Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
bryantwolf 4 hours ago

The advantage is that the password never leave the device. It has a public key and signs challenges with the private key but nothing sensitive goes over the wire on every login

valenterry 4 hours ago | parent [-]

It should be noted that that is not an inherential advantage of passkeys over passwords. It is possible to achieve the same with passwords, e.g. by using a hash-cascade.

lxgr 3 hours ago | parent | next [-]

Sure, but then you still need a protocol between user agent and website. If you just do this in Javascript, you're not protected against phishing sites just forwarding the password entered directly.

Passkeys can in fact be backed by exactly this, i.e. a HMAC-only stateless implementation backed by a single password: https://github.com/lxgr/brainchain

mi_lk 4 hours ago | parent | prev [-]

is it fair to say all passkey implementations have this advantage while only some password implementations can match?

simoncion 3 hours ago | parent [-]

It is absolutely unfair to say it. Just like passwords stored in a password manager, passkeys can be copied out of the device for safekeeping. Because you can copy them out, a user can be induced to give them to someone.

I saw passkey boosters go very, very rapidly from "Passkeys are immune to phishing!" to "Passkeys are phishing resistant!" when lots of real-world people started using passkeys and demonstrated that you absolutely must have a way to back them up and move them around.

lxgr 3 hours ago | parent [-]

> passkeys can be copied out of the device for safekeeping

You can't copy them out on at least the iOS, Android, and (to my knowledge) Windows default implementations.

> lots of real-world people started using passkeys and demonstrated that you absolutely must have a way to back them up and move them around.

Millions of people use them without being able to move them around in the way you describe.

simoncion 3 hours ago | parent [-]

> You can't copy them out on at least the iOS, Android, and (to my knowledge) Windows default implementations.

Pardon? The official support docs disagree with you [0][1][2]. They absolutely leave the device.

Other passkey managers let them leave the device in a way that you control, but even the default ones copy them off the system they were created on.

[0] <https://support.google.com/accounts/answer/6197437?hl=en&co=...>

[1] <https://support.apple.com/guide/iphone/passwords-devices-iph...>

[2] Examine the "Can I use passkeys across multiple devices?" Q and its A here: <https://support.microsoft.com/en-us/windows/passkeys-frequen...>

lxgr 2 hours ago | parent [-]

Yes, they're synchronized, but I wouldn't call that "copying them out", as that to me implies somehow getting access to the raw private key or root secret bytes.

Both Apple and Google have pretty elaborate ceremonies for adding a new device to an existing account in a way that synchronizes over passkeys.

simoncion 2 hours ago | parent [-]

> ...as that to me implies somehow getting access to the raw private key or root secret bytes.

When passkeys were first introduced, they were 100% stuck to the device that they were created. There was absolutely no real way to copy them off. This is when proponents were -correctly- making the claim that they were immune to phishing.

When lots of users (who -notably- were not supported by whole-ass IT departments who set up and run systems that handle provisioning and enrolling new devices) started using passkeys, the correctness of the thing that many non-boosters were screaming ("You have to have a way to back these up and move them between devices!") became abundantly clear. Passkeys became something that could be copied off of devices, and proponents -correctly- switched to the claim "Passkeys are phishing resistant".

Once things switched around so that passkeys were no longer stuck on a single device, third-party managers got the ability to manage and copy passkeys. [0]

Hopefully it's now clear that the shift from "they never leave the device" to "they do leave the device" (and the consequences of this change) is what I'm talking about.

[0] At least, they will for the next five, ten years until the big players decide that it's okay to use attestation to lock them out to "enhance security".