Hacker News

So we still need a passkey + second factor, isn't that the case?

And if my google account gets banned, I lose access to a trillion things instead of just one.

I was hoping passkeys would work on 1Password, but Chrome/Brave don't support that yet.

It seems like a passkey is just a password though



It depends on your security risk profile and the type of passkey provided. The passkey's response describes if the credential is transferable or not, and if the user has been positively verified as present.

They're as secure as having your password + 2FA in a password manager.


Should be noted that there's still debate on user presence, to the point that someone submitted a CVE[0][1] on KeePassXC for not abiding by this part of the protocol (and on which I take KeePass's side).

[0] https://github.com/keepassxreboot/keepassxc/issues/9339

[1] https://keepassxc.org/blog/2023-06-20-cve-202335866/

edit: This actually might be a better thread to hear some of the debate between an Okta dev and the KeePassXC team:

https://github.com/keepassxreboot/keepassxc/issues/10406


A key difference between a passkey and a password is that a passkey is never transmitted off of your device. The existing tech that they most resemble is SSH keys.
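Both points raised above, the response flags that say whether a credential is syncable and whether the user was present and verified, and the fact that only a signature ever leaves the authenticator, can be seen in a small Go program. This is an added example, not code from any commenter or from Google, Apple, 1Password or KeePassXC; the relying-party ID "example.com", the challenge string and the key pair are constructed for the demo, and the flag bit positions are the ones defined by the WebAuthn specification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Flags is byte 32 of WebAuthn authenticator data; it follows the 32-byte rpIdHash.
type Flags byte
const (
	flagUP Flags = 0x01 // user present (touch or click)
	flagUV Flags = 0x04 // user verified (PIN or biometric)
	flagBE Flags = 0x08 // backup eligible: credential may be synced off this device
	flagBS Flags = 0x10 // backup state: currently backed up somewhere
)
func (f Flags) UserPresent() bool  { return f&flagUP != 0 }
func (f Flags) UserVerified() bool { return f&flagUV != 0 }
func (f Flags) Syncable() bool     { return f&flagBE != 0 }

// ParseAuthData reads flags and signature counter from the fixed 37-byte prefix.
func ParseAuthData(b []byte) (Flags, uint32, error) {
	if len(b) < 37 {
		return 0, 0, fmt.Errorf("authenticator data too short: %d bytes", len(b))
	}
	return Flags(b[32]), binary.BigEndian.Uint32(b[33:37]), nil
}
// SignedMessage is the digest the authenticator signs: SHA-256(authData || SHA-256(clientDataJSON)).
func SignedMessage(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return d[:]
}
// VerifyAssertion runs on the relying party, which only ever holds the public key.
func VerifyAssertion(pub *ecdsa.PublicKey, authData, clientDataJSON, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, SignedMessage(authData, clientDataJSON), sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stays inside the "authenticator"
	rp := sha256.Sum256([]byte("example.com"))                 // constructed relying-party ID
	ad := append(rp[:], byte(flagUP|flagUV|flagBE|flagBS), 0, 0, 0, 7) // rpIdHash || flags || counter 7
	cd := []byte(`{"type":"webauthn.get","challenge":"constructed-challenge"}`)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, SignedMessage(ad, cd)) // only this crosses the wire
	f, n, _ := ParseAuthData(ad)
	fmt.Println("present:", f.UserPresent(), "verified:", f.UserVerified(), "syncable:", f.Syncable(), "counter:", n, "valid:", VerifyAssertion(&priv.PublicKey, ad, cd, sig))
}
```

A relying party that wants a non-syncable, hardware-bound credential can reject registrations whose BE bit is set, and one that wants more than presence can require UV.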


How does Google Password Manager sync your passkeys then?

EDIT: Private key is not transmitted off of your device when authenticating, but it can be transmitted off of your device by your password manager.

"The difference between passkeys and passwords is that passkeys are cryptographic key pairs. The key pair is specific to a website. One half is shared with the website, and the other half is private and stored on your device or in your password manager." [0]

"Passkeys are securely backed up and synced between your Android devices" [0]

"Passkeys are stored in your Google Account..." [0]

"Your iCloud Keychain stores and syncs them [passkeys] between iOS, iPadOS, and macOS devices." [0]

[0] https://support.google.com/chrome/answer/13168025


> Private key is not transmitted off of your device when authenticating.

Thank you. I should have been more specific. Non-transferral during auth is important because it virtually eliminates phishing, and that also explains why the Powers That Be are touchy about exporting. Exfiltration enables scenarios where a nefarious party tricks a user into transferring their cryptographic keys.


And the interaction between the thing that generates the passkey and my password manager is very confusing. I got multiple popups and it wasn't completely clear which was Chrome and which was 1Password.


Strictly speaking, passwords do not have to be shared during auth, either. There are password-agreement schemes (e.g. SRP [1] as used in TLS-SRP) which allow one or both parties to prove they know the password without sharing it. However, these schemes never gained broad adoption.

[1]: https://en.wikipedia.org/wiki/Secure_Remote_Password_protoco...


I see, that makes more sense. It is an upgrade to passwords, but in an ideal world we solve the other half (two factor) too.



