pibaker | 1 day ago
Passkeys are designed to be hidden from the user. The author of this article even went on GitHub telling an open source implementation to not let users copy the private key.
https://github.com/keepassxreboot/keepassxc/issues/10407
There is a good reason for it. If you can copy and paste your passkey, then a phishing site can just ask you for it, making the phishing protection passkeys provide moot.
But the consequence is people, including many technical users on this website, cannot get a grasp on passkeys both as a concept and in a literal sense. How can you perceive, let alone understand, something that is designed to be hidden from you? It also doesn't help that it was pushed on users with little explanation and comes with many seemingly incompatible implementations.
Unless passkeys are redesigned to solve the intangibility problem, grannies will keep losing their accounts for no good reason and we will keep arguing about it on HN.
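As an added illustration of the origin binding pibaker's comment relies on (example code written for this discussion, not from the thread or the linked project): a minimal model of the relying-party checks on a WebAuthn assertion. It assumes an RP ID of example.com and, because the standard library has no ECDSA, stands in for the authenticator's private key with an HMAC key; a real RP would hold only the credential's public key.

```python
import hashlib
import hmac
import json

# Constructed model of a WebAuthn "get" assertion. What gets signed is
# authenticatorData || SHA-256(clientDataJSON), as in the real protocol;
# the signature itself is modelled with HMAC so this runs offline.
RP_ID = "example.com"                    # assumed relying party id
EXPECTED_ORIGIN = "https://example.com"  # assumed RP web origin

# Stand-in for the credential private key kept inside the authenticator.
# The thread's point: the user never sees or copies this value.
_DEVICE_SECRET = b"constructed-authenticator-secret"


def authenticator_sign(origin: str, challenge: str, secret: bytes = _DEVICE_SECRET) -> dict:
    """What browser + authenticator produce for a login requested by `origin`.

    The browser writes `origin` from the page that asked for the assertion;
    the user cannot change it. The authenticator signs over data that
    includes it, so the assertion only verifies for that site.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"),
    ).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest()  # rpIdHash; flags/counter omitted
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(secret, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(assertion: dict, expected_challenge: str) -> bool:
    """Relying-party side; any failed check rejects the login."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != expected_challenge:
        return False
    # Origin binding: an assertion minted on a look-alike page carries that
    # page's origin in clientDataJSON, so relaying it to the real RP fails here.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(_DEVICE_SECRET, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])
```

The origin check only helps while the key stays inside the authenticator: whoever holds `secret` can call `authenticator_sign` with the genuine origin and pass verification, which is exactly why the comment above argues against letting users copy it out.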
kingstnap | 14 hours ago
> You absolutely should be preventing users from being able to copy a private key!
> Asking you to put basic protections in place and collaborate with the ecosystem/industry is hardly "anti-user-choice mentality".
> the lack of identifying passkey provider attestation (which would allow RPs to block you, and something that I have previously rallied against but rethinking as of late because of these situations).
Does this guy deflate his neighbors' tires before going to work to save them from car accidents?
I cannot believe he has this ridiculous paternalistic behaviour while simultaneously having these bullet points on his personal website that he linked to.
> digital identity ● urban mobility user choice ● boston bruins
Telaneo | 10 hours ago
In theory, this issue could never touch average users. It's only power users who use standalone open-source password managers. All the options normal users are funnelled into aren't going to expose passkeys in plain text (except maybe Firefox?), and thus aren't going to be phishable in any meaningful sense.
But this guy opted to tell the open-source community that having exportable passkeys is wrong, full stop, and that open-source implementations might get banned for allowing this, planting a gigantic red flag right next to the very idea of passkeys, making every single power user who sees that post (which is linked on every thread which touches on passkeys) either completely reject the idea, or approach it with extreme caution. And thus no power user will recommend it to anybody else, not to mention the general usability problems they have.
I guess if it weren't him, the same ideas would have been made clear in other ways.