Passkeys and Modern Authentication

Exportability, Specs, and User Freedom

  • Strong disagreement over specs forbidding plaintext export of private keys and mandating complex HPKE-based export flows.
  • One side: export in cleartext is obviously insecure; at minimum exports should be passphrase‑encrypted, and non‑exportable keys (e.g., YubiKeys) are a feature.
  • Other side: the protocol should not dictate the user’s security model; blocking even encrypted export removes user choice, complicates archival, migration, and handling of deceased users’ accounts, and creates de facto lock‑in.
  • Concern that “temporary minimums” (allowing encrypted exports now) may disappear later as standards tighten.

Lock‑in, Attestation, and Power Asymmetry

  • Fear that attestation plus RP choice will let sites whitelist only big-tech or “approved” managers, excluding open-source tools; KeePassXC’s GitHub thread is cited as a warning signal.
  • Some argue this is analogous to sites rejecting weak passwords or requiring corporate MFA apps; services already choose what they deem secure.
  • Others see this as constructing technical chokepoints that governments and corporations can later weaponize for real‑identity requirements and platform lock‑in.

Security Benefits vs. Phishing and TOTP

  • Security practitioners in the thread are broadly positive on passkeys: they remove passwords, are phishing‑resistant, and close common holes (TOTP phishing, reused passwords, credential stuffing).
  • Passkeys are seen as weaker than “password + hardware key” but stronger than password + TOTP or email codes; TOTP is described as obsolete for high‑stakes use because it is easy to phish in practice.
  • Critics counter that data breaches and provider screw‑ups are larger real‑world risks than phishing, and that exportable secrets (passwords, TOTP seeds) remain more user‑controllable.

UX, Recovery, and Family Use

  • Many report serious UX pain: multi‑step AWS logins, confusing flows, unclear “where the passkey lives,” and broken experiences across devices and kids’ phones.
  • Non‑exportable keys make migration between managers (hundreds of sites) or off ecosystems (Apple, Google) daunting; backup stories (lost devices, SMS‑only recovery, Authy desktop deprecation) drive skepticism.
  • Some propose mitigating via multiple passkeys per account, hardware keys, and family‑oriented SSO‑like dashboards, but note these don’t really exist for consumers yet.

Alternatives and Comparisons (SSH, X.509, SSO)

  • A camp argues SSH‑style public‑key auth “solved” login with far less complexity; passkeys add attestation, RP IDs, and privacy logic largely to handle web tracking and phishing.
  • Others respond that SSH’s fingerprint / TOFU model fails for most users, and WebAuthn’s binding to the relying party is a genuine improvement.
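The relying‑party binding the last point refers to is mechanical, not a policy: the browser writes the origin into clientDataJSON and the authenticator signs a hash of the RP ID it was given, so a credential registered for one site cannot be presented from a lookalike domain. The check below is an added illustration of that server‑side verification (not code from the thread or any library); the RP ID, allowed origins, and sample assertion data are constructed, and signature verification is left out to keep the binding checks in focus.

```python
import base64
import hashlib
import json

# Constructed values for the illustration: the site that registered the passkey.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_assertion(client_data_json_b64: str, authenticator_data: bytes, expected_challenge: str):
    """Return (ok, reason) for the binding checks of a WebAuthn assertion.
    Real deployments also verify the signature, which covers both inputs."""
    client_data = json.loads(b64url_decode(client_data_json_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or cross-session use)"
    # The browser, not page script, fills in the origin, so a phishing page cannot forge it.
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: " + str(client_data.get("origin"))
    # authenticatorData begins with SHA-256(rpId); the authenticator only signs for the
    # RP ID the browser derived from the origin the user actually visited.
    rp_id_hash = authenticator_data[:32]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = authenticator_data[32]
    if not flags & 0x01:  # UP bit: user presence was tested
        return False, "user presence flag not set"
    return True, "ok"


# Helpers that build what a browser/authenticator would produce (constructed, for demonstration).
def make_client_data(origin: str, challenge: str) -> str:
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=")


def make_auth_data(rp_id: str, flags: int = 0x01, counter: int = 1) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


if __name__ == "__main__":
    print(check_assertion(make_client_data("https://example.com", "c1"), make_auth_data("example.com"), "c1"))
    # A lookalike domain yields a different origin and a different rpIdHash, so both checks fail.
    print(check_assertion(make_client_data("https://examp1e.com", "c1"), make_auth_data("examp1e.com"), "c1"))
```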