WingNews logo WingNews
top | item 47191280

(no title)

utopiah | 1 day ago

> They bind you to your device

Isn't it why good practice is to bind at least 2 hardware passkeys and/or have recovery codes?

Sure someone can steal your phone/laptop/yubikeybio but then you can use the NitroKey you have at home in your drawer to recover your account.

discuss

order

pibaker|1 day ago

Biometric keys are still a niche techie thing that the average person probably doesn't even know exist. Most people will be using passkeys exclusively through their phones, often unintentionally. And outside the first world it is not uncommon for people do own no computing devices apart from their phones.

Backup keys and recovery codes also do not solve all cases of key loss. One thing I worry about is what happens if I am traveling in a foreign country and loses my belongings. In the past if I can convince someone to let me use his computer I can at least log into my email account as long as I remember my password. If everything is passkey then I will be locked out of all my online accounts until I make it back home, assuming that I have actually properly set up the backup device and keys. Humans are not very good at making sure that backups actually work.

utopiah|1 day ago

> Biometric keys are still a niche techie thing that the average person probably doesn't even know exist.

Is it? Maybe I'm in a bubble but feels like most people I know unlock their phone with biometrics. Sure few do that on their laptop, even less on their desktop, but I imagine that explaining it's "like unlocking your phone" would help those very numerous people (if you have metrics on biometrics on phone, please do share, genuinely curious) see that it's basically doing what they already do on more devices.

tuwtuwtuwtuw|1 day ago

Your email account would hopefully have 2FA enabled, so if you lose your belongings, then how would you log on in your scenario?

Assuming your 2FA tokens are generated by phone, of course. But I think that's by far the most common way.

aeronaut80|1 day ago

You can’t expect your grandma to go to those lengths. Heck, even most internet-native people probably wouldn’t.

utopiah|1 day ago

For a random website, no, for bank and primary email (used for account recovery), they probably should.

It honestly takes a minute to add a key and it's just that, a physical key.

IMHO what's risky in terms of UX and habits is precisely that most workflows do not highlight this. So people rightfully are scared of losing that 1 precious key, so they don't activate 2FA because of that. Meanwhile if the UX when they activate 2FA would clarify that they only have 1 key stored, adding a 2nd one or saving codes (most do propose that option for 2FA authenticators but not hardware passkey AFAIK) is what will make them both safe against attacked but also against their own accident (shit happens) then maybe behaviors would change.

Anyway, yes, you're right, most people don't do that or aren't even aware of it but arguably as more and more important and intimate part of our lives are online, it becomes crucial for one owns sanity to better understand how this all works.