Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
alterom 5 hours ago

>your hardware dies

Or your backpack gets stolen.

Oops.

I swear, people who idolize passkey security must never travel anywhere.

PS: "just have more devices with passkeys", they invariably say.

Yeah right because people are made of money, everyone has the forethought, and a 2nd laptop in the US is a great asset when you're in Poland and can't login anywhere.

StilesCrisis 5 hours ago | parent | next [-]

I've been avoiding passkeys but more and more websites are trying to push them, and one website I use now requires them. I've already got a password manager! I don't need to change everything again!

stouset 4 hours ago | parent [-]

Your password manager almost certainly already has baked-in passkey support.

StilesCrisis 3 hours ago | parent [-]

It does, but what's your point? Why should I redo everything?

stouset 3 hours ago | parent [-]

Nobody is asking you to?

crazygringo 3 hours ago | parent [-]

The subject here is literally websites trying to push passkeys on users. That is who is asking us to.

About every week now Amazon tries to trick me into creating a passkey. It doesn't even ask, it just goes ahead and triggers my browser passkey creation mechanism without my consent. PayPal recently tried to force me to create one too and I had to kill and restart the app because that was the only way to skip it. I'll stick to my password with 2FA, thanks.

Marsymars 39 minutes ago | parent [-]

It's wildly obnoxious that browsers don't let you generally suppress these prompts.

And if you take the nuclear option and strip your browser of WebAuthn support, then you obviously can't use any passkeys, which doesn't work for me - I have two sites where I do want to use passkeys (because it's the only way to avoid SMS-based MFA on every login), but I never want to see passkey prompts for any other sites.

Barbing 3 hours ago | parent | prev | next [-]

>"just have more devices with passkeys"

Confirms that strategy then

For people who only use passwords having an extra device can help too. Google does not necessarily permit a login with a backup code, so to me it seems ideal to grab a spare phone, log into important accounts, and store it with a trusted party/friend.

It could be very difficult to login to an account like Gmail from overseas in the event of PC+phone[+hardware key] theft. Maybe no big deal if you can port your number to a new phone right away. Or maybe the trusted friend can help (unless Google still finds the login suspicious after all, no idea there)

slau 4 hours ago | parent | prev [-]

I travel a lot. By train, plane, and car. I also use passkeys when possible. I have multiple Yubikeys, stored in different locations. I also have a password manager, where I typically keep track of which logins aren’t yet backed up across physical tokens.

It takes a bit of effort, but it’s not impossible.

Yes, it means that in the event of catastrophic failure I might not be able to log in to some services until I get to one of the backups. I haven’t been able to imagine a scenario where that would be truly problematic.