top | item 46303496

(no title)

novok | 2 months ago

Pre-passkeys, was this lockout issue a true issue with apple and google accounts? Or have passkeys added a general lockout issue that didn't exist before? Also passkeys in their current implementation are not possible to back up or export yourself, unlike passwords in the past.

Security engineers are prioritizing preventing key copying over lockout issues, unilaterally, on literally billions of people. It improves their metrics internally, at the cost of an externality on the entire world. This kind of stuff invites odious regulation as more and more stories of lockout with no recourse surface.

And unlike passwords, there is no good provider migration story. There is a roach motel issue. Yes it is being 'worked on', but passkeys and such have been out for many years, the willful denial whenever you ask people running these standards about these issues is incredibly irritating. The fact they tend to avoid questions about this like politicians decreases trust in the motives of such standards.

discuss

lucideer|2 months ago

> unlike passwords, there is no good provider migration story

I'm curious what the "good provider migration story" you're referring to here for passwords is?

Password managers by-and-large haven't agreed on a standardised interchange format for import/export - a few of them have some compatibility helpers for importing from specific popular competitors but they're all in different formats, no consistent formats.

The above goes for passkeys as it does passwords - import/export will include your passkeys - so I don't see much difference in the provider migration story.

On the other hand, the FIDO Credential Exchange Format does solve the above problem (if/when providers choose to adopt it), so passkeys are at least further along the path of creating a "good provider migration story" than passwords ever were.

spencerflem|2 months ago

Copy & Paste one at a time is at least possible with passwords

Fire-Dragon-DoL|2 months ago

And what about password sharing? I want to share everything with my partner,in case something happens to me.

Passwords right now are outright better.

And by the way, door keys could be copied.

mjrpes|2 months ago

1Password family plan, and I assume similar cloud password managers, let you organize passwords/TOTP/Passkeys into vaults, and you can put credentials you want to share with other family members here.

drweevil|2 months ago

I agree. I use passwords with TOTP whenever possible. Passwords in a locally stored database (such as KeePassXC) can be easily shared. TOTP using Google Authenticator can also be easily shared, not just with my partner, but also among my own devices. Right now I see this as a much better, simpler, and much easier to understand option. BTW, the "easier to understand" is a big feature. Passkeys seem to be complex; just look at all the arguments about them in these comments. And where there is complexity there is vulnerability.

Marsymars|2 months ago

You can store passkeys in a password manager where they're either in a full-time shared config or there's some configuration that allows access if something happens. (e.g. Emergency Kit for 1Password, legacy contact for Apple account, etc.)

pabs3|2 months ago

Add your partner's passkeys to your accounts, then you can both login. Or put some Yubikeys in a safe that can be accessed if needed.

ethersteeds|2 months ago

> Pre-passkeys, was this lockout issue a true issue with apple and google accounts?

Yes, absolutely. I have a second Google account I created and lost the password to. I can't reset it because it wants to know the exact month I opened it. I don't even know if it was 2012 or 2016, I'll never guess the month.

joshuamorton|2 months ago

Yes. People have complained about the difficulty of Google or Facebook account recovery and how they need to make it easier and more accurate for ages. You could search hn for "password reset" or "lost password" and you'll find tons.

jesseendahl|2 months ago

The primary credential a user relies on for logging in (whether it's a password or a passkey) is pretty unrelated to the the "lockout issue". The lockout issue is really the age old question of: what happens if I can't do a normal email-based account recovery flow (aka "I forgot/lost my password/passkey").

The answer to that is stuff like this:

https://blog.google/technology/safety-security/recovery-cont...

https://support.apple.com/en-us/102641

pabs3|2 months ago

> passkeys in their current implementation are not possible to back up or export yourself

You can with KeePassXC, so it is a choice of the credential manager implementation. The standards people want to ban such credential managers though.

dfabulich|2 months ago

No, passkeys haven't added a new general lockout issue, because Apple, Google, etc. don't allow you to create an account where you can only login via passkey with no external authentication factor. They require you have something outside the Google account, whether that's a password, a hardware key, etc.

People keep falsely imagining that Google is setting people up with passkey-only accounts, with no way to backup their login credentials. Gosh, wouldn't that be terrible?

That would be like 1Password letting you create a passkey-only account with no password, storing the only passkey in 1Password. The whole idea makes no sense. 1Password doesn't do that, and neither does Apple, Google, Microsoft, etc. (We can all imagine them doing something that stupid, but, it turns out, they don't.)

Pre-passkeys, the most common lost-credential scenario was creating a fresh Gmail address on a new device (an Android phone) with a password and forgetting both your Google password and your password for your cellular-phone carrier (AT&T, T-Mobile, etc). Your Google password would be stored locally on your phone and in Google's cloud, but when you lose your phone and forget your passwords, no backups remain.

At that point, you're pretty much screwed. Google can't email you a reset-password link, because Gmail is your email. Google can't send you a 2FA SMS until you get a new phone with the same number, but you can't convince AT&T to do that, because they want to send a reset-password link to your email, which you don't have, or SMS to your phone, which you don't have.

(The cellular carriers don't even allow you to show government ID at a physical store. They don't allow you to take over a phone number that way, because people could then threaten/bribe a T-Mobile store representative to falsely claim that you presented valid government ID, taking over other people's accounts. If you walk into a store, they'll just put you on the phone with customer service, where they'll insist that you provide your AT&T password, or reset your password via email or SMS. If you've lost your email and your phone and all your passwords, you're completely out of luck.)

If Google allowed you to create a passkey-only account, with no SMS 2FA and no way to backup your passkey, that would be even worse.

But, luckily for all of us, they don't even allow that, and they're certainly not pushing it unilaterally on billions of people.

why-o-why|2 months ago

I use passkeys. I save them in the Apple cloud. They work on all my apple devices seamlessly. I don't need to copy them. Ecosystems are nice.

veeti|2 months ago

And what happens when Apple permabans your account for buying a gift card? https://news.ycombinator.com/item?id=46297336

hshdhdhj4444|2 months ago

I use passwords. I save them in iCloud. Or Bitwarden. Or Chrome/Firefox. Or Lastpass. Or 1password.

They work on all my (not just Apple) devices seamlessly.

I don’t need to copy them.

Non walled ecosystems are nice.