Things I learnt about passkeys when building passkeybot

Use of LLMs in Passkeybot Documentation

  • Several commenters object to the project’s quickstart step of “paste this into a good LLM,” especially for security‑critical auth code.
  • Concerns: outsourcing auth logic to an LLM, lack of traditional API docs, and the fact that LLM output must be fully reviewed anyway, which makes the step feel pointless.
  • The author clarifies that the LLM is meant only to translate a well‑commented TypeScript example into other languages/frameworks; core logic is documented via sequence diagrams, handler descriptions, and a demo.
  • Others defend LLM‑oriented onboarding as a better DX than guessing framework‑specific boilerplate.

Passkeys vs Passwords: Security, Recovery, and Usability

  • Some wish passkeys fully replaced passwords; others insist passwords remain vital for recovery and cross‑device use, especially after device loss, theft, or fire.
  • Main claimed advantages of passkeys: phishing resistance, protection against credential reuse and database breaches.
  • Counterpoints: good password managers already mitigate phishing via domain checking; passkeys add conceptual and UX complexity and lack flexibility for some use cases.
  • Recovery is a recurring pain point: not all sites allow multiple passkeys; some limit to a single authenticator; fallbacks (email/SMS, magic links) reintroduce weaker factors.
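The phishing-resistance claim above rests on two checks the relying party performs on every assertion: the browser-supplied origin in clientDataJSON and the rpIdHash in authenticatorData are both bound to the site the user actually visited. The following is an added illustration, not passkeybot's code; RP ID, origin and look-alike domain are constructed, and the signature check over the assertion is assumed to be done separately with the stored public key.

```python
import base64
import hashlib
import json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes, rp_id: str, origin: str) -> list:
    """Return the reasons an assertion must be rejected (empty list = bound to our RP).

    The signature over authenticatorData || SHA256(clientDataJSON) is assumed to be
    verified elsewhere against the credential's stored public key.
    """
    problems = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        problems.append("wrong ceremony type")
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        problems.append("challenge mismatch (replay or stale session)")
    # The browser fills in origin itself, so a look-alike site cannot make it say ours.
    if cd.get("origin") != origin:
        problems.append(f"origin {cd.get('origin')!r} is not {origin!r}")
    # authenticatorData layout: rpIdHash(32) || flags(1) || signCount(4) || ...
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match our RP ID")
    if not authenticator_data[32] & 0x01:          # UP flag: user presence
        problems.append("user presence flag not set")
    return problems

# Helpers that build constructed sample inputs shaped like real browser output.
def make_auth_data(rp_id: str, flags: int = 0x05, counter: int = 7) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")

def make_client_data(origin: str, challenge: bytes) -> bytes:
    ch = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": ch, "origin": origin}).encode()

def demo() -> dict:
    """Genuine assertion versus one relayed from a constructed look-alike domain."""
    rp_id, origin, challenge = "example.com", "https://example.com", bytes(range(32))
    genuine = check_assertion(make_client_data(origin, challenge),
                              make_auth_data(rp_id), challenge, rp_id, origin)
    # A victim signing in on example-login.com produces data bound to THAT site,
    # so even a perfectly relayed assertion fails both binding checks here.
    relayed = check_assertion(make_client_data("https://example-login.com", challenge),
                              make_auth_data("example-login.com"), challenge, rp_id, origin)
    return {"genuine": genuine, "relayed": relayed}
```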

Vendor Lock‑in, Attestation, and Client Bans

  • Strong worry that “unexportable keys + attestation + ability to ban clients” yields de facto lock‑in to Apple/Google/Microsoft ecosystems.
  • Spec author statements about potentially blocking clients that allow export (e.g., some password managers) are seen as hostile to user control.
  • Defenders argue: unexportability is a core security property, and relying parties (RPs) should be able to distrust compromised/rogue clients; users can rely on multiple authenticators or account‑recovery flows instead.
  • Critics respond that inability to back up credentials is unacceptable and that client‑based blocking is too powerful a lever.

UX Problems and Edge Cases

  • Reports of conflicting passkey providers (native keychains vs password managers vs hardware keys), awkward multi‑click flows, and difficulty setting preferred providers.
  • Examples of “orphaned keys” and inability to enroll multiple device‑specific passkeys, confusing labels due to cross‑device sync, and bugs that effectively lock users out.
  • Some users have reverted to passwords + TOTP after frustrating passkey experiences.

Related Technical Discussions

  • PKCE is discussed as ensuring continuity of OAuth flows beyond what state alone provides.
  • Concerns raised about the Digital Credentials API as infrastructure for broader online ID mandates, though others note ID proof is already required for some travel and government services.