev [-] | | careless people just copy paste those |
|
|
| |
| ▲ | 243423443 5 days ago | parent | prev | next [-] | | Care to explain? | | |
| ▲ | vladvasiliu 5 days ago | parent [-] | | The actual URL in the browser is part of what the passkey signs. So if you go to totallynotascam.com which turns out to be some dude intercepting and passing the connection to npm, the signature would be refused by npm since it wouldn't be for the correct domain. |
| |
| ▲ | codedokode 5 days ago | parent | prev [-] | | Unlike humans. |
| |
| ▲ | operator-name 5 days ago | parent | prev [-] | | The browser ensures that a passkey can only be used on the correct site. |
|
