Comment by valenterry

20 hours ago

It should be noted that that is not an inherent advantage of passkeys over passwords. It is possible to achieve the same with passwords, e.g. by using a hash-cascade.

Sure, but then you still need a protocol between user agent and website. If you just do this in JavaScript, you're not protected against phishing sites just forwarding the password entered directly.

Passkeys can in fact be backed by exactly this, i.e. a HMAC-only stateless implementation backed by a single password: https://github.com/lxgr/brainchain
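The point above, that a password-derived credential only resists phishing when the user agent binds it to the origin it actually sees, as an added stdlib-only Python model (not brainchain's code; symmetric HMAC rather than WebAuthn's public-key scheme, with constructed names and sample values):

```python
import hashlib
import hmac

# Constructed model, stdlib only. The user agent keeps one master secret and derives a
# distinct key per relying party; the relying party stores that derived key at registration.
# Unlike WebAuthn, the site holds the (symmetric) key itself, so a server breach exposes
# that site's key, though never the master secret or other sites' keys.

def master_secret(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase into a master secret with PBKDF2."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def credential_key(master: bytes, rp_id: str) -> bytes:
    """Per-site key: HMAC(master, rp_id). Stateless: nothing per site is stored client-side."""
    return hmac.new(master, b"credential:" + rp_id.encode(), hashlib.sha256).digest()

def user_agent_assert(master: bytes, observed_origin: str, challenge: bytes) -> bytes:
    """The user agent keys the response to the origin it actually sees, not one the user types."""
    key = credential_key(master, observed_origin)
    return hmac.new(key, observed_origin.encode() + b"|" + challenge, hashlib.sha256).digest()

def relying_party_verify(stored_key: bytes, rp_id: str, challenge: bytes, assertion: bytes) -> bool:
    """The site recomputes the assertion with its own rp_id and stored key."""
    expected = hmac.new(stored_key, rp_id.encode() + b"|" + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)

def demo() -> dict:
    """Registration, a genuine login, and a relayed login from a lookalike origin."""
    master = master_secret("correct horse battery staple", b"constructed-demo-salt")
    rp, challenge = "example.com", b"constructed-challenge-nonce"
    stored = credential_key(master, rp)                  # registration at the real site
    genuine = user_agent_assert(master, rp, challenge)
    # A lookalike origin relays the real site's challenge; the user agent still binds the
    # response to the lookalike, so the real site rejects it even though the same master
    # secret (the "single password") was used.
    forwarded = user_agent_assert(master, "examp1e.com", challenge)
    return {
        "genuine": relying_party_verify(stored, rp, challenge, genuine),
        "forwarded": relying_party_verify(stored, rp, challenge, forwarded),
    }

if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'forwarded': False}
```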

  • > Sure, but then you still need a protocol between user agent and website.

    Yes of course. Just like you do for passkeys.

    > Passkeys can in fact be backed by exactly this, i.e. a HMAC-only stateless implementation backed by a single password: https://github.com/lxgr/brainchain

    No, not quite. It's written on there:

    > "Login" with your passphrase, and you can create non-discoverable WebAuthN credentials (don't call them passkeys, but definitely be reminded of them) at ~all~ some websites supporting them (...)

    That's the thing: with passwords, a website/app cannot prevent you from controlling the password yourself. With passkeys and attestation it can.

    • But attestation for passkeys is dead. Neither Apple's, nor Google's implementation (with negligible exceptions) support it anymore, so any site demanding attestation will immediately disqualify > 99% of all potential users.

      Some still might, e.g. for corporate or high security contexts, but I don't think it'll become a mass-adopted thing if things don't somehow drastically change course.


Is it fair to say all passkey implementations have this advantage while only some password implementations can match?

  • It is absolutely unfair to say it. Just like passwords stored in a password manager, passkeys can be copied out of the device for safekeeping. Because you can copy them out, a user can be induced to give them to someone.

    I saw passkey boosters go very, very rapidly from "Passkeys are immune to phishing!" to "Passkeys are phishing resistant!" when lots of real-world people started using passkeys and demonstrated that you absolutely must have a way to back them up and move them around.

    • > passkeys can be copied out of the device for safekeeping

      You can't copy them out on at least the iOS, Android, and (to my knowledge) Windows default implementations.

      > lots of real-world people started using passkeys and demonstrated that you absolutely must have a way to back them up and move them around.

      Millions of people use them without being able to move them around in the way you describe.
