ApolloFortyNine, 5 days ago:
As mentioned elsewhere in this thread, the password manager failing to autofill is hardly unheard of.

diggan, 5 days ago:
As also mentioned elsewhere in this submission, it doesn't matter how often autofill breaks/works. There are two cases where it breaks: the accounts not showing up in the password manager modal, and the website autofill not working. The first is what prevents phishing; the second doesn't really matter for preventing phishing or not. The idea is that if your password manager doesn't show the usual list of accounts (regardless of whether the actual autofill after clicking the account works or not), you double-check the domain.

yawaramin, 4 days ago:
Yes, the idea you are presenting is that the human being must manually check for mistakes. As should be clear by now, this idea does not work at scale. Passkeys will automate and enforce the check, removing human error from the equation.

diggan, 4 days ago:
> Yes, the idea you are presenting is that the human being must manually check for mistakes.

Not at all? The password manager handles that automatically; have you never used a password manager before?

> Passkeys will automate and enforce the check

What happens to the passkey when the origin changes? Is it automatically recognising it as the new domain without any manual input? Curious to see what magic is responsible for that.

yawaramin, 4 days ago:
> Not at all?

Yes: '...you double-check the domain.' That's manually checking for mistakes.

> What happens to the passkey when the origin changes,

The passkey won't work at all. You will just have to create a new one.

diggan, 4 days ago:
> Yes: '...you double-check the domain.' That's manually checking for mistakes.

Yes, but that's only when the origin changed compared to when you added it to the password manager. Same thing for passkeys: they won't work if the origin is different, so you double-check that the domain in your browser address bar is the correct one. Obviously, normally you don't do anything except click on the account that shows up, since the domain matches.

yawaramin, 3 days ago:
With passkeys there is nothing to check manually. If it works, you know it's the domain you registered on. If it doesn't work, you log in with a non-phishable auth method like an emailed magic link, then register a new passkey. You could claim that a phishing site could set up their own passkey registration system, but that still wouldn't give them access to the target's real account.

diggan, 3 days ago:
> With passkeys there is nothing to check manually. If it works, you know it's the domain you registered on. If it doesn't work,

So exactly the same as password managers; there is no functional difference if you were using a password manager...
koakuma-chan, 5 days ago:
Npm can't force people to use a password manager.

diggan, 5 days ago:
Nor does TOTP+password lock you to one authentication provider indefinitely. Tradeoffs :)

maltee, 5 days ago:
You can always register a new passkey with the site if you want to switch authentication providers, can't you?

diggan, 5 days ago:
Yeah, I guess that'd work if I had a couple of accounts, but since there are a bunch of them, I really need proper import/export to feel comfortable with moving to it. I just know I'd punt the task of migrating everything if I have to go account-by-account to migrate away. Considering that it'd add work for me today, and future work, with no additional security benefits compared to my current approach, it just doesn't seem worth it.

vel0city, 5 days ago:
I've got passkeys from multiple "authentication providers" available on all of my devices. This isn't a tradeoff.

ljlolel, 5 days ago:
You can if you just force passwords longer than people can memorize or even want to write down (assigned 24+ characters).

koakuma-chan, 5 days ago:
It's just gonna be on a sticky note hanging on the screen or under the keyboard.

hu3, 5 days ago:
Careless people just copy-paste those.