utopiah 7 hours ago

> They bind you to your device

Isn't it why good practice is to bind at least 2 hardware passkeys and/or have recovery codes?

Sure someone can steal your phone/laptop/yubikeybio but then you can use the NitroKey you have at home in your drawer to recover your account.

pibaker 6 hours ago

Biometric keys are still a niche techie thing that the average person probably doesn't even know exists. Most people will be using passkeys exclusively through their phones, often unintentionally. And outside the first world it is not uncommon for people to own no computing devices apart from their phones.

Backup keys and recovery codes also do not solve all cases of key loss. One thing I worry about is what happens if I am traveling in a foreign country and lose my belongings. In the past, if I could convince someone to let me use his computer, I could at least log into my email account as long as I remembered my password. If everything is passkey, then I will be locked out of all my online accounts until I make it back home, assuming that I have actually properly set up the backup device and keys. Humans are not very good at making sure that backups actually work.

tuwtuwtuwtuw 3 hours ago

Your email account would hopefully have 2FA enabled, so if you lose your belongings, then how would you log on in your scenario?

Assuming your 2FA tokens are generated by phone, of course. But I think that's by far the most common way.

aeronaut80 6 hours ago

You can’t expect your grandma to go to those lengths. Heck, even most internet-native people probably wouldn’t.

utopiah 6 hours ago

For a random website, no, for bank and primary email (used for account recovery), they probably should.

It honestly takes a minute to add a key and it's just that, a physical key.

IMHO what's risky in terms of UX and habits is precisely that most workflows do not highlight this. So people are rightfully scared of losing that 1 precious key, and so they don't activate 2FA because of that. Meanwhile, if the UX when they activate 2FA would clarify that they only have 1 key stored, and that adding a 2nd one or saving codes (most do propose that option for 2FA authenticators but not hardware passkeys AFAIK) is what will make them safe both against attackers and against their own accidents (shit happens), then maybe behaviors would change.

Anyway, yes, you're right, most people don't do that or aren't even aware of it, but arguably, as more and more important and intimate parts of our lives are online, it becomes crucial for one's own sanity to better understand how this all works.

Telaneo an hour ago

> For a random website, no, for bank and primary email (used for account recovery), they probably should.

Even for this, for grandma, this is probably still asking for a lot.

Grandma's bank will have a recovery option even if she's tossed her phone, computer and hardware token in the ocean, and then had a stroke which made her forget any passphrases or whatever: You can call the bank and physically authenticate yourself with a passport, driver's licence or some other ID. It's a bitch to do, you may have to go to an actual bank branch, but grandma will get access to her money again. Meanwhile, her access to physical mail doesn't stop just because she's forgotten some passphrase or lost her phone.

Even techy people get caught out by Google forcing 2FA, while casuals don't even consider the possibility of losing access to their email. While both the rhetorical you and grandma should probably have a bulletproof recovery option for their email, since it will be the foundation of their digital identity, getting them to acknowledge the problem is going to be hard, and the solution, paying for a Yubikey or some other house-of-cards solution, is a tough sell.